Assessing the Public
Policy Morass Surrounding
Cyber-Security Protection
Prof. John W. Bagby
College of Info.Sci. &Tech.
Pennsylvania State University
Cyber-Security Policy Morass (FISC 2013)
Really?!? A Morass
• That Which Entraps, Hinders, Overwhelms or
Impedes Progress
– also: a disordered or muddled situation or
circumstance; a low-lying soggy swampland
– Assumes Cyber-Security Progress has Stalled
– Offers Public Policy Assessment to Assist
Resolution Among Entrenched Interests
• Really any different than other current public
policy situations? Like what?!?
Evidence of Vulnerabilities
• Vulnerability Invited Damage
– Iranian Denial of Service on US Consumer
Financial Services Sept.’12
– Shamoon virus Saudi Oil Ja.’12
– TJX Hack in ’07 - 45 million customer PII
• Vulnerabilities Successfully Defended !
– Empirical Counts of Probes or Thwarted Attack
• CERT Data Show Scope, Source, Failure, Resolution
– DoD under constant attack
Sensitivities: Private-Sector vs.
National Security
• Cyber-Security Conundrum Defies Resolution
– Vulnerability Demands Remediation
– Public Policy Consensus Unlikely
– Probability/Magnitude Calculus from Basic v. Levinson ‘88
• Traditional Private Sector Risk Analysis – Prof.T.
– Actuarial-Based
– Standard: ROI Dominates over Costs of Failure
• Traditional National Security Risk Analysis – Col.J.
– Black Swans Drive Much Security Investment
– Standard: Costs of Failure Dominate over ROI
What Role is there for Traditional
Insurance Underwriting?
• WSJ last week:
– Danny Yadron Lobbying Over Cyber Attacks vs.
• CyberSecurity more like Intell & counterespionage
– Bernard R. Horovitz, Blunting the Cyber Threat to
Business, Wall St. J., A15 (1.10.13)
• Coverage Unlikely under Existing Policies
– Audit using current de facto standards (principles)
– Ins. Market is coming
• Perhaps Instructive: 90s Intelligent Transport
– Demo ’97 San Diego Lloyds-style came JIT
– Finally 16 yrs later: Google’s Driverless Car
• Will it Hasten FaceBook in YOUR Dashboard?!?
CyberSecurity: Omnibus vs. Sectoral
• Omnibus: Security Measures Apply Broadly
– Permits Standardization
• Vulnerabilities Broadly Reduced
– Socializes Compliance Costs
• The “Cyber-Security Tax?”
• Sectoral: Security Measures Apply Narrowly
– Permits Customization to Industry Risks
• Experimentation breeds experience useful elsewhere
• EXs: PCI; Financial Services; NIST-Fed.Agencies; HIPAA; DoD
– Isolates Social Costs as Appropriate
• Most vulnerable Infrastructures 1st: Financial, Grid, Nat’l Defense
– Slows Multi-Sectoral Deployment
• Some Vulnerabilities Persist: Cyber is Broadly Cross-Cutting
Industrial Organization Analysis
• Theory of firm:
– boundaries/behaviors between firms & markets,
– structure of entities, competitive environment,
transactions costs, barriers to entry, information
asymmetries,
– role of government policies that intervene to
correct market imperfections & incentivize
behaviors consistent with policy
• structure, conduct, performance models
• Proposals Will Alter Traditional I/O
Security Law & Economics
• Private Sector Owns/Operates/Maintains 85% of
Critical Infrastructure
• NPV: Direct & Immediate Costs-Uncertain Remote
Benefits
– Incentives Appear Insufficient to Anticipate/Inhibit Black
Swans
– Chronic Underestimation of Reputational Degradation
• Free rider: Weakest Link
– Industry-Wide Irrationalization
– First-Mover Disadvantage – Revelations Signal
Vulnerability
Security Law & Economics
• Coordination problem
– Incentives limited to provide positive
externalities, societal benefits
– Fragmented IT Assets Defy Coordination &
Efficient Control
• Locations, control, monitoring, portability, cloud
transient, duties
• Should Cyber-Security be a Public Good
– Currently Under-Produced because …
• Non-Rival – marginal costs low as others benefit
• Non-Excludable – positive externalities invite free
riders, investor cannot capture all benefits
Some Existing Legislation
• Critical Infrastructures Protection Act of 2001
• Homeland Security Act of 2002
• G/L/B 1999
• HIPAA
• Trade Secrecy
• National Security
Proposed Legislation: House
• H.R.3674, Promoting and Enhancing Cybersecurity
& Information Sharing Effectiveness Act (PRECISE
Act) (sponsor: Dan Lungren R-Ca (lost in ’12 to Ami
Bera D-Ca)
• H.R.3523, Cyber Intelligence Sharing & Protection
Act (CISPA) sponsor: Mike Rogers, R-Mi) 11.30.11,
passed House April 26, 2012 (248–168))
• H.R.326, Stop Online Piracy Act (SOPA) (sponsor:
Lamar Smith, R-Tx 10.26.11)
• H.R. 4263: SECURE IT Act of 2012, 112th
Congress, 2011–2012
Proposed Legislation: Senate
• S.3414
• S.3342
• S.2105 Cybersecurity Act
– sponsors: Lieberman D-Cn & Collins R-Ma
• S.2151, Strengthening and Enhancing
Cybersecurity by Using Research, Education,
Information, and Technology Act of 2012, (SECURE
IT) (sponsor: J.McCain R-Az)
• S.968, Preventing Real Online Threats to Economic
Creativity and Theft of Intellectual Property Act
(PROTECT IP Act or PIPA)
– sponsor: P.Leahy D-Vt 5.12.11
Presidential Exec. Order
• Are EOs Const.? Or Audacious Royal Decree
– Art.II, §1, cl.1: Executive Pwr in Pres
– Art.II, §1, cl.1: Pres. Duty-Faithful Execution
• Pres.Decision Directives=Exec.Orders
• Legal Equivalence to Statutes
– Typically to enforce existing law … BUT …
– Over 14,000, many pre-##; add PDDs > 300/Pres
– Many Pres have Usurped Congress
• Ike, Harry, FDR
– How Might Congress Usurp Exec.Orders?
HSPD No. 7 (rev?)
• Finance, Energy & Cyber Infrastructures CrossCutting
• Business – Government “Partnerships”
• Sector-Specific “Lead Agencies”
• See: Bagby, John W., Evolving Institutional Structure and Public Policy Environment of
Critical Infrastructures, 9 Speaker’s J. Pa. Policy 187-204 (Sp.10)
• Strategies:
– U.S. Govt. Architecture- Resilience
– Information Exchange
– Implement Integration & Analysis
• Also: R&D, DHS-lead “lead,” Nat’l Plan,
Presidential Exec. Order
• EO# 13,587 2010 Policy Document
• Presidential Policy Dir. No.20 (PPD#20, 10.?.12-class.doc.)
– Reportedly:
• sets broad & strict cyber-security standards for federal agencies;
• distinguishes network defense from cyber operations;
• establishes vetting process;
• updates “Ws” NSPD#54 (’08-classified);
• violates domestic prohibition of military action
– FOIA Request to NSA, E.P.I.C. 11.14.12 (seeking public release of
PDD#20)
– NSA Reply to E.P.I.C., FOIA Case No.69164 (11.20.12) (denying
FOIA request for PDD#20, citing classified document under
Exec.Order #13526 & exempt under FOIA Exempt.#5 by NSS
designation)
Regulatory Action: SEC
• Cybersecurity, SEC Disclosure Guidance, CF
Topic#2 (10.13.11)
• What? Issuer Risks, Costs, Consequences
– Cybersecurity Risks defined
• “technologies, processes & practices designed to
protect networks, systems, computers, programs &
data from attack, damage or unauthorized access”
– Remediation, CyberSecurity Protection Expense,
Revenue Loss, Goodwill/Reputation, Litigation
• Disclose How? If Material then Where?
– Risk Factors, MD&A, Bus. Description, Litigation
(pre-incident-risks, post-incidents).
Externalities of Proposed Solutions
• Information Sharing
– Public Disclosure (e.g., SEC) Invites
• Liability Litigation (SH, investor, customer/client)
• Copycat Intrusion to Further Exploit Signaled Vulnerability
– Incentivizes Industry Collusion
• So What if Trade Assns Seek Antitrust Immunity ?
• Mandatory Rules-Based/Design Standards
– Impose High Compliance Costs
• EX: encryption, bandwidth hog, degrades performance
– Inappropriate for Some Industries
– Dis-incentivizes Innovation, Locks-In Old Tech
Externalities of Proposed Solutions
• Laissez Faire - Rely on Market Discipline
• Standardization
– Best Practice, Guidelines, Voluntary Consensus, Industry-Specific,
NIST models, Regulatory Imposition
– PCI: encryption, firewalls, IDs & p/w’s (rules-based stds)
• Direct by DHS or Sector-Specific Regulator
– G/L/B: PII “Safeguards Rule” (principles-only stds)
– HIPAA: PHI “Security Rule” (principles-based stds)
• Expand Direct Regulation thru DoD & IC
– Long History of Successful Imperialism
• Militias & Army on US’ Frontier 17th – 19th Century
• Colonialism: Various Navies protect trade routes
Externalities of Proposed Solutions
• Regulatory Liability ex post
– Permits resolution thru deference to regulatory expertise
(Chevron v. NRDC)
• Civil Liability ex post
– Maximizes freedom ex ante until uncertain limit reached
– C/L more efficient than market discipline or ex ante
regulation (R.Posner)
• Sneaking in the Back Door: Rootkits, Trojans
– Strange Bedfellows?!? - CyberNauts, Civil Libertarians
Cyber-Infrastructure Protection WaRoom
• WaRoom-concentration of information, hypotheses,
testing assertions & debate to enable resolution
– Can be physical &/or virtual
– analyzed from centralized data hosting & data-mining of
diverse open & proprietary information resources
• Enable decision-making thru ubiquity, lower
transaction costs & ease of communication
• Crises make WaRooms useful
See: http://faculty.ist.psu.edu/bagby/CyberInfrastructureProtection/
WaRooms
• Some Prior Examples:
– Enron
– BP Macando Well
– Post-9.11 Electronic Surveillance
• Current
– http://faculty.ist.psu.edu/bagby/CyberInfrastructureProtection/
– http://jobsact.ist.psu.edu
– http://SportsAntitrust.ist.psu.edu
Churchill’s Second World War Rooms
Modern War Room Origins
• Derived from actual war time hostilities
– Originally Centralized Physical Location
– Information Gathering
– Expertise Applied for “Sense-Making”
– Enables Strategic Planning
– Expert Analysts Findings
– Informs Decision-Makers
• Traditional Physical War Room Features
– Walls project images, maps, data
– Informs Analysis & Planning
Cold War Room
Modern Electronic War Room
• Invest in war room facilities, training & readiness
– Justified for high stakes campaign
– Concentration of information, hypotheses, testing
assertions, debate, command & control decision-making
– Transaction & communication costs reduced
• Public Policy Derivations
– Adapted to litigation, pre-trial discovery, political
campaigns & crisis management
– Crises are particularly useful organizing principles
• Document Repositories
• Provide easy access to: robust literature, primary/secondary docs
• Selective Availability to defined group(s)
– Strategic choice: public accessibility
Virtual War Rooms
• Various Locations: Security Defense & Cost
– Dispersed Actors
– Connected Electronically to Info Repositories
• Public Internet connections vs. secure lines
• Communications nerve center(s),
• eDiscovery “in the Cloud”
– “What is the Cloud’s Street Address Again?”
• That’s an “in rem” lawyer’s joke
• Closed systems preserve confidentiality
• Open systems trade off confidentiality
– May Destroy Confidentiality & Privacy
CrowdSource Investigations
• Online Collaboration Lowers Costs/Barriers
– Access many people, each performs subset of tasks
– Crowd Source Scholars May Argue:
• 1st Central authority organizes, sets narrow task, vets before
decision-making
• Here, grassroots impetus is eventually focused
– Independent Investigative Journalism
• Cite to D.Tapscott; A.D.Williams; P.Bradshaw
• Derived from social networks (SN) & wikis
– Website encourages crowdsource content mgt
• Ward Cunningham: "simplest online database”
• Design options:
– Confidentiality; group expertise, size & dedication; raw
data vs. deep analysis through Sense Making