Assessing the Public Policy Morass Surrounding Cyber-Security Protection
Prof. John W. Bagby, College of Info. Sci. & Tech., Pennsylvania State University
Cyber-Security Policy Morass (FISC 2013)
Really?!? A Morass
• That Which Entraps, Hinders, Overwhelms or Impedes Progress
• also: a disordered or muddled situation or circumstance; a low-lying soggy swampland
• Assumes Cyber-Security Progress has Stalled
• Offers Public Policy Assessment to Assist Resolution Among Entrenched Interests
• Really any different than other current public policy situations? Like what?!?
Evidence of Vulnerabilities
• Vulnerability Invited Damage
• Iranian Denial of Service on US Consumer Financial Services, Sept. ’12
• Shamoon virus, Saudi Oil, Ja. ’12
• TJX Hack in ’07: 45 million customer PII
• Vulnerabilities Successfully Defended!
• Empirical Counts of Probes or Thwarted Attacks
• CERT Data Show Scope, Source, Failure, Resolution
• DoD under constant attack
Sensitivities: Private Sector vs. National Security
• Cyber-Security Conundrum Defies Resolution
• Vulnerability Demands Remediation
• Public Policy Consensus Unlikely
• Probability/Magnitude Calculus from Basic v. Levinson ’88
• Traditional Private Sector Risk Analysis (Prof. T.)
• Actuarial-Based
• Standard: ROI Dominates over Costs of Failure
• Traditional National Security Risk Analysis (Col. J.)
• Black Swans Drive Much Security Investment
• Standard: Costs of Failure Dominate over ROI
What Role is there for Traditional Insurance Underwriting?
• WSJ last week:
• Danny Yadron, Lobbying Over Cyber Attacks vs.
• CyberSecurity more like Intell & counterespionage
• Bernard R. Horovitz, Blunting the Cyber Threat to Business, Wall St. J., A15 (1.10.13)
• Coverage Unlikely under Existing Policies
• Audit using current de facto standards (principles)
• Ins. Market is coming
• Perhaps Instructive: ’90s Intelligent Transport
• Demo ’97 San Diego: Lloyds-style came JIT
• Finally, 16 yrs later: Google’s Driverless Car
• Will it Hasten FaceBook in YOUR Dashboard?!?
CyberSecurity: Omnibus vs. Sectoral
• Omnibus: Security Measures Apply Broadly
• Permits Standardization
• Vulnerabilities Broadly Reduced
• Socializes Compliance Costs
• The “Cyber-Security Tax?”
• Sectoral: Security Measures Apply Narrowly
• Permits Customization to Industry Risks
• Experimentation breeds experience useful elsewhere
• EXs: PCI; Financial Services; NIST-Fed. Agencies; HIPAA; DoD
• Isolates Social Costs as Appropriate
• Most vulnerable Infrastructures 1st: Financial, Grid, Nat’l Defense
• Slows Multi-Sectoral Deployment
• Some Vulnerabilities Persist: Cyber is Broadly Cross-Cutting
Industrial Organization Analysis
• Theory of the firm:
• boundaries/behaviors between firms & markets,
• structure of entities, competitive environment, transaction costs, barriers to entry, information asymmetries,
• role of government policies that intervene to correct market imperfections & incentivize behaviors consistent with policy
• structure, conduct, performance models
• Proposals Will Alter Traditional I/O
Security Law & Economics
• Private Sector Owns/Operates/Maintains 85% of Critical Infrastructure
• NPV: Direct & Immediate Costs vs. Uncertain Remote Benefits
• Incentives Appear Insufficient to Anticipate/Inhibit Black Swans
• Chronic Underestimation of Reputational Degradation
• Free rider: Weakest Link
• Industry-Wide Irrationalization
• First-Mover Disadvantage: Revelations Signal Vulnerability
Security Law & Economics
• Coordination problem
• Incentives limited to provide positive externalities, societal benefits
• Fragmented IT Assets Defy Coordination & Efficient Control
• Locations, control, monitoring, portability, cloud transience, duties
• Should Cyber-Security be a Public Good?
• Currently Under-Produced because …
• Non-Rival: marginal costs low as others benefit
• Non-Excludable: positive externalities invite free riders, investor cannot capture all benefits
Some Existing Legislation
• Critical Infrastructures Protection Act of 2001
• Homeland Security Act of 2002
• G/L/B 1999
• HIPAA
• Trade Secrecy
• National Security
Proposed Legislation: House
• H.R.3674, Promoting and Enhancing Cybersecurity & Information Sharing Effectiveness Act (PRECISE Act) (sponsor: Dan Lungren, R-Ca; lost in ’12 to Ami Bera, D-Ca)
• H.R.3523, Cyber Intelligence Sharing & Protection Act (CISPA) (sponsor: Mike Rogers, R-Mi) 11.30.11, passed House April 26, 2012 (248–168)
• H.R.326, Stop Online Piracy Act (SOPA) (sponsor: Lamar Smith, R-Tx) 10.26.11
• H.R. 4263, SECURE IT Act of 2012, 112th Congress, 2011–2012
Proposed Legislation: Senate
• S.3414
• S.3342
• S.2105, Cybersecurity Act
• sponsors: Lieberman, D-Cn & Collins, R-Ma
• S.2151, Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 (SECURE IT) (sponsor: J. McCain, R-Az)
• S.968, Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act (PROTECT IP Act or PIPA)
• sponsor: P. Leahy, D-Vt, 5.12.11
Presidential Exec. Order
• Are EOs Const.? Or Audacious Royal Decree?
• Art.II, §1, cl.1: Executive Pwr in Pres.
• Art.II, §1, cl.1: Pres. Duty: Faithful Execution
• Pres. Decision Directives = Exec. Orders
• Legal Equivalence to Statutes
• Typically to enforce existing law … BUT …
• Over 14,000, many pre-##; add PDDs > 300/Pres.
• Many Pres. have Usurped Congress
• Ike, Harry, FDR
• How Might Congress Usurp Exec. Orders?
HSPD No. 7 (rev?)
• Finance, Energy & Cyber Infrastructures Cross-Cutting
• Business–Government “Partnerships”
• Sector-Specific “Lead Agencies”
• See: Bagby, John W., Evolving Institutional Structure and Public Policy Environment of Critical Infrastructures, 9 Speaker’s J. Pa. Policy 187-204 (Sp. 10)
• Strategies:
• U.S. Govt. Architecture: Resilience
• Information Exchange
• Implement Integration & Analysis
• Also: R&D, DHS-lead “lead,” Nat’l Plan
Presidential Exec. Order
• EO# 13,587, 2010 Policy Document
• Presidential Policy Dir. No. 20 (PPD#20, 10.?.12, classified doc.)
• Reportedly:
• sets broad & strict cyber-security standards for federal agencies;
• distinguishes network defense from cyber operations;
• establishes vetting process;
• updates “W’s” NSPD#54 (’08, classified);
• violates domestic prohibition of military action
• FOIA Request to NSA, E.P.I.C., 11.14.12 (seeking public release of PDD#20)
• NSA Reply to E.P.I.C., FOIA Case No. 69164 (11.20.12) (denying FOIA request for PDD#20, citing classified document under Exec. Order #13526 & exempt under FOIA Exempt. #5 by NSS designation)
Regulatory Action: SEC
• Cybersecurity, SEC Disclosure Guidance, CF Topic #2 (10.13.11)
• What? Issuer Risks, Costs, Consequences
• Cybersecurity Risks defined:
• “technologies, processes & practices designed to protect networks, systems, computers, programs & data from attack, damage or unauthorized access”
• Remediation, CyberSecurity Protection Expense, Revenue Loss, Goodwill/Reputation, Litigation
• Disclose How? If Material, then Where?
• Risk Factors, MD&A, Bus. Description, Litigation (pre-incident risks, post-incidents)
Externalities of Proposed Solutions
• Information Sharing
• Public Disclosure (e.g., SEC) Invites:
• Liability Litigation (SH, investor, customer/client)
• Copycat Intrusion to Further Exploit Signaled Vulnerability
• Incentivizes Industry Collusion
• So What if Trade Assns Seek Antitrust Immunity?
• Mandatory Rules-Based/Design Standards
• Impose High Compliance Costs
• EX: encryption, bandwidth hog, degrades performance
• Inappropriate for Some Industries
• Dis-incentivizes Innovation, Locks In Old Tech
Externalities of Proposed Solutions
• Laissez Faire: Rely on Market Discipline
• Standardization
• Best Practice, Guidelines, Voluntary Consensus, Industry-Specific, NIST models, Regulatory Imposition
• PCI: encryption, firewalls, IDs & p/w’s (rules-based stds)
• Direct by DHS or Sector-Specific Regulator
• G/L/B: PII “Safeguards Rule” (principles-only stds)
• HIPAA: PHI “Security Rule” (principles-based stds)
• Expand Direct Regulation thru DoD & IC
• Long History of Successful Imperialism
• Militias & Army on US Frontier, 17th–19th Century
• Colonialism: Various Navies protect trade routes
Externalities of Proposed Solutions
• Regulatory Liability ex post
• Permits resolution thru deference to regulatory expertise (Chevron v. NRDC)
• Civil Liability ex post
• Maximizes freedom ex ante until uncertain limit reached
• C/L more efficient than market discipline or ex ante regulation (R. Posner)
• Sneaking in the Back Door: Rootkits, Trojans
• Strange Bedfellows?!? CyberNauts, Civil Libertarians
Cyber-Infrastructure Protection WaRoom
• WaRoom: concentration of information, hypotheses, testing assertions & debate to enable resolution
• Can be physical &/or virtual
• analyzed from centralized data hosting & data-mining of diverse open & proprietary information resources
• Enable decision-making thru ubiquity, lower transaction costs & ease of communication
• Crises make WaRooms useful
See: http://faculty.ist.psu.edu/bagby/CyberInfrastructureProtection/
WaRooms
• Some Prior Examples:
• Enron
• BP Macondo Well
• Post-9.11 Electronic Surveillance
• Current:
• http://faculty.ist.psu.edu/bagby/CyberInfrastructureProtection/
• http://jobsact.ist.psu.edu
• http://SportsAntitrust.ist.psu.edu
Churchill’s Second World War Rooms
Modern War Room Origins
• Derived from actual wartime hostilities
• Originally a Centralized Physical Location
• Information Gathering
• Expertise Applied for “Sense-Making”
• Enables Strategic Planning
• Expert Analysts’ Findings
• Informs Decision-Makers
• Traditional Physical War Room Features
• Walls project images, maps, data
• Informs Analysis & Planning
Cold War Room
Modern Electronic War Room
• Invest in war room facilities, training & readiness
• Justified for high-stakes campaign
• Concentration of information, hypotheses, testing assertions, debate, command & control decision-making
• Transaction & communication costs reduced
• Public Policy Derivations
• Adapted to litigation, pre-trial discovery, political campaigns & crisis management
• Crisis a particularly useful organizing principle
• Document Repositories
• Provide easy access to: robust literature, primary/secondary docs
• Selective Availability to defined group(s)
• Strategic choice: public accessibility
Virtual War Rooms
• Various Locations: Security, Defense & Cost
• Dispersed Actors
• Connected Electronically to Info Repositories
• Public Internet connections vs. secure lines
• Communications nerve center(s)
• eDiscovery “in the Cloud”
• “What is the Cloud’s Street Address Again?”
• That’s an “in rem” lawyer’s joke
• Closed systems preserve confidentiality
• Open systems trade off confidentiality
• May Destroy Confidentiality & Privacy
CrowdSource Investigations
• Online Collaboration Lowers Costs/Barriers
• Access many people, each performs a subset of tasks
• Crowd Source Scholars May Argue:
• 1st, Central authority organizes, sets narrow task, vets before decision-making
• Here, grassroots impetus is eventually focused
• Independent Investigative Journalism
• Cite to D. Tapscott; A. D. Williams; P. Bradshaw
• Derived from social networks (SN) & wikis
• Website encourages crowdsource content mgt
• Ward Cunningham: “simplest online database”
• Design options:
• Confidentiality; group expertise, size & dedication; raw data vs. deep analysis through Sense Making