In the United States government, cybersecurity regulation comprises directives from the Executive Branch and legislation from Congress that safeguards information technology and computer systems. The purpose of cybersecurity regulation is to force companies and organizations to protect their systems and information from cyber-attacks. Cyber-attacks include viruses, worms, Trojan horses, phishing, denial of service (DOS) attacks, unauthorized access (stealing intellectual property or confidential information) and control system attacks. There are numerous measures available to prevent cyber-attacks. Cyber-security measures include firewalls, anti-virus software, intrusion detection and prevention systems, encryption and login passwords. Federal and state governments in the United States have attempted to improve cybersecurity through regulation and collaborative efforts between government and the private-sector to encourage voluntary improvements to cybersecurity.
Reasons for cybersecurity
The United States government believes the security of computer systems is important to the world for two reasons. The increased role of Information Technology (IT) and the growth of the e-commerce sector, have made cybersecurity essential to the economy. Also, cybersecurity is vital to the operation of safety critical systems, such as emergency response, and to the protection of infrastructure systems, such as the national power grid .
Cyber attacks against our nation continue to occur across our networks. Based on DHS Secretary Janet Napolitano’s testimony to the Senate in 2012, in 2011 alone, the DHS U.S. Computer Emergency Readiness Team (US-CERT) received more than 100,000 incident reports, and released more than 5,000 actionable cybersecurity alerts and information products. In January 2013, Twitter, the Wall Street Journal, New York Times, and the Department of Energy each reported that their systems had been breached. So far as we know, these attacks have only been successful at probing our systems and compromising data. However, a successful attack on our critical infrastructures could be devastating to the public. Richard Clarke, the former special advisor on cybersecurity to George W. Bush, stated that within the first 48 hours of a cyber attack, the United States could experience, among other things: classified and unclassified network failures, large oil refinery fires and gas pipeline explosions, financial system collapse with no idea of who owns what, trains and subways derailing, and a nationwide blackout leaving cities in the dark. Defense Secretary Leon Panetta stated in October 2012 that, “a cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11…Such a destructive cyber terrorist attack could paralyze the nation”.
Federal government regulation
There are few federal cybersecurity regulations, and the ones that exist focus on specific industries. The three main cybersecurity regulations are the 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley Act, and the 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA). These three regulations mandate that healthcare organizations, financial institutions and federal agencies protect their systems and information. For example, FISMA, which applies to every government agency, “requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security”. But, these regulations do not address numerous computer related industries, such as Internet Service Providers (ISPs) and software companies. Furthermore, these regulations do not specify what cybersecurity measures must be implemented and require only a “reasonable” level of security. The vague language of these regulations leaves much room for interpretation. Bruce Schneier, founder of Cupertino’s Counterpane Internet Security, argues that companies will not make sufficient investments in cybersecurity unless government forces them to do so. He also states that successful cyber-attacks on government systems still occur despite government efforts.
It has been suggested that the Data Quality Act already provides the Office of Management and Budget the statutory authority needed to implement critical infrastructure protection regulations through the Administrative Procedure Act rulemaking process. This idea has not been fully vetted and would require additional legal analysis before a rulemaking could begin.
State government regulation
State governments have attempted to improve cybersecurity by increasing public visibility of firms with weak security. In 2003, California passed the Notice of Security Breach Act which requires that any company that maintains personal information of California citizens and has a security breach must disclose the details of the event. Personal information includes name, social security number, driver’s license number, credit card number or financial information. Several other states have followed California’s example and passed similar security breach notification regulations. These security breach notification regulations punish firms for their cybersecurity failures while giving them the freedom to choose how to secure their systems. Also, this regulation creates an incentive for companies to voluntarily invest in cybersecurity to avoid the potential loss of reputation and the resulting economic loss that can come from a successful cyber-attack.
In 2004 the California State Legislature passed California Assembly Bill 1950 which also applies to businesses that own or maintain personal information for California residents. This regulation dictates that businesses maintain a reasonable level of security and that these required security practices also extend to business partners. This regulation is an improvement on the federal standard because it expands the number of firms required to maintain an acceptable standard of cybersecurity. However, like the federal legislation, it requires a “reasonable” level of cybersecurity, which leaves much room for interpretation until case law is established.
Other government efforts
In addition to regulation, the federal government has tried to improve cybersecurity by allocating more resources to research and collaborating with the private-sector to write standards. In 2003, the President’s National Strategy to Secure Cyberspace made the Department of Homeland Security (DHS) responsible for security recommendations and researching national solutions. The plan calls for cooperative efforts between government and industry “to create an emergency response system to cyber-attacks and to reduce the nation’s vulnerability to such threats”. In 2004, Congress allocated $4.7 billion toward cybersecurity and achieving many of the goals stated in the President’s National Strategy to Secure Cyberspace. Some industry security experts state that the President’s National Strategy to Secure Cyberspace is a good first step but is insufficient. Bruce Schneier stated that “The National Strategy to Secure Cyberspace hasn’t secured anything yet”. However, the President’s National Strategy clearly states that the purpose is to provide a framework for the owners of computer systems to improve their security rather than the government taking over and solving the problem. Yet, companies that participate in the collaborative efforts outlined in the strategy are not required to adopt the discovered security solutions.
In the European Union, draft legislation would "require all companies to report attacks on and breaches of their networks to local authorities, which would be obliged to make them public". Business lobbyists, however, believe that such laws would sully brand reputations and burden companies with high compliance costs.
In the United States, Congress is trying to make information more transparent after the Cyber Security Act of 2012, which would have created voluntary standards for protecting vital infrastructure, failed to pass through the Senate. In February 2013, the White House issued an executive order, titled "Improving Critical Infrastructure Cybersecurity," which allows the Obama Administration to share information about threats with more companies and individuals. In April 2013, the House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA), which calls for protecting against lawsuits aimed at companies that disclose breach information. The Obama Administration said it may veto the bill.
The U.S. Congress has proposed numerous bills that expand upon cybersecurity regulation. The Consumer Data Security and Notification Act amends the Gramm-Leach-Bliley Act to require disclosure of security breaches by financial institutions. Congressmen have also proposed “expanding Gramm-Leach-Bliley to all industries that touch consumer financial information, including any firm that accepts payment by a credit card”. Congress has proposed cybersecurity regulations similar to California’s Notice of Security Breach Act for companies that maintain personal information. The Information Protection and Security Act requires that data brokers “ensure data accuracy and confidentiality, authenticate and track users, detect and prevent unauthorized activity, and mitigate potential harm to individuals”.
In addition to requiring companies to improve cybersecurity, Congress is also considering bills that criminalize cyber-attacks. The Securely Protect Yourself Against Cyber Trespass Act (SPY ACT) is a bill of this type. This bill which focuses on phishing and spyware bill that was passed on May 23, 2005, in the United States House of Representatives and is currently in committee in the Senate. This bill “makes unlawful the unauthorized usage of a computer to take control of it, modify its setting, collect or induce the owner to disclose personally identifiable information, install unsolicited software, and tamper with security, anti-spyware, or anti-virus software”.
On May 12, 2011, U.S. President Obama proposed a package of cybersecurity legislative reforms to improve the security of U.S. persons, the federal government, and critical infrastructure. A year of public debate and U.S. Congress hearings followed, resulting in the U.S. House of Representative passing an information sharing bill and the U.S. Senate developing a compromise bill seeking to balance national security, privacy, and business interests.
In July 2012, the Cybersecurity Act of 2012 was proposed by Senators Joseph Lieberman and Susan Collins. The bill would have required creating voluntary "best practice standards" for protection of key infrastructure from cyber attacks, which businesses would be encouraged to adopt through incentives such as liability protection. The bill was put to a vote in the Senate but failed to pass. President Obama had voiced his support for the Act in a Wall Street Journal op-ed and it also received support from officials in the military and national security including John O. Brennan, the chief counterterrorism adviser to the White House. According to The Washington Post, experts said that the failure to pass the act may leave the United States "vulnerable to widespread hacking or a serious cyberattack". The act was opposed by Republican senators including John McCain who was concerned that the act would introduce regulations that would not be effective and could be a "burden" for businesses. After the senate vote, Republican senator Kay Bailey Hutchison stated that the opposition to the bill was not a partisan issue, but rather that the Act did not take the right approach to cybersecurity.The senate vote was not strictly along partisan lines, six Democrats voted against the Act, while five Republicans voted in favor. Critics of the bill included the U.S. Chamber of Commerce, advocacy groups including the American Civil Liberties Union and the Electronic Frontier Foundation, cybersecurity expert Jody Westby and The Heritage Foundation, both of whom argued that although the government does need to act on cybersecurity, the 2012 bill was flawed in its approach and represented "too intrusive a federal role".
In February 2013, President Obama proposed the Executive Order Improving Critical Infrastructure Cybersecurity. It represents the latest iteration of policy, but is not considered to be law as it hasn’t been addressed by Congress yet. It seeks to improve existing public-private partnerships by enhancing timeliness of information flow between DHS and critical infrastructure companies. It directs federal agencies to share cyber threat intelligence warnings to any private sector entity identified as a target. It also tasks DHS with improving the process to expedite security clearance processes for applicable public and private sector entities to enable the federal government to share this information at the appropriate sensitive and classified levels. It directs the development of a framework to reduce cyber risks, incorporating current industry best practices and voluntary standards. Lastly, it tasks the federal agencies involved with incorporating privacy and civil liberties protections in line with Fair Information Practice Principles.
While experts agree that cybersecurity improvements are necessary, there is disagreement about whether the solution is more government regulation or more private-sector innovation. Many government officials and cybersecurity experts believe that the private-sector has failed to solve the cybersecurity problem and that regulation is needed. Richard Clarke states that, “industry only responds when you threaten regulation. If industry does not respond [to the threat], you have to follow through”. He believes that software companies must be forced to produce more secure programs. Bruce Schneier also supports regulation that encourages software companies to write more secure code through economic incentives. U.S. Rep. Rick Boucher (D–VA) proposes improving cybersecurity by making software companies liable for security flaws in their code. In addition, to improving software security, Clarke believes that certain industries, such as utilities and ISPs, require regulation.
On the other hand, many private-sector executives believe that more regulation will restrict their ability to improve cybersecurity. Harris Miller, president of the Information Technology Association of America, believes that regulation inhibits innovation. Rick White, President and CEO of TechNet, also opposes more regulation. He states that, “the private-sector must continue to be able to innovate and adapt in response to new attack methods in cyber space, and toward that end, we commend President Bush and the Congress for exercising regulatory restraint”. Another reason many private-sector executives oppose regulation is because it is costly. Firms are just as concerned about regulation reducing profits as they are about regulation limiting their flexibility to solve the cybersecurity problem efficiently.
- computer security
- National Strategy to Secure Cyberspace
- National Cyber Security Division
- United States Department of Homeland Security
- CERT Coordination Center
- National Security Directive
- Cyber security standards
- Rise Is Seen in Cyberattacks Targeting U.S. Infrastructure July 26, 2012 New York Times
- FT Special Report (7 June 2013). "Secrecy hampers battle for web". Financial Times. Retrieved 12 June 2013.
- "Executive Order -- Improving Critical Infrastructure Cybersecurity". The White House. Office of the Press Secretary. Retrieved 12 June 2013.
- ^ "A chronology of data breaches reported since the ChoicePoint incident." (2005). Retrieved October 13, 2005.
- ^ "Electronic privacy information center bill track: Tracking privacy, speech and civil liberties in the 109th congress." (2005). Retrieved October 23, 2005.
- ^ "How computer viruses work." (2005). Retrieved October 10, 2005.
- ^ "The National Strategy to Secure Cyberspace." (2003). Retrieved December 14, 2005.
- ^ "Notice of security breach - civil code sections 1798.29 and 1798.82 - 1798.84." 2003). Retrieved October 23, 2005.
- ^ "Richard Clarke interview." (2003). Retrieved December 4, 2005.
- ^ Gordon, L. A., Loeb, M. P., Lucyshyn, W. & Richardson, R. (2005). "2005 CSI/FBI computer crime and security survey." Retrieved October 10, 2005.
- ^ Heiman, B. J. (2003). Cybersecurity regulation is here. RSA security conference, Washington, D.C. Retrieved October 17, 2005.
- ^ Kirby, C. (2003, December 4, 2003). Forum focuses on cybersecurity. San Francisco Chronicle.
- ^ Lemos, R. (2003). "Bush unveils final cybersecurity plan." Retrieved December 4, 2005.
- ^ Menn, J. (2002, January 14, 2002). Security flaws may be pitfall for Microsoft. Los Angeles Times, pp. C1.
- ^ Rasmussen, M., & Brown, A. (2004). "California Law Establishes Duty of Care for Information Security." Retrieved October 31, 2005.
- ^ Schmitt, E., Charron, C., Anderson, E., & Joseph, J. (2004). "What Proposed Data Laws Will Mean for Marketers." Retrieved October 31, 2005.
- ^ Jennifer Rizzo. (August 2, 2012) "Cybersecurity bill fails in Senate." Accessed August 29, 2012.
- ^ Paul Rosenzweig. (July 23, 2012) "Cybersecurity Act of 2012: Revised Cyber Bill Still Has Problems." The Heritage Foundation. Accessed August 20, 2012.
- ^ Ed O’Keefe & Ellen Nakashima. (August 2, 2012 ) "Cybersecurity bill fails in Senate." The Washington Post. Accessed August 20, 2012.
- ^ Alex Fitzpatrick. (July 20, 2012) "Obama Gives Thumbs-Up to New Cybersecurity Bill." Mashable. Accessed August 29, 2012.
- ^ Brendan Sasso. (August 4, 2012) "After defeat of Senate cybersecurity bill, Obama weighs executive-order option". The Hill. Accessed August 20, 2012.
- ^ Jaikumar Vijayan. (August 16, 2012) "No partisan fight over cybersecurity bill, GOP senator says". Computerworld. Accessed August 29, 2012.
- ^ Carl Franzen. (August 2, 2012) "As Cybersecurity Bill Fails In Senate, Privacy Advocates Rejoice". TPM. August 29, 2012.
- ^ Alex Fitzpatrick. (August 2, 2012) "". Mashable. Accessed August 29, 2012.
- ^ Jody Westby (August 13, 2012) "Congress Needs to Go Back To School on Cyber Legislation". Forbes. Accessed August 20, 2012.