The Impact of Cybersecurity Legislation and Policy

The defeat of the Cybersecurity Act of 2012 in the US Senate was a major factor in President Obama’s February 2013 executive order on cybersecurity for CI
The defeat of the Cybersecurity Act of 2012 in the US Senate was a major factor in President Obama’s February 2013 executive order on cybersecurity for CI

Among the issues discussed by the panel were privacy, industry blowback, and congressional efforts to address cybersecurity for critical infrastructure operators (CI) – most of which are privately owned in the US.

Norman Pearlstine, chief content officer for Bloomberg LP and chairman of Bloomberg Businessweek, moderated the discussion, and first highlighted former Sen. Joe Lieberman’s efforts to get a comprehensive cybersecurity bill passed. He considered this one of the most noteworthy recent developments, mostly due to the resistance it received from the business community, including the US Chamber of Commerce.

The defeat of the Cybersecurity Act of 2012 in the US Senate, as Pearlstine observed, was a major factor in President Obama’s February 2013 executive order on cybersecurity for CI. “It has changed some of the rules in terms of some of our behavior”, he commented to an audience of security and intelligence professionals during last week’s SINET Innovation Summit at New York’s Columbia University.

Recent moves by the administration – including the executive order – have attempted to address counter-terrorism, hazards, resiliency and cybersecurity issues for CI, according to an evaluation given by Bruce McConnell, the Department of Homeland Security’s acting Deputy Undersecretary for Cybersecurity. A major issue raised in the debate over the executive and its proposed framework is the degree to which privacy concerns will be addressed, mainly for the protection of the infrastructure operators themselves.

“We can get both privacy and security” McConnell asserted. “The way to do that is by building trust through transparency.” Examples he provided included adequate oversight and reporting by the government – namely unclassified privacy impact assessments that outline how information is collected and used.

Privacy is one part of the “three-legged stool” McConnell outlined as part of these legislative/policy efforts; the other components comprise information sharing (both classified and unclassified) by the government with CI operators and the proposed Cybersecurity Framework spearheaded by NIST.

McConnell said the framework currently in development will be the basis of a voluntary program for CI operators, with a beta version expected in October 2013, followed by an expected finalized framework in February 2014. The voluntary framework will have a scaled model, he anticipated, based on an organization’s maturity and needs, rather than being one all-encompassing “ceiling-type model” for operators to implement.

Mark Weatherford formerly held McConnell’s position at DHS, and is now a principal with the Chertoff Group, a security advisory firm. He said legislative efforts in the area failed because of industry backlash, in addition to poor communication of the imperatives involved by those promoting them. As for the executive order, Weatherford offered more tempered praise: “It raises the dialogue...without going to far. It advances the ability of the government, through NIST, and advances the conversation across the industry. There are limitations”, he continued, adding “there is a certain amount of distrust among industry”.

Weatherford also identified “scaling issues” with the executive order, with respect to the information sharing provisions. The issue of additional security clearances within the private sector is a primary concern, he noted, especially given the post-Snowden era the US government is now operating within.

He concluded that the executive order would be an “evolutionary process”, but would be an overall positive development for CI cybersecurity and the industry as a whole. “It will take a number of years to get this framework to a place where industry accepts it and embraces it”, Weatherford concluded.

This last comment highlights the diverging approaches to cybersecurity legislation in the area of critical infrastructure. Some proposals, such as the initial draft of the Cybersecurity Act, sought to create and impose regulatory structures on CI operators. The executive order, on the other hand, creates a voluntary framework that operators will have the option to adopt – at least from the outset.

Robert Coles, CISO for UK-based National Grid, explained why a prescriptive regulatory approach would likely have deleterious effects on promoting increased cybersecurity for CI, contrary to its intended goals. In Europe, he observed, similar legislation tends to take a risk-based approach, “but in America, regulation tends to be very low level – very long list of compliance rules that everyone must do exactly the same way”.

Given that the Obama executive order borrows a page from the risk-based approach, rather than mandatory compliance, Coles asserted that the order’s effectiveness “holds some promise” by allowing CI operators to engage with regulators in a constructive manner that allows them to identify best practices for cybersecurity that fit their particular industry.

Coles concluded that a legislative regulation would not achieve the goals of promoting increased cybersecurity, but rather lead to “compliance fatigue” that results in operators doing the bare minimum to achieve compliance goals. “Once you have written down a regulation, it actually prevents you from protecting yourself appropriately against a changing threat landscape”, he warned. “The opportunity here is to take the effort away from the direction of regulation and focus the Obama executive order around the understanding of risk.”

What’s Hot on Infosecurity Magazine?