Cybersecurity regulation will take its place alongside environmental regulation, health and safety regulation and financial regulation as a major federal activity. What is not yet clear is what form the regulations will take. FISMA controls, performance standards, consensus standards and industry-specific consortia standards are all possible regulatory approaches. What is not likely is an extended continuation of the current situation in which federal authorities have only limited, informal oversight of private sector cyberdefenses (or lack thereof).
Early federal steps to formalizing regulation of private sector IT security are already underway, with different approaches being taken by different agencies. For example, the Department of Defense is employing a FISMA-based approach in a rulemaking that would require contractors “to implement adequate security measures to safeguard unclassified DoD information….” The proposed rule would mandate that the “information security program shall implement, at a minimum, the specified National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security controls…”
A very different approach to private sector cybersecurity has been taken by the Federal Reserve with respect to debit card transactions. The agency’s interim rule for debit card cybersecurity/fraud prevention takes a non-prescriptive approach to regulation. In making its decision, the Federal Reserve explained that “[s]pecifying, and limiting the set of, technologies for which issuers recover their costs may weaken the long-term effectiveness of these technologies.” Although the non-prescriptive route offers financial service firms greater flexibility, one downside is that the rule, which is part of a price cap proceeding, effectively limits the resources card issuers are able to spend on security.
The Securities and Exchange Commission (SEC) is taking a reporting-based approach to private sector cybersecurity. The SEC’s new guidance states that “cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant.” Moreover, a publicly traded company “may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context.” Meanwhile, the FBI is taking a very different approach to cybersecurity by calling for a secure, limited access alternative internet to support critical government and corporate functions.
Agencies’ approaches to cybersecurity risk management are being driven by their different statutory responsibilities and authorities rather than reflecting regulatory mechanisms which have been tailored to the needs of different industries. Although a one-size-fits-all federal attitude toward cybersecurity regulation is not necessarily beneficial, neither is an ad hoc modus operandi.
Instead, there is a need for a national dialog to ventilate cyber-regulatory issues, preferably prior to additional regulatory and legislative activities. Stakeholders which would need to be represented in the dialog include agencies with technical expertise, such as NIST; regulatory agencies, including the independent ones (FCC, FERC, etc.); various industry sectors, including small business representatives; state and local governments; civil society; academia; and major trading partners. NIST’s Risk Management Framework could help provide structure to the discussions.
One of the most important issues that needs to be explored is what entities would potentially be subject to regulation. “Critical infrastructure” is a convenient term to describe entities which may be cyber-regulated but not one which has well defined boundaries. For example, development of the Smart Grid could mean that home internet connections may be considered as critical infrastructure and subject to security regulation. Thus, there could be security-related regulation of everything from the design of home appliances to the use of home computers.
The twin issues of liability and accountability also need to be thoroughly explored before new cybersecurity regulations are developed. If a regulated company experiences a security breach, who is at fault from a regulatory compliance viewpoint? The company? Its IT vendors? The company that wrote the software program containing the vulnerability that was exploited? The possibilities for liability and blame-shifting are endless. All that’s clear at this point is that everyone from code writers to cloud vendors may be subject to federal cybersecurity regulation.
The possibilities for IT security conformity assessment requirements are also open-ended. Possibilities include Sarbanes-Oxley style independent audits and certification by senior corporate officers as well as numerous alternative mechanisms.
The sooner a broad-based structured dialog begins, the better. An Interactive Public Docket such as FISMA Focus could serve as an inclusive, transparent mechanism facilitating the dialog. Principles which should govern development of cyber-regulation, including cost effectiveness, should be the first discussion topic.