Editor’s Note: In the following article the author describes the “Good Government” laws which “regulate the regultors”. These laws will govern the issuance of regulations dealing with the protection of the nation’s critical infrastructure from cyber attacks.
Cybersecurity regulation is coming. Whether regulations intended to enhance critical infrastructure protection will be based on existing statutory authority, new legislation, an Executive Order or a combination of legal authorities, however, is still unknown.
Other aspects of the coming federal oversight of critical infrastructure cybersecurity that remain undetermined include the extent to which governance system will include voluntary characteristics and the time frame for initiation of new cybersecurity regulation. More specifically, whether critical infrastructure protection regulation will come before or after a major destructive cyberattack on the United States has yet to be decided.
Nonetheless, it’s not too soon to explore an attribute that needs to be integral to any new cybersecurity regulation — cost-effectiveness. Cost effectiveness needs to be designed into any plans for critical infrastructure cyberdefense for two reasons. First, if regulations affecting much of the economy are not cost-effective, the regulatory structure will not have lasting viability and will not boost industrial security irrespective of legal requirements. Second, a discussion of cost effectiveness inherently encompasses a review of several issues that are fundamental to any rational regulatory scheme starting which, what is meant by effective cybersecurity?
Effective Cybersecurity Means Risk Management, Not Absolute Safety
It makes no more sense to refer to making any critical infrastructure sector “secure” than it does to trying to ensure that air, water, a consumer product or anything else is “safe.” After all, even unplugging all the computers would still leave them vulnerable to physical theft or destruction. Moreover, unrealistic safety/security goals are not idealistic, but wasteful, undermining achievable gains. As with all regulation, safety/security should be understood as managing — not eliminating — risk.
To assist in the risk management process, the National Institute of Standards and Technology (NIST) has developed a Risk Management Framework (RMF). The RMF is applicable to private and government enterprises. The Framework provides a life cycle approach for systematically analyzing and making risk decisions, including the selection of security controls, evaluating how well the controls are working, and changing/updating the controls.
NIST has also developed an extensive set of information security publications providing standards and guidance, applicable to all types of organizations working on cybersecurity risk management.
A working definition of cost-effectiveness is found in a Circular published by the White House Office of Management and Budget (OMB). The document explains that a “program is cost-effective if, on the basis of life cycle cost analysis of competing alternatives, it is determined to have the lowest costs expressed in present value terms for a given amount of benefits.”
There are two principles that can be drawn from OMB’s definition of cost-effectiveness, particularly when considered in context of the RMF. First, prospective cybersecurity costs should be analyzed on a life cycle basis. Second, cybersecurity regulations should be designed to achieve a selected risk profile at the lowest present value cost. The lowest practical cost approach is in keeping with the regulatory principle in Executive Order 13563 requiring agencies to tailor “regulations to impose the least burden on society, consistent with obtaining regulatory objectives….”
Moreover, just as information security needs to be integrated throughout an enterprise, the regulatory costs of critical infrastructure protection need to be analyzed within the context of all regulatory costs on an industry.
The need to analyze cumulative regulatory costs is specifically cited in the regulatory principles discussion in the Executive Order on Improving Regulation and Regulatory Review. Additional specific implementing directives on cumulative cost analysis are provided by OMB’s Office of Information and Regulatory Affairs (OIRA). A May 2012 OIRA Memorandum on the Cumulative Effects of Regulations provides a series of specific steps that agencies are to engage in to “promote consideration of cumulative effects, and to reduce redundant, overlapping, and inconsistent requirements” when developing regulations.
The question remains, however, of how to develop cost-effective cybersecurity regulation. The answer has two parts each of which will each be discussed below in greater detail. First, agencies and OMB need to scrupulously adhere to the “good government” laws that regulate the regulatory process. Second, regulatory development and implementation decisions should be informed by cost-benefit metrics and best practice case studies.
The Good Government Laws: Regulating Cybersecurity Regulation
There are a series of laws that provide processes and standards that govern the regulatory state. These laws include the Administrative Procedure Act (APA), the Paperwork Reduction Act (PRA), the Data Quality Act (DQA, also known as the Information Quality Act), the Small Business Regulatory Enforcement Fairness Act Regulatory Flexibility Act (SBREFA, originally the Regulatory Flexibility Act prior to amendment) and the Executive Order on regulatory review along with various implementing guidance documents.
Although an in-depth discussion of each good government law is well beyond the scope of this article, a brief description of how the major legal authorities can help protect the regulated community from unduly burdensome regulation is provided.
The APA is the most basic of the good government laws; it creates due process rights through the notice-and-comment process and protects against arbitrary and capricious regulatory actions.
The PRA creates a participatory process agencies are required to undertake prior to any collection of information from ten or more persons. The law requires that information which agencies seek to collect have “practical utility” and not be duplicative of other collections. The PRA creates a process in which agencies are to engage the regulated community in formal and informal discussions as to how best to achieve an agency’s information collection needs. The PRA applies to voluntary as well as mandatory information collections. No agency is permitted to undertake an information collection without OIRA’s authorization.
The DQA sets quality standards for virtually all information disseminated publicly by Executive Branch agencies. Quality is defined as including objectivity, utility and integrity. OMB set binding government-wide requirements for these criteria and has also issued additional implementing documents. Of particular note, the DQA creates an administrative process allowing affected persons to “seek and obtain” correction of federal data not meeting quality standards, such as analyses relied on by agencies in developing regulations.
As I’ve previously discussed, the integrity of component of the DQA has private sector cybersecurity implications. Since the DQA applies to third-party data that agencies use or rely on in their public disseminations, agencies need to be able to attest to the integrity of data they collect from third-party information systems prior to being able to use the data in a public information dissemination. I have also discussed the possibility that the DQA provides statutory authority OMB could use to enact critical infrastructure cybersecurity regulations.
SBREFA has provisions to ensure that agencies give consideration to the regulatory burdens that would be imposed on small businesses and other small entities, such as small local governments. A key goal of the SBREFA process is for agencies to create, where possible, lower burden compliance requirements for small entities.
EO 13563 is the most recent statement of White House regulatory review authority, a power that has been exercised for more than 40 years by eight Presidents. The centralized regulatory review process administered by OMB under Presidential direction can be tremendously influential in determining the federal regulatory policies.
Best Practices: Key to Implementing a Cost-Effective Cyber Defense
Regulatory mechanics provide the processes by which cost-effectiveness should be taken into account in developing federally-managed cyberdefenses for critical infrastructure. What industry and government still need to know are how to identify which implementation steps, measurement techniques, and practices work best from a security and cost perspective.
Best Practice case studies can provide organizations with useful guidance irrespective of whether there any regulatory mandates. Ideally, the studies should be equally applicable to private and government networks.
A case in point is FISMA’s requirement for continuous monitoring of networks. Based on the experience of a federal network in using their continuous monitoring tools in defending against cyberattacks, Best Practices for information security continuous monitoring were identified. These Federal Cybersecurity Best Practices are equally applicable to private sector networks and are beneficial even in the absence of a regulatory mandate. It is important to recognize, of course, that any regulations need to flexible enough to allow not only the identified best practices but also alternative compliance approaches.
The need exists for best practice analyses of aspects of critical infrastructure cyberdefense in addition to continuous monitoring. Moreover, there is the need for IT cost-benefit analytic techniques to assist in evaluating cybersecurity projects. It would be a mistake, however, to view these methodologies and metrics as applicable only to the security aspects of IT. Just the opposite.
Big Data – It’s More Than Analysis, It’s a Paradigm
There have been countless promises associated with Big Data. Some of them may even be true. But it’s hard to tell. Investments in Big Data projects have been slowed by the lack of tools and techniques for objectively evaluating project proposals — and comparing them against alternative investment opportunities. In short, the situation for Big Data project proposals is the same as for security-centric proposals, they need to make demonstrable sense from a cost-benefit standpoint.
Two points were made at the top of this article, cybersecurity regulation is coming and the security has to make business sense irrespective of any regulatory mandate. Big Data proposals and cyberdefense proposals share a common need to make a business case in order to get funded. Another commonality is that neither Big Data nor cybersecurity is limited to any given organizational function.
The Big Data paradigm is about integration of datasets, potentially across many networks and time periods. It is this expansive perspective that is also essential to information security.
Where does this leave us? Two conclusions. One, there needs to be additional work on developing broadly applicable business case analyses evaluating various types of cybersecurity and Big Data projects. Two, cybersecurity regulation needs to be cost effective. Improving critical infrastructure cyberdefenses will require a balance of security and economic effectiveness.
Balance can be misunderstood as a compromise that achieves no goal except, perhaps, the substitution of activity for accomplishment. This need not be the case, to wit, consider the exemplar of balance without compromise, a ballerina en pointe.
By Bruce Levinson, SVP, Regulatory Intervention — Center for Regulatory Effectiveness