Editor’s Note: Cost-benefit analysis for cybersecurity is an essential prerequisite for developing an effective cybersecurity regulatory program. For more information on the need for the federal government to develop such cost-benefit analysis tools, please see CRE’s Statement to the Information Security and Privacy Advisory Board (ISPAB) available here.
Most businesses have paid little attention to the sweeping cybersecurity legislation introduced on Valentine’s Day by Senators Lieberman, Collins, Rockefeller, and Feinstein, even though it could be one of the most expensive and intrusive pieces of legislation proposed since Sarbanes-Oxley. Intended to help protect the nation against a major cyber attack by improving the security and resiliency of the computer systems of critical infrastructure companies, the Cybersecurity Act of 2012 (S. 2105) actually would put a federal agent inside most of these businesses’ data centers and require assessments and reporting that could make Sarbanes-Oxley seem inexpensive.
Since 1998, the number of critical infrastructure sectors, now designated by Homeland Security Presidential Directive-7, has grown from six to eighteen, encompassing a huge number of U.S. businesses. Each designated sector is aligned with a federal agency (referred to as a Sector-Specific Agency) that is tasked with identifying key risks and vulnerabilities associated with systems and assets within the sector. For example, the banking and financial sector is assigned to the Treasury Department, electricity grids are assigned to the Energy Department, and transportation systems are assigned to the Department of Transportation and Coast Guard. This coupled and stove-piped approach has not been emulated globally because it is not sustainable and, for the most part, cyber attacks are not sector-specific – they involve civilians and rapidly spread across sectors.
The Department of Homeland Security (DHS) has spent a decade trying to devise plans for critical infrastructure protection, encourage public-private information sharing, and coax and cajole the private sector into paying attention to their cybersecurity programs. After ten years of little progress, its frustration point matched that of many in the security and auditing industries who had decided that congressional mandates were the only way to get companies to spend money on the security of their systems. Their wish lists were ready: government authority to conduct risk assessments, annual reviews, mandated requirements, and continuing oversight.
The Senate bill more than fulfills their hearts’ desire. Within 90 days after enactment, the legislation requires the DHS Secretary to conduct sector-by-sector risk assessments of cyber threats, vulnerabilities, risks, and the probability of catastrophic incidents. Beginning with the highest priority sectors, DHS – not the company – must conduct ongoing cyber risk assessments using state-of-the-art modeling, simulation, and analysis and consider:
- the actual or assessed threat, including adversary capabilities;
- the extent and likelihood of death, injury, or serious adverse effects to human health and safety caused by damage or unauthorized access to the infrastructure;
- the extent to which the damage will disrupt other infrastructure;
- the harm to the economy that may result;
- the risk of national or regional catastrophic damage in the U.S. caused by unauthorized access outside the U.S.; and
- the overall preparedness and resilience of the sector.
Whew. Businesses, for their part, may “provide input” to the risk assessments and must provide “reasonable access” to the assessor. The frequency of the assessments is open-ended, as the bill gives DHS the authority to conduct these assessments any time based upon “reliable intelligence or other information indicating a cyber risk” or “actual knowledge or reasonable suspicion.”
The DHS Secretary must submit these risk assessments “in a classified or unclassified form” to the President, appropriate federal agencies, and Congressional committees. Whoa. That is a lot of company data that could have a significant impact on stock price, market share, and competitiveness – and reveal vulnerabilities – if shared inappropriately or inadvertently disclosed, especially if it is unclassified. Is there a Chairman or CEO on the Forbes Global 2000 list who would want this type of assessment undertaken on their company by the federal government and distributed by DHS at their discretion?
In designating whether a company’s systems are within a “covered critical infrastructure” category, the Secretary must take into account, “to the extent practicable,” the input of the owners of the infrastructure. Such designations, however, are not just at the sector and company level; they are at the system or asset level. Companies unhappy with the designations are allowed to appeal to federal court.
The designation as a covered critical infrastructure is only the beginning. The DHS Secretary also must:
- develop cyber security performance requirements for each sector that require system owners to remediate or mitigate any identified risks or consequences; and
- promulgate regulations to enhance the security of the infrastructure against cyber risks.
With overtones of Sarbanes-Oxley, the bill also requires the owners of these systems to either certify annually to DHS and their sector agency whether they have implemented security measures to satisfy the performance requirements or submit a third-party assessment. Even if a company subject to the provisions of the bill can obtain an exemption by demonstrating that it is sufficiently secured or in compliance with the risk-based performance requirements, it must undergo this process every three years.
Third-party assessors also do not escape regulation: they must be certified by the Secretary and meet regulatory requirements for conducting such assessments. Moreover, the third-party assessors must provide their findings not only to the company, but to DHS and any federal agency responsible for regulating the security of the company’s infrastructure, increasing the distribution of this sensitive information.
All of this is required by page 32 of a 205-page bill. The problem, of course, is that the entire approach is flawed. It is foolish to believe that DHS performance requirements and regulations for security can keep pace with the rapid evolution of cyber threats. Moreover, numerous international technical working groups, standards-setting bodies, and researchers are working continuously on solutions, protocols, and approaches to the multidimensional problem of cyber threats. Their work is published, incorporated into global standards and best practices, and adopted and deployed by organizations around the world. It is extremely unlikely that DHS regulations will keep pace with this work. Almost certainly, cybercriminals will develop exploits around these mandates, and U.S. companies will be more vulnerable because they will be meeting compliance requirements instead of deploying the latest technologies or approaches that will best help them to detect, deter, and combat current threats. Precious corporate security budgets will be spent on assessments and compliance instead of on better technologies or advancements to enterprise security programs.
Most importantly, no one knows what this bill will cost the government or the businesses it impacts. One thing is certain: it will be expensive. If enacted, this legislation could have a detrimental impact on the U.S. economy because the cost of compliance will swallow the funds desperately needed by businesses to create jobs and boost economic growth. As businesses are trying to recover from the recession, they will be forced to absorb the costs associated with the assessments, such as interference with business operations, system downtime, staff support to assessors, deficiency mitigation, and compliance with performance requirements. The legislation also carries a huge price tag for taxpayers, who will foot the cost of the assessments, which surely will number at least in the tens of thousands.
Pursuant to the 2004 DHS Appropriations Conference Report, DHS was required to submit a cost-benefit analysis report to Congress on whether the private sector should be required to provide information to DHS on security measures and vulnerabilities associated with their critical infrastructure. A 2009 Government Accountability Office (GAO) report on DHS’s efforts to generate the required report is insightful: DHS paid two contractors about $3.4 million to produce a report, which only discussed possible costs and benefits but did not set forth any qualitative analysis, distinguish between costs and benefits, or indicate those that were most important, all of which are required by the Office of Management and Budget (OMB) Circular A-4. According to GAO, DHS claimed the cost-benefit analysis was not performed because it did not have quantifiable data, and the Department now considers the report to be out of date. “As far as we are aware, DHS has never provided the required cost-benefit report to Congress,” noted Stephen Caldwell, author of the GAO report.
Of course, any cost analysis will vary depending upon the approach used for the assessments. The appropriate methodology for conducting such assessments, however, is far from settled. Not only does the methodology used impact the cost, but it also impacts the company, both in the findings of an assessment and the operational disruption. Eric Solano, a prominent researcher with RTI International, noted that, “Although many in my field have been studying assessment methodologies for critical infrastructure, there is no agreement on any particular method, and I have not seen any study on how to quantify the costs of these assessments, both from the side of the entity being assessed and the cost of the assessments themselves.”