Assessing the Public Policy Morass Surrounding Cyber-Security Protection
Posted on 10-Feb-2016
Cyber-Security Policy Morass (FISC 2013)
Assessing the Public Policy Morass Surrounding Cyber-Security Protection
Prof. John W. Bagby
College of Info. Sci. & Tech., Pennsylvania State University

Really?!? A Morass
• That Which Entraps, Hinders, Overwhelms or Impedes Progress
  – also: a disordered or muddled situation or circumstance; a low-lying soggy swampland
  – Assumes Cyber-Security Progress has Stalled
  – Offers Public Policy Assessment to Assist Resolution Among Entrenched Interests
• Really any different than other current public policy situations? Like what?!?

Evidence of Vulnerabilities
• Vulnerability Invited Damage
  – Iranian Denial of Service on US Consumer Financial Services, Sept. ’12
  – Shamoon virus, Saudi Oil, Ja. ’12
  – TJX Hack in ’07: 45 million customer PII
• Vulnerabilities Successfully Defended!
  – Empirical Counts of Probes or Thwarted Attacks
• CERT Data Show Scope, Source, Failure, Resolution
  – DoD under constant attack

Sensitivities: Private-Sector vs. National Security
• Cyber-Security Conundrum Defies Resolution
  – Vulnerability Demands Remediation
  – Public Policy Consensus Unlikely
  – Probability/Magnitude Calculus from Basic v. Levinson ’88
• Traditional Private Sector Risk Analysis – Prof. T.
  – Actuarial-Based
  – Standard: ROI Dominates over Costs of Failure
• Traditional National Security Risk Analysis – Col. J.
  – Black Swans Drive Much Security Investment
  – Standard: Costs of Failure Dominate over ROI
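The probability/magnitude calculus on this slide, worked through as an added example that is not part of the deck: the same control is evaluated under the private-sector rule (adopt only if expected loss avoided beats cost, so ROI dominates) and under the national-security rule (adopt whatever keeps the worst single loss survivable, so cost of failure dominates). The two scenarios, the control, the dollar figures and the survivability threshold are all constructed assumptions, chosen so that a black swan makes the two standards disagree.

```python
"""Probability/magnitude risk calculus under two decision standards.

Added illustration, not from the slides: the scenarios, the control and all
dollar figures are constructed. It contrasts the private-sector actuarial
standard (adopt a control only if expected loss avoided beats its cost)
with the national-security standard (adopt whatever is needed to keep the
worst-case loss survivable, whatever the control costs).
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # chance the event occurs in a given year
    magnitude: float           # loss in dollars if it does occur


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # fractions in [0, 1] by which the control cuts a scenario's probability
    # or magnitude; scenarios not listed are unaffected
    probability_cut: dict
    magnitude_cut: dict


# Constructed portfolio: one frequent, modest-loss event and one black swan.
SCENARIOS = (
    Scenario("phishing-driven fraud", annual_probability=0.30, magnitude=200_000.0),
    Scenario("grid-scale outage", annual_probability=0.005, magnitude=50_000_000.0),
)

# Constructed control: segmentation plus offline backups. It barely dents the
# frequent event but caps the black swan's magnitude.
CONTROL = Control(
    "segmentation_and_offline_backup",
    annual_cost=400_000.0,
    probability_cut={"phishing-driven fraud": 0.20},
    magnitude_cut={"grid-scale outage": 0.90},
)

# Constructed survivability threshold: the largest single loss the
# organisation can absorb without failing.
TOLERABLE_LOSS = 10_000_000.0


def apply_control(scenarios, control):
    """Return the residual scenarios after the control is in place."""
    residual = []
    for s in scenarios:
        p = s.annual_probability * (1.0 - control.probability_cut.get(s.name, 0.0))
        m = s.magnitude * (1.0 - control.magnitude_cut.get(s.name, 0.0))
        residual.append(replace(s, annual_probability=p, magnitude=m))
    return tuple(residual)


def expected_annual_loss(scenarios):
    """Actuarial view: sum of probability x magnitude over all scenarios."""
    return sum(s.annual_probability * s.magnitude for s in scenarios)


def max_single_loss(scenarios):
    """Cost-of-failure view: the largest loss any one event can inflict."""
    return max(s.magnitude for s in scenarios)


def rosi(scenarios, control):
    """Return on security investment: (expected loss avoided - cost) / cost."""
    avoided = expected_annual_loss(scenarios) - expected_annual_loss(apply_control(scenarios, control))
    return (avoided - control.annual_cost) / control.annual_cost


def adopt_under_actuarial_standard(scenarios, control):
    """Private-sector rule from the slide: the control must pay for itself."""
    return rosi(scenarios, control) > 0.0


def adopt_under_cost_of_failure_standard(scenarios, control, tolerable_loss):
    """National-security rule from the slide: the residual worst case must be
    survivable, regardless of what the control costs."""
    return max_single_loss(apply_control(scenarios, control)) <= tolerable_loss


if __name__ == "__main__":
    residual = apply_control(SCENARIOS, CONTROL)
    print(f"expected annual loss, no control: {expected_annual_loss(SCENARIOS):,.0f}")
    print(f"expected annual loss, with control: {expected_annual_loss(residual):,.0f}")
    print(f"ROSI of control: {rosi(SCENARIOS, CONTROL):+.2%}")
    print(f"worst single loss, no control: {max_single_loss(SCENARIOS):,.0f}")
    print(f"worst single loss, with control: {max_single_loss(residual):,.0f}")
    print("actuarial standard adopts:", adopt_under_actuarial_standard(SCENARIOS, CONTROL))
    print("cost-of-failure standard adopts:",
          adopt_under_cost_of_failure_standard(SCENARIOS, CONTROL, TOLERABLE_LOSS))
```

With these constructed numbers the control avoids about $237k of expected annual loss against a $400k cost, so the actuarial standard rejects it; the same control cuts the worst single loss from $50M to $5M, below the $10M survivability line, so the cost-of-failure standard adopts it. That divergence, not the particular figures, is the slide's point.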

What Role is there for Traditional Insurance Underwriting?
• WSJ last week:
  – Danny Yadron, Lobbying Over Cyber Attacks vs.
• CyberSecurity more like Intell & counterespionage
  – Bernard R. Horovitz, Blunting the Cyber Threat to Business, Wall St. J., A15 (1.10.13)
• Coverage Unlikely under Existing Policies
  – Audit using current de facto standards (principles)
  – Ins. Market is coming
• Perhaps Instructive: 90s Intelligent Transport
  – Demo ’97 San Diego: Lloyds-style came JIT
  – Finally 16 yrs later: Google’s Driverless Car
• Will it Hasten FaceBook in YOUR Dashboard?!?

CyberSecurity: Omnibus vs. Sectoral
• Omnibus: Security Measures Apply Broadly
  – Permits Standardization
    • Vulnerabilities Broadly Reduced
  – Socializes Compliance Costs
    • The “Cyber-Security Tax?”
• Sectoral: Security Measures Apply Narrowly
  – Permits Customization to Industry Risks
    • Experimentation breeds experience useful elsewhere
    • EXs: PCI; Financial Services; NIST-Fed. Agencies; HIPAA; DoD
  – Isolates Social Costs as Appropriate
    • Most vulnerable Infrastructures 1st: Financial, Grid, Nat’l Defense
  – Slows Multi-Sectoral Deployment
    • Some Vulnerabilities Persist: Cyber is Broadly Cross-Cutting

Industrial Organization Analysis
• Theory of the firm:
  – boundaries/behaviors between firms & markets,
  – structure of entities, competitive environment, transactions costs, barriers to entry, information asymmetries,
  – role of government policies that intervene to correct market imperfections & incentivize behaviors consistent with policy
• Structure, conduct, performance models
• Proposals Will Alter Traditional I/O

Security Law & Economics
• Private Sector Owns/Operates/Maintains 85% of Critical Infrastructure
• NPV: Direct & Immediate Costs vs. Uncertain Remote Benefits
  – Incentives Appear Insufficient to Anticipate/Inhibit Black Swans
  – Chronic Underestimation of Reputational Degradation
• Free rider: Weakest Link
  – Industry-Wide Irrationalization
  – First-Mover Disadvantage
  – Revelations Signal Vulnerability

Security Law & Economics
• Coordination problem
  – Incentives limited to provide positive externalities, societal benefits
  – Fragmented IT Assets Defy Coordination & Efficient Control
    • Locations, control, monitoring, portability, cloud transience, duties
• Should Cyber-Security be a Public Good?
  – Currently Under-Produced because …
    • Non-Rival – marginal costs low as others benefit
    • Non-Excludable – positive externalities invite free riders; investor cannot capture all benefits
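The under-production argument made on the two Security Law & Economics slides (free riders on the previous slide, non-excludability on this one), as an added worked model that is not part of the deck. It is a constructed total-effort public-good game rather than a strict weakest-link (minimum-effort) game: each of n firms pays for its own security effort, the protection everyone enjoys depends on total effort, and each firm captures only its own share of the benefit. Best-response dynamics find the stable private outcome, which is compared with the total effort a planner counting every firm's benefit would choose. The functional form and every parameter value are assumptions.

```python
"""Under-production of security as a non-rival, non-excludable good.

Added illustration, not from the slides. Constructed model: n firms each
choose an integer level of security effort; the protection they all enjoy
depends on total effort, but each firm pays only for its own effort and
captures only its own share of the benefit. The functional form and all
parameter values are assumptions.
"""
import math

N_FIRMS = 5
BENEFIT_PER_FIRM = 100.0   # value to one firm of fully effective protection
UNIT_COST = 4.0            # cost to a firm of one unit of its own effort
SCALE = 10.0               # effort at which protection reaches 1 - 1/e
MAX_EFFORT = 40            # search bound on any one firm's effort


def protection(total_effort):
    """Diminishing-returns protection level in [0, 1) from total effort."""
    return 1.0 - math.exp(-total_effort / SCALE)


def firm_payoff(own_effort, others_effort):
    """A firm's private payoff: its own benefit share minus its own cost.
    The other firms' benefit from this effort is an externality it ignores."""
    return BENEFIT_PER_FIRM * protection(own_effort + others_effort) - UNIT_COST * own_effort


def best_response(others_effort):
    """Effort that maximises a firm's private payoff given the others' total.
    Ties resolve to the lower effort."""
    return max(range(MAX_EFFORT + 1), key=lambda e: (firm_payoff(e, others_effort), -e))


def nash_by_best_response(max_rounds=100):
    """Iterate best responses from zero effort until no firm wants to move.
    The profile reached is a pure-strategy Nash equilibrium."""
    efforts = [0] * N_FIRMS
    for _ in range(max_rounds):
        changed = False
        for i in range(N_FIRMS):
            others = sum(efforts) - efforts[i]
            e = best_response(others)
            if e != efforts[i]:
                efforts[i] = e
                changed = True
        if not changed:
            return tuple(efforts)
    raise RuntimeError("best-response dynamics did not converge")


def social_optimum_total():
    """Total effort a planner who counts every firm's benefit would choose."""
    def welfare(total):
        return N_FIRMS * BENEFIT_PER_FIRM * protection(total) - UNIT_COST * total
    return max(range(N_FIRMS * MAX_EFFORT + 1), key=lambda t: (welfare(t), -t))


if __name__ == "__main__":
    nash = nash_by_best_response()
    print("stable private profile:", nash, "total effort =", sum(nash))
    print("social optimum total effort:", social_optimum_total())
```

With these parameters the dynamics settle at one firm supplying nine units of effort while the other four supply none and free-ride, for a total of 9 against a social optimum of 25: the investor cannot capture the four-fifths of the benefit that accrues to others, so it stops far short of where the planner would.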

Some Existing Legislation
• Critical Infrastructures Protection Act of 2001
• Homeland Security Act of 2002
• G/L/B 1999
• HIPAA
• Trade Secrecy
• National Security

Proposed Legislation: House
• H.R. 3674, Promoting and Enhancing Cybersecurity & Information Sharing Effectiveness Act (PRECISE Act) (sponsor: Dan Lungren, R-Ca; lost in ’12 to Ami Bera, D-Ca)
• H.R. 3523, Cyber Intelligence Sharing & Protection Act (CISPA) (sponsor: Mike Rogers, R-Mi) 11.30.11; passed House April 26, 2012 (248–168)
• H.R. 326, Stop Online Piracy Act (SOPA) (sponsor: Lamar Smith, R-Tx, 10.26.11)
• H.R. 4263, SECURE IT Act of 2012, 112th Congress, 2011–2012

Proposed Legislation: Senate
• S. 3414
• S. 3342
• S. 2105, Cybersecurity Act
  – sponsors: Lieberman, D-Cn & Collins, R-Ma
• S. 2151, Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 (SECURE IT) (sponsor: J. McCain, R-Az)
• S. 968, Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act (PROTECT IP Act or PIPA) (sponsor: P. Leahy, D-Vt, 5.12.11)

Presidential Exec. Order
• Are EOs Const.? Or Audacious Royal Decree?
  – Art. II, §1, cl. 1: Executive Pwr in Pres.
  – Art. II, §1, cl. 1: Pres. Duty – Faithful Execution
• Pres. Decision Directives = Exec. Orders
• Legal Equivalence to Statutes
  – Typically to enforce existing law … BUT …
  – Over 14,000, many pre-##; add PDDs > 300/Pres.
  – Many Pres. have Usurped Congress
    • Ike, Harry, FDR
  – How Might Congress Usurp Exec. Orders?

HSPD No. 7 (rev?)
• Finance, Energy & Cyber Infrastructures Cross-Cutting
• Business – Government “Partnerships”
• Sector-Specific “Lead Agencies”
• See: Bagby, John W., Evolving Institutional Structure and Public Policy Environment of Critical Infrastructures, 9 Speaker’s J. Pa. Policy 187-204 (Sp. 10)
• Strategies:
  – U.S. Govt. Architecture – Resilience
  – Information Exchange
  – Implement Integration & Analysis
• Also: R&D, DHS-lead “lead,” Nat’l Plan,

Presidential Exec. Order
• EO #13,587, 2010 Policy Document
• Presidential Policy Dir. No. 20 (PPD #20, 10.?.12, classified doc.)
  – Reportedly:
    • sets broad & strict cyber-security standards for federal agencies;
    • distinguishes network defense from cyber operations;
    • establishes vetting process;
    • updates “Ws” NSPD #54 (’08, classified);
    • violates domestic prohibition of military action
  – FOIA Request to NSA, E.P.I.C., 11.14.12 (seeking public release of PDD #20)
  – NSA Reply to E.P.I.C., FOIA Case No. 69164 (11.20.12) (denying FOIA request for PDD #20, citing classified document under Exec. Order #13526 & exempt under FOIA Exempt. #5 by NSS designation)

Regulatory Action: SEC
• Cybersecurity, SEC Disclosure Guidance, CF Topic #2 (10.13.11)
• What? Issuer Risks, Costs, Consequences
  – Cybersecurity Risks defined
    • “technologies, processes & practices designed to protect networks, systems, computers, programs & data from attack, damage or unauthorized access”
  – Remediation, CyberSecurity Protection Expense, Revenue Loss, Goodwill/Reputation, Litigation
• Disclose How? If Material then Where?
  – Risk Factors, MD&A, Bus. Description, Litigation (pre-incident risks, post-incidents)

Externalities of Proposed Solutions
• Information Sharing
  – Public Disclosure (e.g., SEC) Invites
    • Liability Litigation (SH, investor, customer/client)
    • Copycat Intrusion to Further Exploit Signaled Vulnerability
  – Incentivizes Industry Collusion
    • So What if Trade Assns Seek Antitrust Immunity?
• Mandatory Rules-Based/Design Standards
  – Impose High Compliance Costs
    • EX: encryption, bandwidth hog, degrades performance
  – Inappropriate for Some Industries
  – Dis-incentivizes Innovation, Locks-In Old Tech

Externalities of Proposed Solutions
• Laissez Faire – Rely on Market Discipline
• Standardization
  – Best Practice, Guidelines, Voluntary Consensus, Industry-Specific, NIST models, Regulatory Imposition
  – PCI: encryption, firewalls, IDs & p/w’s (rules-based stds)
• Direct by DHS or Sector-Specific Regulator
  – G/L/B: PII “Safeguards Rule” (principles-only stds)
  – HIPAA: PHI “Security Rule” (principles-based stds)
• Expand Direct Regulation thru DoD & IC
  – Long History of Successful Imperialism
    • Militias & Army on US Frontier, 17th – 19th Century
    • Colonialism: Various Navies protect trade routes

Externalities of Proposed Solutions
• Regulatory Liability ex post
  – Permits resolution thru deference to regulatory expertise (Chevron v. NRDC)
• Civil Liability ex post
  – Maximizes freedom ex ante until uncertain limit reached
  – C/L more efficient than market discipline or ex ante regulation (R. Posner)
• Sneaking in the Back Door: Rootkits, Trojans
  – Strange Bedfellows?!? – CyberNauts, Civil Libertarians

Cyber-Infrastructure Protection WaRoom
• WaRoom: concentration of information, hypotheses, testing assertions & debate to enable resolution
  – Can be physical &/or virtual
  – analyzed from centralized data hosting & data-mining of diverse open & proprietary information resources
• Enable decision-making thru ubiquity, lower transaction costs & ease of communication
• Crises make WaRooms useful
See: http://faculty.ist.psu.edu/bagby/CyberInfrastructureProtection/

WaRooms
• Some Prior Examples:
  – Enron
  – BP Macondo Well
  – Post-9.11 Electronic Surveillance
• Current
  – http://faculty.ist.psu.edu/bagby/CyberInfrastructureProtection/
  – http://jobsact.ist.psu.edu
  – http://SportsAntitrust.ist.psu.edu

Churchill’s Second World War Rooms

Modern War Room Origins
• Derived from actual war time hostilities
  – Originally Centralized Physical Location
  – Information Gathering
  – Expertise Applied for “Sense-Making”
  – Enables Strategic Planning
  – Expert Analysts’ Findings
  – Informs Decision-Makers
• Traditional Physical War Room Features
  – Walls project images, maps, data
  – Informs Analysis & Planning

Cold War Room

Modern Electronic War Room
• Invest in war room facilities, training & readiness
  – Justified for high stakes campaign
  – Concentration of information, hypotheses, testing assertions, debate, command & control decision-making
  – Transaction & communication costs reduced
• Public Policy Derivations
  – Adapted to litigation, pre-trial discovery, political campaigns & crisis management
  – Crisis a particularly useful organizing principle
• Document Repositories
  – Provide easy access to: robust literature, primary/secondary docs
  – Selective Availability to defined group(s)
    • Strategic choice: public accessibility

Virtual War Rooms
• Various Locations: Security, Defense & Cost
  – Dispersed Actors
  – Connected Electronically to Info Repositories
    • Public Internet connections vs. secure lines
    • Communications nerve center(s)
• eDiscovery “in the Cloud” – “What is the Cloud’s Street Address Again?”
  – That’s an “in rem” lawyer’s joke
• Closed systems preserve confidentiality
• Open systems trade off confidentiality
  – May Destroy Confidentiality & Privacy

CrowdSource Investigations
• Online Collaboration Lowers Costs/Barriers
  – Access many people, each performs subset of tasks
  – Crowd Source Scholars May Argue:
    • 1st: Central authority organizes, sets narrow task, vets before decision-making
    • Here, grassroots impetus is eventually focused
  – Independent Investigative Journalism
    • Cite to D. Tapscott; A.D. Williams; P. Bradshaw
    • Derived from social networks (SN) & wikis
  – Website encourages crowdsource content mgt
    • Ward Cunningham: “simplest online database”
• Design options:
  – Confidentiality; group expertise, size & dedication; raw data vs. deep analysis through Sense Making