Standardizing Cybersecurity Regulations Proves Difficult

After several high-profile cyberattacks, federal security officials hope to strengthen cybersecurity requirements to prevent further attacks. But establishing regulations that are both effective and timely isn’t easy.

(TNS) — The spate of recent ransomware attacks on federal contractors and operators of critical infrastructure, culminating in the attack on Colonial Pipeline in May, has built momentum for new federal laws and regulations to require disclosure of breaches as well as mandatory cybersecurity standards.

But writing such laws and regulations in a timely manner and ensuring they are finely tailored is likely to pose a challenge involving multiple federal agencies, Congress and the new national cyber director.

In the aftermath of several high-profile cyberattacks, “I do think you’re seeing some recognition that business as usual and the status quo just isn’t going to cut it,” said Frank Cilluffo, director of Auburn University’s Charles D. McCrary Institute for Cyber and Critical Infrastructure Security and a member of the congressional Cyberspace Solarium Commission.

“My hope is that we take a scalpel and not a sledgehammer” to such regulations and mandates, Cilluffo said.

The Solarium Commission, composed of lawmakers and cybersecurity experts from industry and academia, is pushing for a combination of “carrots and sticks or benefits and burdens” focused on getting certain key industries among the larger group of critical infrastructure sectors to adopt tighter security standards and reporting requirements, Cilluffo said.

The Washington Post last week reported that in a survey of cybersecurity experts, about 86 percent out of a total of 81 respondents said the federal government ought to require companies in critical infrastructure sectors to meet minimum cybersecurity standards.

The standards being considered include coming up with a federal breach notification law that would require companies in key sectors to report cyberattacks and breaches to federal authorities within a specified time frame. Basic cybersecurity hygiene practices such as two-factor authentication and routine penetration testing of computer networks are among other actions being contemplated.

The federal government would offer carrots too, perhaps benefits such as greater sharing of sensitive intelligence with private companies and some protection from liability for private companies disclosing attacks on their systems in exchange for companies adopting tougher, mandated standards, Cilluffo said.

Although the federal government lists 16 different sectors as critical infrastructure, the effort at drawing up cybersecurity standards would focus on those among the list that would most affect national security, economic well-being, emergency preparedness and public health, Cilluffo said.

Even focusing on a smaller subset of the U.S. industrial landscape that includes chemical factories, food processing plants, water and sewage facilities, and oil and gas pipelines would likely be an overwhelming challenge involving multiple congressional committees of jurisdiction, federal departments, regulatory bodies and industry associations.
The challenge of bringing together the various competing interests is likely to fall on Chris Inglis, nominated to become the first national cyber director. The Senate Homeland Security and Governmental Affairs Committee is expected to vote on his nomination Wednesday, and the whole chamber could take up the confirmation vote soon afterward.

Inglis’ job, often compared to that of a head coach, would be to ensure “that all of the players are moving toward the same goal with the same objectives and talking off of the same playbook,” Cilluffo said.

But not everyone is convinced the federal government is capable of crafting standards, and questions have been raised concerning whether the government should even engage in such an effort.

“I’m very skeptical of the federal government’s ability to regulate in the cyber arena for a variety of reasons,” said Jamil Jaffer, founder and executive director of the National Security Institute at George Mason University’s Antonin Scalia Law School.

“First, the federal government itself has significant cybersecurity challenges, so the idea that it has the key to solving the private sector’s cybersecurity challenges seems hard to believe,” said Jaffer, who served as a White House aide to former President George W. Bush.

Considering the pace at which cybersecurity threats evolve, by the time the federal government draws up standards across multiple sectors, those measures are likely to be outdated, Jaffer said.

That could leave companies more vulnerable because “if private sector actors are incentivized by the government to comply with dated regulations, it may actually open up vulnerabilities rather than close them,” Jaffer said.

Jaffer said the emerging understanding in Congress and among federal agencies that cyberattacks on private companies are the result of a market failure is wrong.

Instead, it’s a failure of information flow “because individual companies don’t have the information the government has about what nation-state attackers or criminal hacker gangs are doing,” and the government continues to be unaware of what’s transpiring on private networks, he said.

“The problem, thus, isn’t a market failure that requires regulation but an information gap that can be solved by dramatically better public-private collaboration,” Jaffer said.

While a federal breach notification law might create a single national standard, it might also be duplicative because there already are 50 state breach notification laws, and public companies also have to report cyberattacks to the Securities and Exchange Commission, Jaffer said.

Forcing adoption of security standards under threat of fines is likely to lead companies to do the minimum required and nothing more, leaving them vulnerable as threats change, he said.

In the place of mandates, the government should provide incentives to companies such as “strong regulatory protection, strong liability protection, including anonymity, to get good reporting,” Jaffer said. “What we really need to do is get the lawyers out of the room and let cyber operators collaborate with one another in real time.”

Cilluffo also sees many challenges in drawing up federal standards.

“Anyone who tells you it’s a simple and easy process … it just ain’t so,” Cilluffo said. “There are a lot of pieces that need to be moving in the same direction.”

(c)2021 CQ Roll Call. Distributed by Tribune Content Agency, LLC