Internet Explorer 11 is not supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Standardizing Cybersecurity Regulations Proves Difficult

After several high-profile cyber attacks, fed security officials hope to increase cybersecurity protocols to prevent further attacks. But establishing regulations that are effective and timely isn’t easy.

(TNS) — The spate of recent ransomware attacks on federal contractors and operators of critical infrastructure, culminating in the attack on Colonial Pipeline in May, has built momentum for new federal laws and regulations to require disclosure of breaches as well as mandatory cybersecurity standards.

But writing such laws and regulations in a timely manner and ensuring they are finely tailored is likely to pose a challenge involving multiple federal agencies, Congress and the new national cyber director.

In the aftermath of several high-profile cyberattacks, “I do think you’re seeing some recognition that business as usual and the status quo just isn’t going to cut it,” said Frank Cilluffo, director of Auburn University’s Charles D. McCrary Institute for Cyber and Critical Infrastructure Security and a member of the congressional Cyberspace Solarium Commission.

“My hope is that we take a scalpel and not a sledgehammer” to such regulations and mandates, Cilluffo said.

The Solarium Commission, composed of lawmakers and cybersecurity experts from industry and academia, is pushing for a combination of “carrots and sticks or benefits and burdens” focused on getting certain key industries among the larger group of critical infrastructure sectors to adopt tighter security standards and reporting requirements, Cilluffo said.

The Washington Post last week reported that in a survey of cybersecurity experts, about 86 percent out of a total of 81 respondents said the federal government ought to require companies in critical infrastructure sectors to meet minimum cybersecurity standards.

The standards being considered include coming up with a federal breach notification law that would require companies in key sectors to report cyberattacks and breaches to federal authorities within a specified time frame. Basic cybersecurity hygiene practices such as two-factor authentication and routine penetration testing of computer networks are among other actions being contemplated.

The federal government would offer carrots too, perhaps benefits such as greater sharing of sensitive intelligence with private companies and some protection from liability for private companies disclosing attacks on their systems in exchange for companies adopting tougher, mandated standards, Cilluffo said.

Although the federal government lists 16 different sectors as critical infrastructure, the effort at drawing up cybersecurity standards would focus on those among the list that would most affect national security, economic well-being, emergency preparedness and public health, Cilluffo said.

Even focusing on a smaller subset of the U.S. industrial landscape that includes chemical factories, food processing plants, water and sewage facilities, and oil and gas pipelines would likely be an overwhelming challenge involving multiple congressional committees of jurisdiction, federal departments, regulatory bodies and industry associations.
More on Cybersecurity:
The Missouri governor has issued legal threats against the St. Louis Post-Dispatch after the paper found a state data risk that left 100,000 social security numbers vulnerable, despite the paper not being responsible.
19 state workers participated in a scheme to fraudulently collect unemployment benefit payments while still holding full-time jobs. Only one was fired, eight were briefly suspended and none were prosecuted.
Many small businesses rely on social media to develop their community of customers and a five-hour outage across Facebook’s sites can be detrimental. It is unclear what caused the global outage on Monday.
The challenge of bringing together the various competing interests is likely to fall on Chris Inglis, nominated to become the first national cyber director. The Senate Homeland Security and Governmental Affairs Committee is expected to vote on his nomination Wednesday, and the whole chamber could take up the confirmation vote soon afterward.

Inglis’ job, often compared to that of a head coach, would be to ensure “that all of the players are moving toward the same goal with the same objectives and talking off of the same playbook,” Cilluffo said.

But not everyone is convinced the federal government is capable of crafting standards, and questions have been raised concerning whether the government should even engage in such an effort.

“I’m very skeptical of the federal government’s ability to regulate in the cyber arena for a variety of reasons,” said Jamil Jaffer, founder and executive director of the National Security Institute at George Mason University’s Antonin Scalia Law School.

“First, the federal government itself has significant cybersecurity challenges, so the idea that it has the key to solving the private sector’s cybersecurity challenges seems hard to believe,” said Jaffer, who served as a White House aide to former President George W. Bush.

Considering the pace at which cybersecurity threats evolve, by the time the federal government draws up standards across multiple sectors, those measures are likely to be outdated, Jaffer said.

That could leave companies more vulnerable because “if private sector actors are incentivized by the government to comply with dated regulations, it may actually open up vulnerabilities rather than close them,” Jaffer said.

Jaffer said the emerging understanding in Congress and among federal agencies that cyberattacks on private companies are the result of a market failure is wrong.

Instead, it’s a failure of information flow “because individual companies don’t have the information the government has about what nation-state attackers or criminal hacker gangs are doing,” and the government continues to be unaware of what’s transpiring on private networks, he said.

“The problem, thus, isn’t a market failure that requires regulation but an information gap that can be solved by dramatically better public-private collaboration,” Jaffer said.

While a federal breach notification law might create a single national standard, it might also be duplicative because there already are 50 state breach notification laws, and public companies also have to report cyberattacks to the Securities and Exchange Commission, Jaffer said.

Forcing adoption of security standards under threat of fines is likely to lead companies to do the minimum required and nothing more, leaving them vulnerable as threats change, he said.

In the place of mandates, the government should provide incentives to companies such as “strong regulatory protection, strong liability protection, including anonymity, to get good reporting,” Jaffer said. “What we really need to do is get the lawyers out of the room and let cyber operators collaborate with one another in real time.”

Cilluffo also sees many challenges in drawing up federal standards.

“Anyone who tells you it’s a simple and easy process … it just ain’t so,” Cilluffo said. “There are a lot of pieces that need to be moving in the same direction.”

(c)2021 CQ Roll Call. Distributed by Tribune Content Agency, LLC
Special Projects
Sponsored Stories
In recent years, local governments have been forced to adapt to a wildly changing world, especially as it pertains to sending bills and collecting payments.
Workplace safety is in the spotlight as government leaders adapt to a prolonged pandemic.
While government employees, students and the general public had to wait in line for hours in the beginning of the pandemic, at-home test kits make it easy to diagnose for the novel coronavirus in less than 30 minutes.
Governments around the nation are working to design the best vaccine policies that keep both their employees and their residents safe. Although the latest data shows a variety of polarizing perspectives, there are clear emerging best practices that leading governments are following to put trust first: creating policies that are flexible and provide a range of options, and being in tune with the needs and sentiments of their employees so that they are able to be dynamic and accommodate the rapidly changing situation.
Service delivery and the individual experience within health and human services (HHS) is often very siloed and fragmented.
In this episode, Marianne Steger explains why health care for Pre-Medicare retirees and active employees just got easier.
Government organizations around the world are experiencing the consequences of plagiarism firsthand. A simple mistake can lead to loss of reputation, loss of trust and even lawsuits. It’s important to avoid plagiarism at all costs, and government organizations are held to a particularly high standard. Fortunately, technological solutions such as iThenticate allow government organizations to avoid instances of text plagiarism in an efficient manner.
Creating meaningful citizen experiences in a post-COVID world requires embracing digital initiatives like secure and ethical data sharing, artificial intelligence and more.
GHD identified four themes critical for municipalities to address to reach net-zero by 2050. Will you be ready?