Smart Cyber Mandates

September 1, 2015 | Cybersecurity Readiness

In August, the US government suffered two serious setbacks in its effort to strengthen the nation's cybersecurity. In Congress, the Senate failed to bring the Cybersecurity Information Sharing Act (CISA) to a vote, with the bill's proponents deadlocked against privacy advocates over amendments. In the executive branch, the Department of Commerce's Bureau of Industry and Security (BIS) pulled back a controversial proposal for new export controls on information security technology after intense opposition from a broad range of technology firms.

A string of high-profile and embarrassing data breaches across the US government and the private sector over the past year has pressured lawmakers and the Obama administration to adopt new mandates to strengthen US cybersecurity. The difficulties the government has encountered in promulgating these two measures may indicate policies flawed by a rush to action.

Both CISA and the BIS export regulations were originally devised to strengthen federal authorities' ability to combat cyber threats. CISA aimed to give private sector firms incentives to share cyber threat indicators (evidence of malicious computer activity) with federal agencies such as the Department of Homeland Security (DHS) in real time. The BIS export controls were a domestic implementation of the amendments made in 2013 to the multilateral Wassenaar Arrangement on dual-use technologies, which added "intrusion software" and related technology to the control lists. They sought to restrict the sale of surveillance software to repressive regimes and to keep the tools used to develop zero-day exploits out of the hands of hackers.

In forging both mandates, policymakers may have applied too broad a brush, crafting regulations that, if ever enacted, would do little to accomplish their goals.

CISA would boost intelligence sharing between the public and private sectors, but in a poor way. First, CISA declares that threat data, once received by DHS, "are not subject to any delay, modification, or any other action that could impede real-time receipt by all of the appropriate Federal entities."[1] DHS would therefore be barred from anonymizing or analyzing cyber threat data before passing it on to the other designated agencies, such as the Department of Defense. At the same time, the broad legal liability protections CISA would confer on participating firms would remove technology companies' incentive to strip out personal data before sharing. It is therefore highly likely that the data technology firms provided would be laced with the personal information of their customers.
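To make concrete what "stripping out personal data" from a shared threat indicator involves, here is a small added illustration (not code from the original article, and not any DHS or CISA mechanism). It assumes a hypothetical JSON-style indicator record with invented field names, and a constructed sample report. The approach is an allowlist: only known indicator fields (IP, domain, file hash, timestamps) pass through unchanged, free-text fields are scrubbed of email addresses, phone numbers and any literal values taken from the dropped personal fields, and everything else is dropped. An outbound gate then refuses to forward a record that still looks like it carries personal data.

```python
import re
from typing import Any, Dict

# Hypothetical field names (assumption for this example, not a real schema).
# Only these machine-readable indicator fields are forwarded unchanged.
# An allowlist means a new field added upstream cannot leak by default.
INDICATOR_FIELDS = frozenset({
    "indicator_type", "observed_at", "sender_ip", "sender_domain",
    "attachment_sha256", "malware_family",
})

# Free-text fields are kept but scrubbed: analysts paste names, addresses
# and ticket details into them.
FREE_TEXT_FIELDS = frozenset({"notes"})

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# North American style numbers; lookarounds stop partial matches inside
# longer digit runs such as hashes or timestamps.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"
)

# Constructed sample report (invented data; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real hosts).
SAMPLE_REPORT: Dict[str, Any] = {
    "indicator_type": "phishing-campaign",
    "observed_at": "2015-08-14T09:12:00Z",
    "sender_ip": "203.0.113.45",
    "sender_domain": "mail.example.net",
    "attachment_sha256":
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "victim_email": "jane.doe@example.com",
    "victim_name": "Jane Doe",
    "notes": "Jane Doe (jane.doe@example.com) clicked the link from "
             "198.51.100.7 and called (202) 555-0142; ticket 4471",
}


def scrub_text(text: str, known_literals) -> str:
    """Replace pattern-matched PII, then any literal values that were
    dropped from the record (names cannot be caught by a regex, but we
    know them because the victim_name field told us)."""
    text = EMAIL_RE.sub("[email]", text)
    text = PHONE_RE.sub("[phone]", text)
    for literal in known_literals:
        if len(literal) >= 3:          # avoid mangling the text on tiny strings
            text = text.replace(literal, "[redacted]")
    return text


def minimize_indicator(report: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the report containing only shareable indicator data."""
    # First pass: collect string values of every field that will be dropped,
    # so they can also be redacted out of the free-text fields.
    dropped_literals = [
        v for k, v in report.items()
        if k not in INDICATOR_FIELDS and k not in FREE_TEXT_FIELDS
        and isinstance(v, str)
    ]
    out: Dict[str, Any] = {}
    for key, value in report.items():
        if key in INDICATOR_FIELDS:
            out[key] = value
        elif key in FREE_TEXT_FIELDS and isinstance(value, str):
            out[key] = scrub_text(value, dropped_literals)
        # victim_email, victim_name and any unknown field are dropped here.
    return out


def contains_pii(record: Dict[str, Any]) -> bool:
    """Outbound gate: True if any string value still matches an email or
    phone pattern. Run this before forwarding, and refuse to send on True."""
    return any(
        isinstance(v, str) and (EMAIL_RE.search(v) or PHONE_RE.search(v))
        for v in record.values()
    )


if __name__ == "__main__":
    minimized = minimize_indicator(SAMPLE_REPORT)
    print("raw report contains PII:", contains_pii(SAMPLE_REPORT))
    print("minimized contains PII: ", contains_pii(minimized))
    for k, v in minimized.items():
        print(f"  {k}: {v}")
```

The point of the allowlist and the outbound gate is that minimization is cheap and mechanical when it happens at a single choke point before redistribution, which is exactly the step the bill's "no delay, no modification" language would forbid DHS from performing. Note that the internal IP address left in the notes (198.51.100.7) may itself identify an individual under some privacy rules; a stricter policy would drop free-text fields entirely rather than scrub them.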

A second problem is that it is unclear which parts of the federal government could even meaningfully digest this new flood of data for the stated goal of proactive defense. DHS itself has raised this concern, stating that sharing data with multiple agencies at once, rather than first processing it and then selectively redistributing it through a single entity, would "markedly increase" the complexity and inefficiency of the program for both government and business. Given the inclusion of personal information, other departments would likely receive large amounts of information of "dubious value," complicating DHS's mission of building a single, comprehensive picture of the range of cyber threats and undermining its ability to help private and public organizations prepare for cyber attacks.

The BIS export controls presented a similarly suboptimal solution to current cybersecurity problems. Their intended targets were repressive regimes and black hat hackers; however, as written, the controls would have harmed private sector technology firms as well. The Wassenaar-derived controls restrict in equal measure the tools hackers use to develop zero-day exploits for sale and those professional programmers and white hat hackers use to discover security vulnerabilities and prove them exploitable. They would also require multinational technology firms to apply for costly and time-consuming licenses merely to share vulnerability information among their own employees in different countries. Firms like Google and Microsoft stated that such regulations would have forced them to request tens of thousands of licenses a year. It is highly doubtful that firms like these could continue to provide timely, quality security protection to their customers under such a regime. It is even more doubtful that the Commerce Department would have the operational capacity to review and process the thousands of around-the-clock requests America's global technology companies would generate every day.

Perhaps the biggest flaw in these mandates, and in many of the US government's other efforts to boost cybersecurity, is their neglect of the human element of preparedness. Neither addresses the threat to private firms from within, whether uninformed or careless workers or disgruntled employees. This is despite the fact that, by one widely cited industry estimate, 95 percent of all cybersecurity incidents involve human error. Boosting the amount of threat intelligence shared by federal agencies and complicating the acquisition of certain technologies by nefarious actors would not be nearly as effective in strengthening national cybersecurity as mandating security awareness training in private firms, beginning with those operating the critical infrastructure of the United States.


[1] CISA defines "appropriate Federal entities" as the following seven organizations: the Departments of Commerce, Defense, Energy, Homeland Security, Justice, and the Treasury, and the Office of the Director of National Intelligence.