Cyber-Security Policy Morass (FISC 2013)

Assessing the Public Policy Morass Surrounding Cyber-Security Protection

Prof. John W. Bagby
College of Info.Sci. & Tech.
Pennsylvania State University

Really?!? A Morass

• That Which Entraps, Hinders, Overwhelms or Impedes Progress
  – also: disordered or muddled situation or circumstance; a low-lying soggy swampland
  – Assumes Cyber-Security Progress has Stalled
  – Offers Public Policy Assessment to Assist Resolution Among Entrenched Interests
• Really any different than other current public policy situations? Like what?!?

Evidence of Vulnerabilities

• Vulnerability Invited Damage
  – Iranian Denial of Service on US Consumer Financial Services Sept.'12
  – Shamoon virus Saudi Oil Ja.'12
  – TJX Hack in '07 - 45 million customer PII
• Vulnerabilities Successfully Defended!
  – Empirical Counts of Probes or Thwarted Attacks
    • CERT Data Show Scope, Source, Failure, Resolution
  – DoD under constant attack

Sensitivities: Private-Sector vs. National Security

• Cyber-Security Conundrum Defies Resolution
  – Vulnerability Demands Remediation
  – Public Policy Consensus Unlikely
  – Probability/Magnitude Calculus from Basic v. Levinson '88
• Traditional Private Sector Risk Analysis – Prof. T.
  – Actuarial-Based
  – Standard: ROI Dominates over Costs of Failure
• Traditional National Security Risk Analysis – Col. J.
  – Black Swans Drive Much Security Investment
  – Standard: Costs of Failure Dominate over ROI

What Role is there for Traditional Insurance Underwriting?

• WSJ last week:
  – Danny Yadron, Lobbying Over Cyber Attacks vs.
    • CyberSecurity more like Intell & counterespionage
  – Bernard R. Horovitz, Blunting the Cyber Threat to Business, Wall St. J., A15 (1.10.13)
• Coverage Unlikely under Existing Policies
  – Audit using current de facto standards (principles)
  – Ins. Market is coming
• Perhaps Instructive: 90s Intelligent Transport
  – Demo '97 San Diego: Lloyds-style came JIT
  – Finally 16 yrs later: Google's Driverless Car
• Will it Hasten FaceBook in YOUR Dashboard?!?

CyberSecurity: Omnibus vs. Sectoral

• Omnibus: Security Measures Apply Broadly
  – Permits Standardization
    • Vulnerabilities Broadly Reduced
  – Socializes Compliance Costs
    • The "Cyber-Security Tax?"
• Sectoral: Security Measures Apply Narrowly
  – Permits Customization to Industry Risks
    • Experimentation breeds experience useful elsewhere
    • EXs: PCI; Financial Services; NIST-Fed. Agencies; HIPAA; DoD
  – Isolates Social Costs as Appropriate
    • Most vulnerable Infrastructures 1st: Financial, Grid, Nat'l Defense
  – Slows Multi-Sectoral Deployment
    • Some Vulnerabilities Persist: Cyber is Broadly Cross-Cutting

Industrial Organization Analysis

• Theory of the firm:
  – boundaries/behaviors between firms & markets
  – structure of entities, competitive environment, transactions costs, barriers to entry, information asymmetries
  – role of government policies that intervene to correct market imperfections & incentivize behaviors consistent with policy
    • structure, conduct, performance models
• Proposals Will Alter Traditional I/O

Security Law & Economics

• Private Sector Owns/Operates/Maintains 85% of Critical Infrastructure
• NPV: Direct & Immediate Costs - Uncertain Remote Benefits
  – Incentives Appear Insufficient to Anticipate/Inhibit Black Swans
  – Chronic Underestimation of Reputational Degradation
• Free rider: Weakest Link
  – Industry-Wide Irrationalization
  – First-Mover Disadvantage
  – Revelations Signal Vulnerability

Security Law & Economics

• Coordination problem
  – Incentives limited to provide positive externalities, societal benefits
  – Fragmented IT Assets Defy Coordination & Efficient Control
    • Locations, control, monitoring, portability, cloud transient, duties
• Should Cyber-Security be a Public Good?
  – Currently Under-Produced because …
    • Non-Rival – marginal costs low as others benefit
    • Non-Excludable – positive externalities invite free riders; investor cannot capture all benefits
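The free-rider and weakest-link points on the two Security Law & Economics slides can be made concrete with a small model. The following Python is an added example, not material from the talk or from Prof. Bagby: it assumes a constructed protection curve p(effort) = exp(-effort), a per-unit investment cost, and three constructed firms with different losses from a breach, and it follows the total-effort and weakest-link cases familiar from the economics-of-security literature (Varian's system-reliability framing). Under both, the Nash equilibrium invests less than a social planner would, and in the total-effort case every firm but one free-rides.

```python
"""Toy model of why cyber-security is under-produced as a public good.

Constructed illustration (assumptions, not a model from the slides):
several firms share one infrastructure whose breach probability falls
with the security effort put into it.  Firm i pays c per unit of effort
and loses losses[i] if a breach happens.  Two effort technologies are
modelled: "total effort" (protection depends on the sum of everyone's
investment) and "weakest link" (protection depends on the least-protected
firm).  In both, the Nash equilibrium invests less than the social optimum.
"""
import math
from typing import List


def breach_probability(effort: float) -> float:
    """Assumed protection curve: p(effort) = exp(-effort)."""
    return math.exp(-effort)


def firm_expected_cost(x_i: float, others: float, loss_i: float, c: float) -> float:
    """Private expected cost of firm i in the total-effort game."""
    return c * x_i + loss_i * breach_probability(x_i + others)


def social_expected_cost(total_effort: float, losses: List[float], c: float) -> float:
    """Sum of all firms' expected costs for a given total effort."""
    return c * total_effort + sum(losses) * breach_probability(total_effort)


def total_effort_nash(losses: List[float], c: float) -> List[float]:
    """Nash equilibrium allocation of the total-effort game.

    Firm i's first-order condition is c = loss_i * p(X), so it wants
    X = ln(loss_i / c).  The firm with the largest loss wants the most
    protection; in equilibrium it funds everything and the others
    free-ride at zero (non-excludable: they benefit without paying).
    """
    i_max = max(range(len(losses)), key=lambda i: losses[i])
    x_max = max(0.0, math.log(losses[i_max] / c))
    return [x_max if i == i_max else 0.0 for i in range(len(losses))]


def total_effort_social_optimum(losses: List[float], c: float) -> float:
    """Planner's total effort: c = (sum of losses) * p(X)."""
    return max(0.0, math.log(sum(losses) / c))


def is_nash_equilibrium(investments: List[float], losses: List[float], c: float,
                        step: float = 0.01) -> bool:
    """Check that no firm gains by unilaterally nudging its own effort."""
    total = sum(investments)
    for i, x in enumerate(investments):
        others = total - x
        base = firm_expected_cost(x, others, losses[i], c)
        for alt in (x - step, x + step):
            if alt >= 0.0 and firm_expected_cost(alt, others, losses[i], c) < base - 1e-9:
                return False
    return True


def weakest_link_nash(losses: List[float], c: float) -> float:
    """Best Nash level of the weakest-link game (all firms invest equally).

    Protection is p(min x_i), so any firm above the minimum wastes money.
    The firm with the smallest loss is willing to go only up to
    ln(loss_min / c); everyone else is capped by it.
    """
    return max(0.0, math.log(min(losses) / c))


def weakest_link_social_optimum(losses: List[float], c: float) -> float:
    """Planner's common level: n*c = (sum of losses) * p(x)."""
    n = len(losses)
    return max(0.0, math.log(sum(losses) / (n * c)))


def underinvestment_report(losses: List[float], c: float) -> dict:
    """Gap between private and socially optimal effort under both models."""
    nash_alloc = total_effort_nash(losses, c)
    return {
        "total_effort_nash": sum(nash_alloc),
        "total_effort_social": total_effort_social_optimum(losses, c),
        "weakest_link_nash": weakest_link_nash(losses, c),
        "weakest_link_social": weakest_link_social_optimum(losses, c),
        "free_riders": sum(1 for x in nash_alloc if x == 0.0),
    }


if __name__ == "__main__":
    # Constructed sample: three firms with different exposure to a breach.
    LOSSES = [100.0, 50.0, 30.0]
    UNIT_COST = 1.0
    for key, value in underinvestment_report(LOSSES, UNIT_COST).items():
        print(f"{key:>22}: {value:.3f}")
```

With the constructed sample the social planner wants total effort ln(180) but the market delivers only ln(100), funded entirely by the most exposed firm while the other two free-ride; under weakest link the least exposed firm caps everyone at ln(30) against a planner's ln(60). The gap is the under-production the slide attributes to non-excludability.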

Some Existing Legislation

• Critical Infrastructures Protection Act of 2001
• Homeland Security Act of 2002
• G/L/B 1999
• HIPAA
• Trade Secrecy
• National Security

Proposed Legislation: House

• H.R.3674, Promoting and Enhancing Cybersecurity & Information Sharing Effectiveness Act (PRECISE Act) (sponsor: Dan Lungren R-Ca; lost in '12 to Ami Bera D-Ca)
• H.R.3523, Cyber Intelligence Sharing & Protection Act (CISPA) (sponsor: Mike Rogers, R-Mi) 11.30.11; passed House April 26, 2012 (248–168)
• H.R.326, Stop Online Piracy Act (SOPA) (sponsor: Lamar Smith, R-Tx, 10.26.11)
• H.R. 4263, SECURE IT Act of 2012, 112th Congress, 2011–2012

Proposed Legislation: Senate

• S.3414
• S.3342
• S.2105, Cybersecurity Act
  – sponsors: Lieberman D-Cn & Collins R-Ma
• S.2151, Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 (SECURE IT) (sponsor: J. McCain R-Az)
• S.968, Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act (PROTECT IP Act or PIPA) (sponsor: P. Leahy D-Vt, 5.12.11)

Presidential Exec. Order

• Are EOs Const.? Or Audacious Royal Decree?
  – Art.II, §1, cl.1: Executive Pwr in Pres
  – Art.II, §1, cl.1: Pres. Duty - Faithful Execution
• Pres. Decision Directives = Exec. Orders
• Legal Equivalence to Statutes
  – Typically to enforce existing law … BUT …
  – Over 14,000, many pre-##; add PDDs > 300/Pres
  – Many Pres have Usurped Congress
    • Ike, Harry, FDR
  – How Might Congress Usurp Exec. Orders?

HSPD No. 7 (rev?)

• Finance, Energy & Cyber Infrastructures Cross-Cutting
• Business – Government "Partnerships"
• Sector-Specific "Lead Agencies"
• See: Bagby, John W., Evolving Institutional Structure and Public Policy Environment of Critical Infrastructures, 9 Speaker's J. Pa. Policy 187-204 (Sp.10)
• Strategies:
  – U.S. Govt. Architecture - Resilience
  – Information Exchange
  – Implement Integration & Analysis
• Also: R&D, DHS-lead "lead," Nat'l Plan

Presidential Exec. Order

• EO# 13,587 2010 Policy Document
• Presidential Policy Dir. No.20 (PPD#20, 10.?.12 - classified doc.)
  – Reportedly:
    • sets broad & strict cyber-security standards for federal agencies;
    • distinguishes network defense from cyber operations;
    • establishes vetting process;
    • updates "W's" NSPD#54 ('08 - classified);
    • violates domestic prohibition of military action
  – FOIA Request to NSA, E.P.I.C. 11.14.12 (seeking public release of PPD#20)
  – NSA Reply to E.P.I.C., FOIA Case No.69164 (11.20.12) (denying FOIA request for PPD#20, citing classified document under Exec. Order #13526 & exempt under FOIA Exempt. #5 by NSS designation)

Regulatory Action: SEC

• Cybersecurity, SEC Disclosure Guidance, CF Topic #2 (10.13.11)
• What? Issuer Risks, Costs, Consequences
  – Cybersecurity Risks defined
    • "technologies, processes & practices designed to protect networks, systems, computers, programs & data from attack, damage or unauthorized access"
  – Remediation, CyberSecurity Protection Expense, Revenue Loss, Goodwill/Reputation, Litigation
• Disclose How? If Material then Where?
  – Risk Factors, MD&A, Bus. Description, Litigation (pre-incident risks, post-incidents)

Externalities of Proposed Solutions

• Information Sharing
  – Public Disclosure (e.g., SEC) Invites
    • Liability Litigation (SH, investor, customer/client)
    • Copycat Intrusion to Further Exploit Signaled Vulnerability
  – Incentivizes Industry Collusion
    • So What if Trade Assns Seek Antitrust Immunity?
• Mandatory Rules-Based/Design Standards
  – Impose High Compliance Costs
    • EX: encryption, bandwidth hog, degrades performance
  – Inappropriate for Some Industries
  – Dis-incentivizes Innovation, Locks-In Old Tech

Externalities of Proposed Solutions

• Laissez Faire - Rely on Market Discipline
• Standardization
  – Best Practice, Guidelines, Voluntary Consensus, Industry-Specific, NIST models, Regulatory Imposition
  – PCI: encryption, firewalls, IDs & p/w's (rules-based stds)
• Direct by DHS or Sector-Specific Regulator
  – G/L/B: PII "Safeguards Rule" (principles-only stds)
  – HIPAA: PHI "Security Rule" (principles-based stds)
• Expand Direct Regulation thru DoD & IC
  – Long History of Successful Imperialism
    • Militias & Army on US' Frontier 17th – 19th Century
    • Colonialism: Various Navies protect trade routes

Externalities of Proposed Solutions

• Regulatory Liability ex post
  – Permits resolution thru deference to regulatory expertise (Chevron v. NRDC)
• Civil Liability ex post
  – Maximizes freedom ex ante until uncertain limit reached
  – C/L more efficient than market discipline or ex ante regulation (R. Posner)
• Sneaking in the Back Door: Rootkits, Trojans
  – Strange Bedfellows?!? - CyberNauts, Civil Libertarians

Cyber-Infrastructure Protection WaRoom

• WaRoom: concentration of information, hypotheses, testing assertions & debate to enable resolution
  – Can be physical &/or virtual
  – Analyzed from centralized data hosting & data-mining of diverse open & proprietary information resources
• Enable decision-making thru ubiquity, lower transaction costs & ease of communication
• Crises make WaRooms useful

See: http://faculty.ist.psu.edu/bagby/CyberInfrastructureProtection/

WaRooms

• Some Prior Examples:
  – Enron
  – BP Macondo Well
  – Post-9.11 Electronic Surveillance
• Current
  – http://faculty.ist.psu.edu/bagby/CyberInfrastructureProtection/
  – http://jobsact.ist.psu.edu
  – http://SportsAntitrust.ist.psu.edu

Churchill’s Second World War Rooms

Modern War Room Origins

• Derived from actual war time hostilities
  – Originally Centralized Physical Location
  – Information Gathering
  – Expertise Applied for "Sense-Making"
  – Enables Strategic Planning
  – Expert Analysts' Findings
  – Informs Decision-Makers
• Traditional Physical War Room Features
  – Walls project images, maps, data
  – Informs Analysis & Planning

Cold War Room

Modern Electronic War Room

• Invest in war room facilities, training & readiness
  – Justified for high stakes campaign
  – Concentration of information, hypotheses, testing assertions, debate, command & control decision-making
  – Transaction & communication costs reduced
• Public Policy Derivations
  – Adapted to litigation, pre-trial discovery, political campaigns & crisis management
  – Crisis particularly useful organizing principle
• Document Repositories
  – Provide easy access to: robust literature, primary/secondary docs
  – Selective Availability to defined group(s)
    • Strategic choice: public accessibility

Virtual War Rooms

• Various Locations: Security Defense & Cost
  – Dispersed Actors - Connected Electronically to Info Repositories
    • Public Internet connections vs. secure lines
    • Communications nerve center(s)
• eDiscovery "in the Cloud" - "What is the Cloud's Street Address Again?"
  – That's an "in rem" lawyer's joke
• Closed systems preserve confidentiality
• Open systems trade off confidentiality
  – May Destroy Confidentiality & Privacy

CrowdSource Investigations

• Online Collaboration Lowers Costs/Barriers
  – Access many people, each performs subset of tasks
  – Crowd Source Scholars May Argue:
    • 1st: Central authority organizes, sets narrow task, vets before decision-making
    • Here, grassroots impetus is eventually focused
  – Independent Investigative Journalism
    • Cite to D. Tapscott; A.D. Williams; P. Bradshaw
• Derived from social networks (SN) & wikis
  – Website encourages crowdsource content mgt
    • Ward Cunningham: "simplest online database"
• Design options:
  – Confidentiality; group expertise, size & dedication; raw data vs. deep analysis through Sense Making