Regulatory Forecast for Cyber Security
United States government, corporations, infrastructure, and media outlets are constantly under attack by cyber adversaries. Federal lawmakers are concerned about how private business handles data and intelligence around these attacks. Of highest concern are intelligence and data about attacks on banking or critical infrastructure; the breaches of which could wreak havoc across the nation. For example, consider how an attacker who compromises a nuclear power plant’s systems could, at best, shut down power to a portion of the country or, at worst, blow up the plant, causing a disaster.
The government and private sectors each have unique data and intelligence about critical attacks. Having those groups cooperate to gain mutual benefit against advanced cyber attacks is an intriguing topic. However, it seems that government intervention via regulation would be necessary to make such cooperation occur. In February 2013, President Obama took the first step by issuing a new cyber security executive order, Executive Order 136361, “Improving Critical Infrastructure Cybersecurity.” The executive order:2
- Expanded information sharing and collaboration between the government and private sector, including classified information;
- Required the development of a voluntary framework of cyber security standards and best practices;
- Established a consultative process for improving critical-infrastructure cybersecurity;
- Identified critical infrastructure with an especially high priority for protection, using the consultative process;
- Established a program offering incentives for voluntary adoption of the framework by critical-infrastructure owners and operators;
- Reviewed cybersecurity regulatory requirements to determine whether they are sufficient and appropriate; and
- Incorporated privacy and civil liberties protections in activities referenced under the order.
The executive order was initially received with optimism, and many were impressed about how privacy concerns were directly addressed in the text of the order.3 However, recent critics cite that little has been accomplished in the last year: just basic standards and minimal incentive for cooperation between the government and private sector.4 The order’s timing was also unfortunate, as cyber security issues exploded across the press in the past year. The Target Data Breach, Edward Snowden, and two University of Maryland attacks are just a few of the major cyber security events that have plagued and embarrassed the nation.
The order has a good core of ideas, especially those about privacy and cooperative information sharing, but also misses some key advances in cyber security, like social media threats, which are easy to launch, difficult to detect, and quick to cause devastation. Consider the April 2013 Syrian Electronic Army attack on the Associated Press, where hackers compromised the AP’s corporate Twitter account and tweeted about two explosions at the White House, which allegedly injured President Obama5. This caused the S&P 500 index to plummet 145 points (~1%) within a 2-minute span6. It is not hard to imagine what effect similar attacks could have on a larger scale in financial markets around the globe.
As part of the consultative process within Executive Order 13636, regulators should be encouraged to consult with leaders from companies developing new and emerging cyber security technologies to ensure our nation can combat emerging cyber attacks. Specifically, regulators should connect with organizations that focus on applying data and analytics in new ways to create predictive, proactive, and preventative solutions.
The ideas and technologies those organizations are developing, in conjunction with the data and intelligence sharing initiatives cited in Executive Order 13636, would provide an edge to both the government and private sector alike. Collaboration through initiatives like those mentioned in Executive Order 13636 will ensure that both the private sector and the government work together to protect the nation’s critical infrastructure and financial markets against a variety of currently invisible attacks.
The future of cyber security regulation must center the consultative process around both sharing information and leveraging emerging technologies to understand America’s adversaries, predict their attacks, and shut them down before damage occurs.
- http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity ↩︎
- http://www.fas.org/sgp/crs/misc/R42984.pdf ↩︎
- http://www.forbes.com/sites/andygreenberg/2013/02/12/president-obamas-cybersecurity-executive-order-scores-much-better-than-cispa-on-privacy/ ↩︎
- http://www.politico.com/story/2014/02/cybersecurity-in-slow-lane-one-year-after-obama-order-103307.html ↩︎
- http://www.telegraph.co.uk/news/worldnews/middleeast/syria/10014982/Who-is-the-Syrian-Electronic-Army.html ↩︎
- http://www.telegraph.co.uk/finance/markets/10013768/Bogus-AP-tweet-about-explosion-at-the-White-House-wipes-billions-off-US-markets.html ↩︎
Tags: Cybersecurity, Government