Regulators Can Help Obama Secure ITMelissa Hathaway on Advancing Cybersecurity Without New Laws
Two years into this administration, there are fewer options available to drive progress. The president's fiscal year 2011 budget, under review by Congress, maintains the status quo for funding cybersecurity programs. Further, the president's staff continues to struggle with the complex policy formulation regarding cybersecurity and has been slow to make progress on the nearly two dozen recommendations set forth in the administration's Cyberspace Policy Review.
Even if policy changes were imminent, little would change without a funding priority underpinning the initiatives. In the absence of a push to prioritize funding, the administration needs a new approach to mitigate our nation's vulnerability to cyberattacks. As a result of the midterm elections, the balance of power in Congress will change in January, making progress on administration policy priorities even more challenging. Nonetheless, the president does have levers of power available to him that he could use to raise awareness of what is at stake, enabling him to set the nation on a better path toward keeping our economy and citizens secure. These levers do not require congressional approval; rather, they require political resolve and determination to make dramatic changes in our risk posture during the remainder of the president's term.
This proposal asks the president to turn to three independent regulatory agencies for help. This three-pronged strategy could dramatically increase awareness of what is happening to our core infrastructure, drive an innovation agenda to strengthen our information-security posture and increase productivity, as it would reduce the losses being sustained on a daily basis by our companies and citizens.
Turning to the SEC
First, the president should consider asking the Securities and Exchange Commission to evaluate the importance of requiring chief executive officers to attest to the integrity of their companies' information infrastructure. The SEC could open a dialogue with industry through an administrative notice, informing companies that the SEC would consider a rule regarding the thresholds of materiality risk in the area of information security. This would put registrants on notice that the SEC is likely to require more information from company management to verify the existence of proper safeguards. More specifically, the SEC would request that registrants show an ability to protect proprietary and confidential personal data, demonstrate the existence of appropriate safeguards for mission-critical systems and explain their ability to quickly and effectively respond to a cybersecurity incident.
Such an announcement would recognize that companies continue to face significant challenges when it comes to their ability to appropriately protect their computer systems; to secure their proprietary, customer and financial information; and to safeguard the integrity of business and other transactions they conduct over the Internet. Reports released daily reveal that significant industry losses result from poor information-security policies and porous infrastructures. This is an area that needs greater transparency. In fact, a recent Ponemon Institute report disclosed that on "an annualized basis, information theft accounts for 42 percent of total external costs and the costs associated with disruption to business or lost productivity account for 22 percent of external costs." Many firms are resistant to public disclosure because the details of their compromises or security breaches may change public perception, or impact customer confidence or competitive advantage.
We may, however, be at a turning point. Since Google's January 2010 disclosure of Chinese-origin cyber attacks (known as Operation Aurora), more executives are discussing the topic of information security and cybersecurity. Alan Paller of the SANS Institute announced that the Google incident affected more than 2,000 companies. In January 2010, Intel Corp. disclosed risk areas in its annual report filed with the SEC, noting: "We may be subject to intellectual property theft or misuse, which could result in third-party claims and harm our business and results of operations." Intel's disclosure suggests that its management understands the risk assumed by the business. Can the SEC encourage other companies to assume more proactive measures to determine whether they have been penetrated and have lost information? Simply beginning a dialogue on this issue may force companies to better understand the scope, adequacy and effectiveness of their internal control structures and the procedures they use to protect their information assets (data and infrastructure); better yet, this dialogue could prompt them to invest in risk-mitigation actions.
But if that is not enough, in its review of registrants' quarterly and annual reports and other filings, the SEC staff could ask registrants whether they have adequately disclosed material risk to their company's protection of customer data, proprietary data and mission-critical systems and infrastructures. Separately, auditors could assess the company's internal controls for the protection of internal financial and management data. After all, if that data is not secure, how can their assessments of the company's financial position be reliable to shareholders?
There are other attendant benefits that could result from the SEC moving in this direction. First, such a move would force a national (if not international) dialogue on the extent of professional criminal activity and the depth of economic espionage being conducted against global corporations worldwide. Boardrooms around the world would turn to the CEO, chief information security officer, chief information officer and chief risk officer to ask what they are doing to improve the level of security of their infrastructure and the online environment that supports it. As material risk is discovered, reporting would result in improved data and statistics and perhaps yield a quantitative picture of the economic impact of intrusions.
This risk disclosure could also help to identify solutions to the root cause of the problem. Companies would demand industry-led innovation with a newfound sense of urgency, in order to eliminate or mitigate the risk reporting in the following year. Companies may turn to their Internet service providers to provide increased managed-security services on their behalf. Concurrently, the security-product industry would have an increased market-driven requirement to deliver products that perform with higher assurance levels. The research community would also have access to data that would facilitate idea creation and innovative solutions to increase security across the entire architecture.
The increased data that would result from such risk filings could also lead to the growth of an insurance industry to help companies absorb costs if the data shows a minimum standard of due care. Some insurance companies are beginning to offer policies designed to protect businesses should they fall victim to intrusions or other forms of online disaster. However, there is still not enough actuarial data on which to reliably base the premium rates. If companies were required to disclose intrusions and the associated external costs of lost intellectual property or lost productivity, then insurance policies and costs would be more predictable. As more data becomes available, a standard of care, or "best practices" of the enterprise, could emerge. This would allow businesses to deploy capabilities in a way that would provide adequate protection, taking into account risk requirements and business operations. Then, if a corporation had implemented adequate defenses of its networks or information assets and a breach occurred (e.g., illegal copying and movement of data), it could call upon its insurance plan to supplant the losses. Such action would lead to a discussion of liability and may in fact reveal the legal underpinnings associated therein.
This proposal may seem dramatic and industry may appeal based on the unintended consequences of implementing such a rule in this area, arguing high costs and reduced competitiveness. But regulators can compare this proposal to the Sarbanes-Oxley Act of 2002, which introduced major changes to the regulation of corporate governance and financial practice as a result of identified weaknesses, illustrated by the Enron case, among others. And why shouldn't the SEC take measures to protect the near-term economic infrastructure and long-term growth for publicly traded companies?
Turning to the FCC
Concurrent with the SEC option, the president can also turn to the Federal Communications Commission to enlist private-sector talent, requiring the core telecommunications providers and ISPs to shoulder more of the burden of protecting our infrastructure. The major telecommunications providers and ISPs collectively have unparalleled visibility into global networks, which enable them with the proper tools to detect cyber intrusions and attacks as they are forming and transiting toward their targets. They even have the ability to tell the consumer if a computer or network has been infected. For example, Comcast is "expanding a pilot program that began in Denver last year, which automatically informs affected customers [by sending them] an e-mail, urging them to visit the company's security page." Customers are receiving alerts, being offered antivirus customer service and receiving free subscriptions to Norton security software. While this enhanced service is in the nascent stages, these companies also employ sophisticated tools and techniques for countering attacks to their own infrastructure and the networks. So, why doesn't the FCC mandate that this service be provided more generally, to clean up our infrastructure? Doing so could open a dialogue or lead to a request to limit the liability for providing such a managed security service. Perhaps the "Good Samaritan" clause in the Telecommunications Act of 1996 could be reviewed and applied to quell any concerns that may surface.
Other countries are turning to their ISPs to ensure the health of their Internet backbone. For example, Germany has determined that the botnet infestation (large clusters of zombie computers controlled by third parties that can be used for cyber attacks) on its private infrastructure is a priority for national defense. As such, the German Federal Office for Information Security has mandated its ISPs to track down infected machines and advise users on how to clean their computers. Similarly, Australia's ISPs have adopted a code of conduct designed to mitigate cyber threats and to inform, educate and protect their users from cybersecurity risks. The European Parliament and Council of Ministers reached an agreement on pan-European telecommunications reform that will be transposed into national law in the coming months. It obliges the ISPs to take more responsibility for providing enhanced security services to their customers and to report all security incidents to the European Network and Information Security Agency.
If the FCC were to require such a service to be implemented in the United States, it would immediately reduce the proliferation of malware and infections. Such a requirement also would focus innovation toward more sophisticated threats and would establish a baseline of security for the broader infrastructure. Further, the FCC could request that a reporting function be associated with this service. Combining their collective network visibility would support a national warning and assessment capability and would also facilitate a real-time exchange and consolidation of threat information and response capabilities. Further, the information base they create would cut across all segments of the private and public sector, indicating where resources should be placed first.
This type of service should be required not only of the "traditional" telecommunications carriers, like AT&T, Verizon and Sprint, but should also apply to other ISPs who are providing core communications services, like Comcast, Cox Communications and Time Warner Cable. It should also include Google, Microsoft and Amazon, because of their Cloud services. The rapid adoption of technology and growing migration of essential services delivered on Internet-based infrastructure demands that the FCC classify broadband and other Internet services as core telecommunications. This is important, because as the communications infrastructure migrates from older to newer technologies, services like energy (Smart Grid) and public safety (voice-over IP), will be carried over a communications network that may or may not be built to the same standards upheld by the traditional voice telephone system. The FCC realizes that it "needs a clear strategy for securing the vital communications networks upon which critical infrastructure and public safety communications rely," but is that enough? Key in this debate is how to preserve the open Internet while allowing network operators the flexibility and freedom to manage their networks even as they provide security to our core infrastructure. Also central to this debate is whether to hold wireless broadband and wireline carriers to the same standard when growth will be derived by wireless services and technologies in the coming decade. Whether wireline or wireless, the FCC needs to take a stance to ensure that carriers contribute to the security and resiliency of our communications infrastructure. After all, this is the very service they guarantee will be available 100 percent of the time; why not provide it with less malware, spam and infections? It would certainly help the companies that are under constant barrage from those trying to illegally copy their intellectual property. It would help the average at-home consumer take action to address a compromised PC on their home network. And it would help the government to gain a better understanding of the malicious activity occurring inside the very networks and infrastructures that are key to the nation's economic growth and security posture.
Turning to the FTC
As Commerce Secretary Gary Locke recently discussed, "Each year, the world does an estimated $10 trillion of business online. Nearly every transaction you can think of can now be done over the Internet: Consumers can pay their utility bills from their smartphones; nearly 20 percent of taxpayers file [their] returns electronically; people download movies, music, books and artwork into their homes; and companies, from the smallest local store to the largest multinational corporation, are ordering their goods, paying their vendors and selling to their customers online. However, the Internet will not reach its full potential as a medium until users feel more secure than they do today when they go online." This is why the president needs to turn to the Federal Trade Commission to engage the public on cybersecurity.
Criminal activity targeting consumers is a pandemic that must be addressed head-on. Countries around the world are calling for action. Professional criminals are innovating and developing new ways to generate revenue by compromising our computers through scams, spam and malicious software. They adapt to whatever information security measures are in place so they can continue to rob our bank accounts, steal our credit cards and assume our identities. The Federal Trade Commission has a broad mandate to protect and educate consumers and businesses on the fundamental importance of good information-security practices. The FTC believes that companies must take the appropriate steps to protect consumers' privacy and information and that they should have a legal obligation to take realistic steps to guard against reasonably anticipated vulnerabilities. The FTC maintains a website that provides practical tips from the federal government and the technology industry to help consumers and businesses guard against Internet fraud, secure their computers and protect their personal information.
But this is not enough when it comes to making consumers aware of the risks associated with e-transactions. The FTC should consider a more-proactive initiative that would require all e-commerce transactions to carry a warning banner or label, informing consumers that they are assuming a risk by conducting e-transactions - that, in fact, their transactions may not be secure and could lead to compromised credentials. This can be compared to the warning labels found on tobacco and alcohol products, telling consumers they can be hazardous to their health. An e-transaction warning label may seem like a drastic step toward improving the ability of firms and consumers to keep pace with ever-evolving cybersecurity risks, but it would help to raise awareness for every person who executes online transactions. In 2009, online retail sales grew 2 percent, to reach $134.9 billion, while total retail sales fell 7 percent in that same year. This trend is expected to continue, while at the same time, security analysts anticipate that cyber crimes will increase by more than 20 percent on a year-to-year basis. Consumers must be made aware of the risks of e-commerce and providers have a responsibility to do everything possible to ensure that their infrastructure is secure - at least to a minimum standard - and that they are working diligently to protect their consumers' transactions.
The FTC might also consider establishing baseline standards for conducting trusted transactions in cyberspace - including secure encrypted envelopes, digitally signed critical information and protected serial numbering - and finding ways to provide more protection for online consumer transactions. They should not prescribe technical solutions per se, but rather principles of protection. The Commerce Department and the FTC must ensure that the Internet remain fertile ground for an expanding range of commercial and consumer activity while also doing a better job of informing Americans of the forces that put consumer e-commerce activity at risk.
Melissa Hathaway led President Obama's Cyberspace Policy Review and previously led the development of the Comprehensive National Cybersecurity Initiative for President George W. Bush. Hathaway is president of Hathaway Global Strategies LLC and senior adviser at Harvard Kennedy School's Belfer Center.