A Review of The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity, Internet Security Alliance, 2016
This may be the most important
book on cybersecurity ever written. It
echoes many a truth that the risk manager on the front lines experiences daily. It not only resonates, it recommends a better
way.
Whatever we are doing now in cybersecurity, it is plainly
not working. In just a few days we learn
that Equifax lost control of 145 million consumer credit records, systems of
the Securities and Exchange Commission were breached, and NSA secrets were
lost. Almost unnoticed, Yahoo announced
that a 2013 attack took data on not 1 billion but 3 billion accounts.
As Equifax ex-CEO Richard Smith endured a multi-day grilling
in Congress, the calls for more government regulation and jail time were both
loud and inevitable. Meanwhile, calls
for jail time for senior government officials whose systems were also hacked
are, to put it mildly, mild. While a public debate on the data collection
practices of the credit reporting industry may be due, so too is a debate on the
notion that more government regulation is the way to fix cybersecurity.
The Structure of the Argument
The Internet Security Alliance is an international
multi-sector trade association that promotes new thinking about public policy
toward cybersecurity. The Cybersecurity Social Contract is the
ISA’s manifesto for a reformulation of public policy on internet security based
on the idea of a social contract, as opposed to the regulate-audit-penalize
framework that prevails in the United States.
The book has both the strengths and limitations of being
written by a committee. The best is the
first section, two chapters written by Larry Clinton, ISA’s President, making the
case that the current regulatory approach is rooted in 19th-century
technology, does not work, and cannot
work in cybersecurity, and that a new approach based on the idea of a social
contract can. The second section is a
series of chapters devoted to key industries, including defense, finance,
electric power, health, telecommunications, IT, manufacturing, and the
overlooked food and agriculture sector.
Section II also has a strong chapter addressing the critical shortage of
cybersecurity talent. Chapters in the third
section cut across industries along such lines as corporate governance, compliance
audits, and cyber insurance. One of the
book’s best chapters is on what works and what doesn’t in public-private partnerships. The appendices are in the form of briefing
memos to the new President (this was in 2016) on these topics.
Regulation Does Not Work
That the current approach of regulate-audit-penalize does
not work is manifest from the headlines.
The current model of regulation is backward-looking and moves too slow
to keep up with cyber threat technology.
It is based on the implicit but false premise that government experts
know best. But they cannot secure their own systems, even with the clear and
detailed mandates of the National Institute of Standards and Technology. Industry executives are rightly jaundiced
when regulators come to them with dirty hands and say, “do what we say, not
what we do.”
A central problem of the current model is its economic
irrationality. NIST and other standards
bodies issue lists of hundreds of controls, compliance to which firms are driven
by audits. In practice the only passing
grade is 100% compliance, regardless of the stated intent that companies should
manage to the risk, not to a checklist.
“Guidance” is merely the iron fist of the regulator wrapped in a velvet
veneer of PR-speak. The FFIEC issued
guidance to financial institutions for the “voluntary” adoption of the NIST
Cybersecurity Framework, but it was not long before the FDIC and OCC made its use
mandatory in bank examinations. NIST has
not assessed the cost-effectiveness of the CSF practices as required by the executive
order that created it. In fact, tests for
economic rationality are generally absent from cyber regulations, an idea that
seems inimical to regulation itself. Instead, the Open FAIR
framework for quantifying risk and the economic return on security investments
should be broadly adopted.
The result, in case after case, is a compliance structure
that is unaffordable to all but the biggest companies, and therefore erects yet
more barriers to entry by the smallest, most-innovative firms that create most
new jobs and new products in our economy.
The effect is manifest in defense, finance, health, and electric
power. This regulatory regime creates a
two-tier model in which only “the bigs” have the money and lobbying power to
win. It’s a prescription for economic
stagnation, and we’ve written it for ourselves.
A New Social Contract
The doer is hectored by the nattering critic who finds fault
with everything. It’s easy to criticize,
but what’s better? The ISA’s answer is a
new social contract, which means arrangements between government and industry
founded more on incentives and less on mandates, such as rate-of-return
regulation that gave us universal and reliable telephone services and electric
power. The ISA offers many suggestions,
some specific, others vague, for what this new social contract might entail. A few:
- The government, particularly the Defense Department, could require suppliers to have cyber insurance, just as it requires other forms of insurance. This could stimulate the development of the nascent cyber insurance market, and be a model to the broader economy.
- Regulatory audits could incorporate a maturity model in which companies that show a serious commitment and a record of improvement on security would be rewarded, in a sense, by a lighter-weight audit in the next year.
- Rules and regulations should be made practical for small and medium-sized businesses.
- Let economic rationality prevail. Practices of the NIST Cybersecurity Framework should be assessed for cost-effectiveness, though the results may depend on circumstances and change with time. Regulators and other stakeholders should accept competent situation-specific cost-effectiveness analyses of controls.
- The Department of Energy should expedite renewal of security clearances for senior power-utility executives changing companies. Long delays hamper their effectiveness in their new companies.
- The federal government must accept the role that only it can play in protecting the portions of the nation’s critical infrastructure that is beyond the power of the private sector. Only the federal government has the resources, expertise, and legal and political power to defend the public networks that banks, utilities, health care providers, and defense contractors use against attacks by nation-states to implant malware and steal intellectual property and personal information.
- Shockingly inadequate federal resources devoted to cybersecurity must be ramped up. Total private sector spending on cybersecurity is estimated at $120 billion a year, compared to just $13 billion for the federal government, most of which is for cyberwar-fighting. DHS spends only $1.3 billion on protecting government systems and national infrastructure combined. By comparison, just two banks spend that much. Agency IT budgets must include maintenance funds so upgrading from Windows XP does not literally require an act of Congress.
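The review twice asks for economic rationality: the paragraph above calling for Open FAIR-style quantification, and the bullet asking that regulators accept situation-specific cost-effectiveness analyses of controls. The following is an added illustration, not code from the book, the ISA, or The Open Group, of what such an analysis looks like in its simplest form. It keeps only two of FAIR’s factors, loss event frequency (events per year) and loss magnitude (dollars per event), each given as a min / most-likely / max estimate, runs a Monte Carlo simulation to get annualized loss exposure (ALE), and then compares the ALE reduction a control buys against what the control costs. The scenario numbers (a 60% frequency reduction, a $100,000 annual cost, and the loss ranges) are constructed for the example and are not from the page.

```python
"""Simplified FAIR-style loss exposure and control cost-effectiveness.

Illustrative only: the Open FAIR standard decomposes risk further
(threat event frequency, vulnerability, primary and secondary loss) and
relies on calibrated expert estimates. This example keeps two factors:
Loss Event Frequency (events per year) and Loss Magnitude (dollars per
event), each modelled as a triangular (min / most likely / max) estimate.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Triangular:
    """A min / most-likely / max estimate, the usual shape of a calibrated range."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        # random.Random.triangular takes (low, high, mode) in that order
        return rng.triangular(self.low, self.high, self.mode)

    def scaled(self, factor: float) -> "Triangular":
        return Triangular(self.low * factor, self.mode * factor, self.high * factor)


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year given an expected rate (Knuth's method)."""
    threshold = math.exp(-lam)
    k = 0
    p = rng.random()
    while p > threshold:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_losses(lef: Triangular, lm: Triangular,
                           trials: int = 20000, seed: int = 7) -> list:
    """Monte Carlo over simulated years: draw a rate, a count of events, a loss per event."""
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        events = poisson(rng, lef.sample(rng))
        years.append(sum(lm.sample(rng) for _ in range(events)))
    return years


def percentile(values, pct: float) -> float:
    """Nearest-rank percentile; p90 is the usual 'bad year' figure in a FAIR report."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(pct / 100.0 * (len(ordered) - 1))))
    return ordered[idx]


def evaluate_control(lef: Triangular, lm: Triangular, lef_reduction: float,
                     annual_cost: float, trials: int = 20000, seed: int = 7) -> dict:
    """Compare ALE with and without a control that cuts loss event frequency.

    The control is justified on expected loss when the ALE reduction it buys
    exceeds its annual cost (net_benefit > 0). Using the same seed for both
    runs keeps the comparison paired rather than adding simulation noise.
    """
    before = simulate_annual_losses(lef, lm, trials, seed)
    after = simulate_annual_losses(lef.scaled(1.0 - lef_reduction), lm, trials, seed)
    ale_before = statistics.fmean(before)
    ale_after = statistics.fmean(after)
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "p90_before": percentile(before, 90),
        "p90_after": percentile(after, 90),
        "annual_cost": annual_cost,
        "risk_reduction": ale_before - ale_after,
        "net_benefit": ale_before - ale_after - annual_cost,
    }


# Constructed, hypothetical estimates for one scenario (not from the book).
BASELINE_LEF = Triangular(0.5, 1.0, 2.0)                # loss events per year
BASELINE_LM = Triangular(50_000, 200_000, 1_000_000)     # dollars per event
CONTROL_LEF_REDUCTION = 0.6    # assumed: the control cuts loss-event frequency by 60%
CONTROL_ANNUAL_COST = 100_000  # assumed: dollars per year to run the control


if __name__ == "__main__":
    result = evaluate_control(BASELINE_LEF, BASELINE_LM,
                              CONTROL_LEF_REDUCTION, CONTROL_ANNUAL_COST)
    for key, value in result.items():
        print(f"{key:>15}: {value:>12,.0f}")
    verdict = "justified" if result["net_benefit"] > 0 else "not justified"
    print(f"control is {verdict} on expected loss")
```

The point a regulator or auditor should be willing to accept is the one this makes visible: the same control can be worth running in one firm and a waste of money in another, because the answer depends on that firm’s loss frequency and magnitude estimates, not on whether the control appears on a checklist. The analytic check (mean frequency times mean magnitude, about $486,000 a year for the constructed baseline) is a useful sanity test that the simulation is wired correctly before anyone trusts its p90.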
Government, Clean Up Your Act
And the government has to get its act together. Congress has
seventy-eight committees and subcommittees that have some jurisdiction over
cybersecurity. There are about as many
government agencies when you add 50 states to a dozen or so federal departments
and agencies. New laws are needed to unify the patchwork of dozens of state
disclosure requirements and offer some liability protection for sharing threat
intelligence.
The US approach to regulation has usually been
sector-specific, so a company may be subject to multiple costly, overlapping,
and sometimes conflicting rules. Every
agency seemingly wants its own patch of cybersecurity turf, regardless of their
competence to manage it. How much of the Sturm
und Drang of the Equifax episode would be taken care of with a
cross-industry approach to privacy like the EU’s General Data Protection
Regulation? The GDPR may go too far, but
at least it is the same for all industries.
A Few Criticisms
This is where The
Cybersecurity Social Contract has some weaknesses. Several of the chapters recommend tax
incentives and other kinds of inducements without offering specifics. It’s too easy to ask for a special tax break.
The chapter on electric power utilities pleads for the
Department of Energy to remain the main point of contact for security. This seems self-serving and destined to take
us right back to the welter of sector-specific regulations we have now.
The chapter on auditing cyber controls was also written by a
committee and reads like it. It is
filled with impenetrable audit-speak.
It calls for cybersecurity examination reports (which generate fee
income) to be voluntary. But what’s
voluntary now becomes a de facto
mandate later, and the audit firms know it.
The examinations would be based on an evolution of “trust services
criteria” defined by the American Institute of Certified Public Accountants,
and based on the longstanding framework for internal control of the Committee
of Sponsoring Organizations (COSO), but that’s just what SOC 2 and previously
SSAE 16 did, so what’s new here? Trust us;
just wait a bit for the next version.
Some Cause for Optimism
The book and this review end on a high note, that being the
chapter on best practices in public-private partnerships. If we take the main message to heart, that we
should develop the pieces of a new social contract, the question is how to do it. Larry Clinton once again comes to the rescue
by extracting lessons for what worked and what did not from a surprising
variety of past efforts. What does not
work: keeping participants compartmented from each other, unclear or unstated
selection and decision criteria, lack of access to contributed information,
lack of openness to discussion. DHS
looms large here. What does work: joint drafting of language by industry and
government officials, personal commitment, consensus decision-making, early
engagement with industry, starting without ideological preconceptions,
soliciting written input, collaboration in developing objectives and
priorities, building on past efforts, following through, having adequate
support. NIST is an exemplar. In short, commitment and open collaboration
work, hidden agendas and secrecy don’t. The
only surprise is that we need to be told this.
If you despair of progress in cybersecurity, read this for
a solid dose of reason for optimism based on fact and logic.