Protecting sensitive information in the electronic age is a critical matter — but the question of what the term “critical” really means has become a vexing problem for lawmakers dealing with cybersecurity issues. Equally challenging is defining the role that government should play in protecting all parties engaged in the use of information technology.
The Obama administration took another cut last week at trying to identify what is critical — and what is not — in the realm of cybersecurity. The U.S. Commerce Department released a report dealing with information security in enterprises that are primarily associated with electronic commerce — but are not considered to be at the same level as nuclear power plants or water supply facilities as critical infrastructure.
The report, developed by the department’s Internet Policy Task Force, addresses “functions and services that fall outside the classification of covered critical infrastructure, create or utilize the internet, and have a large potential for growth, entrepreneurship, and vitalization of the economy.”
Striking the Right Balance
These are referred to in aggregate as the “Internet and Information Innovation Sector,” or “I3S.” The types of activities covered by the task force include provision of information services and content; facilitation of the wide variety of transactional services available through the Internet as an intermediary; storage and hosting of publicly accessible content; and support of users’ access to content or transaction activities including, but not limited to, application, browser, social network and search providers.
“Our economy depends on the ability of companies to provide trusted, secure services online. As new cybersecurity threats evolve, it’s critical that we develop policies that better protect businesses and their customers to ensure the Internet remains an engine for economic growth,” said Commerce Secretary Gary Locke.
All of the activities noted in the report are increasingly vulnerable to cybersecurity threats, and the task force issued several recommendations for enhancing security in the I3S community:
- Establishing nationally recognized but voluntary codes of conduct to minimize risk. The report recommends that businesses employ present-day best practices such as automated security to combat threats, and implement the Domain Name System Security (DNSSEC) protocol extensions on the domains that host key websites.
- Developing incentives to combat cybersecurity threats. These could include reducing insurance premiums for those companies that use best practices and that openly reveal and share information about cyberattacks for the benefit of other businesses.
- Improving public understanding of cybersecurity risk through education and research. Programs like the National Initiative for Cyber Security Education should target awareness and training to the I3S community and develop methods to show the benefits of protection versus the expense of reducing risk.
- Enhancing international collaboration on cybersecurity best practices to support expanded global markets for U.S. products.
The potential stumbling block related to the proposals is whether the goal of protection will be undermined by heavy-handed, expensive and cumbersome government regulation.
A Light Touch for Government
“On the whole, what the administration is proposing is having a lighter government presence for dealing with cybersecurity for noncritical infrastructure, and that is welcome,” Gregory T. Nojeim, senior counsel at the Center for Democracy and Technology (CDT), told the E-Commerce Times.
“A voluntary approach on developing standards — with industry leading the way — is the right way to go,” he said. “There is a risk the government could become too prescriptive, but it looks like the Commerce Department is trying to avoid that.”
While the task force report recommends that industry should voluntarily set protection standards, it poses the question of how the standards should be enforced.
Currently, the Federal Trade Commission (FTC) uses its unfair and deceptive practices authority to investigate cybersecurity breaches. However, the FTC’s protective capabilities would be enhanced if it were empowered to enforce more precise cybersecurity standards developed by the private sector, the report suggests.
“The point is trying to provide incentives to do the right thing — that is the goal,” Ari Schwartz, senior Internet advisor at the National Institute of Standards and Technology (NIST), told the E-Commerce Times.
Whatever the government role might be, the process should be flexible, Schwartz contended, versus a hard and fast law with little room for change.
“We favor a rulemaking approach which is open and can change over time,” he said. “The reason we issued this report as a ‘green paper’ instead of a white paper is that we are making suggestions and asking questions for more input from industry and the public. We are willing to work with Congress and the private sector to get this done.”
Still, the use of incentives means different things to different people. A defensive incentive would be taking steps to avoid FTC action by complying with any standards that the agency may eventually adopt, including those developed by the private sector. A more positive standard would be tax breaks for implementing security measures, including reduced insurance premiums. Another incentive that could only come from government would be legislation providing legal protection from litigation if businesses complied with certain standards — known as a “safe harbor” provision.
A Sticky Process Ahead
Getting the proper mix of voluntary and regulatory actions right is an unfolding process, and it could be quite tricky.
It is possible for businesses to implement appropriate safeguards without regulation, “but other drivers might apply here, such as the fundamental concern of staying in business,” says TechAmerica in an email response provided to the E-Commerce Times by spokesperson Anne Savoie.
“For many, operational risk and reputation risk are critical factors in their risk management decisions,” the statement continues. “Proposed breach notification legislation is helpful in that it provides a safe harbor for those that take proactive security measures, thereby providing an incentive for action on the front end that obviates reaction on the back end.”
Another possible sticking point is the information-sharing proposal on breach notification. The question remains as to how detailed the “sharing” process should be.
“Breach notification is a good idea, but I think some parsing-through of the proposals is still needed,” said CDT’s Nojeim.
Even though the report has the benefit of clarifying a segment of enterprise that should not be covered by more stringent “critical infrastructure” standards, the “I3S” community is still quite broad.
“It is important to note that given the diversity in industry, no one approach will be attractive or feasible for everyone,” the TechAmerica statement notes, “and a variety of options may be more effective.”
The Commerce Department is seeking comment on the report, “Cyber Security, Innovation, and the Internet Economy.” As a result, the formulation of a final legislative proposal will take a while, and that could affect the prospects for enactment of a comprehensive cybersecurity law this year.
However, instead of enacting a single law, Nojeim pointed out, Congress may address the issue by taking an incremental approach.