Sunday, February 21, 2021

Philosophy of Cybersecurity Legislation – Part 1: What to Regulate

There has recently been a lot of talk in the national media and political theater about the need for cybersecurity legislation to protect against cybersecurity threats such as the SolarWinds hack and the water facility ‘attack’ in Florida. Before one starts talking about the potential nuts and bolts of such legislation, I think that it is important to consider what I like to call the philosophy of cybersecurity legislation; the what and why of legislative need.

What to Legislate

The first thing that you need to establish is what one wants the federal government to regulate, or more importantly what one wants to accomplish with that regulation. For cybersecurity the most obvious desire would be to stop any foreign adversary from disrupting government and private-sector cyber-operations within the United States. That would certainly fit with the ‘provide for the common Defence’ provision of Article 1, Section 8, Clause 1 of the Constitution.

Unfortunately, short of throwing up a national firewall around the United States, where the federal government controls all information and communications flowing into and out of the country, there is no method by which the government will be able to intercept and prevent all attacks via either the internet or the telecommunications infrastructure. Such governmental control of information flow would be an intolerable anathema to most Americans and legislators. So, the scope of the legislative intent will almost certainly have to be reduced.

We already have legislation in place that gives the DHS Cybersecurity and Infrastructure Security Agency (CISA) extensive authority for protecting the federal government (except DOD and intelligence agencies) from cyber-attacks. Thus, broad new authority is not needed; fine tuning and perhaps funding adjustments are all that should be required for preventing future SolarWinds-type attacks. (Okay, that is being a tad simplistic, as the nuts and bolts of such prevention have yet to be adequately discussed, but for a philosophy discussion that is just left as an exercise for the student – GRIN.)

With a national firewall off the board as a means of defense, we have to decide if preventing all foreign adversary attacks on private-sector cyber-operations is a reasonable goal for our legislative intent. First off, do we really suspect that a foreign government is going to want to target the disruption of the private email between ordinary citizens or the operation of my wife’s jewelry sales site on Etsy (I’ve been trying for weeks to figure out how to get that advertisement into my blog)? And if they did, for some obscure reason, would that really fit within the description of ‘provide for the common defense’?

Limit the Scope to CI

A more reasonable use of the federal government’s cyber resources (both money and personnel are significant constraints on any legislative endeavor) would be to limit non-federal cyber defense to critical infrastructure. That is still an expansive (and potentially expanding) set of cyber resources to protect, but it would certainly be a more justifiable use of federal resources.

That leaves an important gap in the area needing cyber protection, namely the protection of the cyber resources of State, local, Tribal and Territorial (SLTT) government. Because of the curious constitutional separation of rights and responsibilities of governmental authority in the United States, the current CISA authority over governmental cybersecurity does not directly extend to SLTT government operations. CISA is currently restricted to providing advice and limited assistance to those governments.

For the purposes of this discussion, I will assume that general SLTT government cybersecurity is going to take separate legislation from that being discussed here due to the wide disparity in the needs and desires for federal cybersecurity support from SLTT governments. I will, however, include in the remaining discussion those SLTT operated pieces of critical infrastructure like drinking water treatment plants and wastewater treatment facilities.

So, for this discussion we are looking at writing legislation that attempts to prevent a foreign adversary from disrupting the cyber-operations of private-sector critical infrastructure (PSCI), including SLTT owned and operated water and wastewater operations.

What Cyber-Operations Will Be Protected?

Are we going to try to protect all of the cyber-operations of these PSCI entities? That is a very wide field of dreams, covering email, payroll, personnel administration, security, and operations. The one thing that differentiates PSCI from other private-sector entities is typically the output of their operations. The federal government’s interest is in ensuring the continued output of the critical operations (CO) of PSCI, so the intent of the legislation is to protect those CO of PSCI from disruption by foreign adversaries. To be sure, protecting the CO of PSCI may necessitate providing protections against disruption of other cyber-operations of PSCI, or at least mitigating the effect of those other disruptions on the CO.

Congressional Oversight Impact

So, a critical portion of any legislative action will be how to identify which facilities in the United States will be affected by the legislation. The problem here is that different sorts of critical infrastructure are regulated by different portions of the federal government. Even when considering security, the different executive departments did not surrender their oversight to the Department of Homeland Security.

Even if new legislation did give CISA authority to regulate cybersecurity at PSCI, there would still be the problem of congressional oversight to deal with. We have specifically seen this with the CFATS program legislation. While there is frequently disagreement between the House and Senate on legislative matters, the larger stumbling block for CFATS legislation has been the conflict between the House Homeland Security Committee and the Energy and Commerce Committee. This has more to do with the different foci of the two Committees than with the inter-party conflict we typically see in House-Senate relations. The internecine conflict between House committees would be intense in any PSCI cyber-legislative effort.

The National Infrastructure Protection Plan (NIPP) provides a methodology to overcome the problems identified above. The federal government has already designated which executive departments are responsible for the oversight of security at the 16 different critical infrastructure sectors; these are designated as Sector Specific Agencies (SSA). Thus, our cybersecurity legislation does not need to identify who will be responsible for regulating which sectors, it can simply rely on the oversight designations that already exist.

Identifying Operations to be Protected

With these political considerations and the inevitable push-back by industry against any new regulations, defining what cyber-operations would be covered in different industries would be difficult. The general definition, though, should be easier. We would only have a federal interest in regulating those cyber-operations that have a direct impact on the entity’s capability of providing the critical output for which it receives the critical infrastructure designation. While protecting other cyber-operations might be beneficial, the federal interest in ensuring critical output should limit the application of federal influence to just those operations.

Legislation would require each SSA to establish, by regulation, criteria for identifying PSCI entities that require cybersecurity oversight to protect national security and national preparedness. The intent would not be a broad definition to encompass as many facilities as possible, but rather to limit the identification of facilities to those that are the most critical to the economy or national security of the United States. The reason for this limitation is that the government agencies responsible for the oversight have only limited resources for ensuring that the resulting cybersecurity regulations are followed by the identified facilities.

And make no mistake about it, enforcement of cybersecurity regulations will be necessary. We need look no further than the various OSHA and EPA safety regulations to see that without effective enforcement many facilities will have only paperwork, check-the-box cybersecurity programs. Even at the facilities that are going to make an honest effort to comply with the regulations, the lack of facility cybersecurity expertise will limit the effectiveness of those efforts.

In Part 2, I will look at the philosophy of how to regulate that should drive cybersecurity legislation.
