Thursday, October 11, 2012

Analysis of Cybersecurity as a Public Good: US Government Implications: Government as Trustee

The Federal Government has recognized the potential danger of cyber threats since 1998, when President Clinton announced via Presidential Decision Directive 63 that he wanted to close the vulnerabilities in the nation's growing cyber infrastructure. Presidential attention to the issue has since continued through both terms of the Bush administration and into the current Obama term. (Heilbrun & Brown, 2011)

In 2011, the Administration presented a legislative proposal to encourage the adoption of several significant cybersecurity changes that would have affected several portions of the country's economy. One significant change, following up on the sections above, was to create a federal standard for national data breach reporting after breaches that accessed customers' personal data. It would have replaced the 47 separate state breach reporting laws with one federal standard. (Heilbrun & Brown, 2011) The Obama proposal would also have strengthened the current laws that address cybercrime. Proposed changes included requiring a minimum sentence for knowingly attempting to damage critical infrastructure. It, along with multiple bills introduced in both houses of Congress, would have created a voluntary program under which non-federal targets of cybercrime could obtain federal assistance. (Heilbrun & Brown, 2011)

Additionally, the legislative proposal would have established a system to identify and protect critical infrastructure. The Department of Homeland Security would have been authorized to monitor the operators and review their cybersecurity plans, ensuring that those plans addressed cybersecurity risks. Lastly, it would have streamlined the process for DHS to recruit and retain cybersecurity managers, professionals, and new entrants to the field. (Heilbrun & Brown, 2011)

Government-mandated protection of data will probably be enacted through laws that follow the style of, or expand upon, the existing privacy data protection statutes. The existing laws focus directly on the protection of nonpublic personal information, in the form of the Financial Services Modernization Act of 1999 (commonly GLB), and of individually identifiable health information, in the form of HIPAA from 1996. (Heilbrun & Brown, 2011)

Though GLB is currently regulated by the Securities and Exchange Commission and HIPAA by Health and Human Services, future data protection laws will probably be regulated by DHS. This prediction is consistent with current legislative attempts and with the potential executive order that has been discussed for putting cybersecurity policies in place if Congress doesn't pass something. (Heilbrun & Brown, 2011)

The drafting of cybersecurity legislation will need to be careful that it does not interfere with future innovation or security. The Digital Millennium Copyright Act of 1998 is an example of a law that can cause security issues. The analysis of software, hardware, and cryptographic devices and components includes reverse engineering to examine exactly what is happening under the hood. The prohibitions in the DMCA make many people uncomfortable performing reverse engineering, including the students we would expect to grow into security researchers. If law-abiding citizens are not reverse engineering the products, they won't find the flaws that the non-law-abiding vulnerability analysts do. Overall security is left weaker when the illicit analysis is significantly more advanced than the legal analysis. (Lewis, 2009)

Heilbrun, M. R., & Brown, I. (2011). Cybersecurity Policy and Legislation in the 112th Congress. Intellectual Property & Technology Law Journal, 23(12), 14–20.

Lewis, J. A. (2009, March). Innovation and Cyberspace Regulation. Center for Strategic and International Studies.

Analysis of Cybersecurity as a Public Good:
US Government Implications
Workstation Cybersecurity a Public Good?
Data Security a Public Good?
Government as Trustee
Implementation Reliance back with Industry
