On May 12, 2011 the White House formally unveilled its newest legislative proposal on cybersecurity.
Many of the aspects are not new, but are rather "more of the same": the need to facilitate information sharing with the private sector (among other things, by way of providing immunity from liability and from FOIA), the need to foster technological innovation, and so on.
However, there is one REAL policy change in the proposal. According to the proposal, specifically the Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act, the Secretary of Homeland Security shall have the authority to regulate private critical infrastructures and mandate cybersecurity standards.
This is a (small scale) revolution in the manner in which the U.S. thinks about the regulatory governance of critical infrastructure protection. Put differently, the proposal implies a shift in how the U.S. addresses the regulation of cybersecurity in critical infrastructures (I will call it CIIP - Critical Information Infrastructure Protection) - from a "hands off" approach to a more intervening role for government.
The problem of providing adequate levels of CIIP is similar to public problems that governments encounter and, thus, requires remedy by government through intervention or through facilitation of private sector remedies. Governments may employ a variety of institutional arranements to ensure that adequate levels of security are provided. These arrangements are characterized by varying degrees of government intervention, from market provision (no intervention at all), through industry self-regulation, collaborative arrangements between the public and private sector (co-regulation, mandated self-regulation), command-and-control regulation, to pure market provision of CIIP. I term this the "regulatory continuum" (see Assaf, Models of Critical Information Infrastructure Protection, 1 International Journal of Critical Infrastructure Protection Volume 1, December 2008, Pages 6-14).
Since P.D.D. 63 (1996), the U.S. government has attempted to enhance the cybersecurity of its critical infrastructures. Albeit, with very little success. One of the key assumptions underlying the U.S. policy for protecting critical information infrastructure was that since the vast majority of the critical infrastructures are owned and operated by the private sector, the government should refrain from intervening and mandating cybersecurity standards. first, there was the notion that the private sector (the market) can adequately protect itself and has all the needed incentives to do so (as it wants to keep the provision of services or supplies running in order to maximize its profits).
This policy was critiqued on various grounds. One of the main arguments was that the market for critical information infrastructure protection is susceptible to a series of market failures - externalities, public goods, and information deficiencies. As a result, the private sector cannot provide adequate levels of cybersecurity in critical infrastructures. It followed then, that some sort of government intervention is required in order to ensure that adequate levels are provided. For additional reading see Assaf, Government Intervention in Critical Information Infrastructure Protection, in Critical Infrastructure Protection, E. Goetz and S. Shenoi (Eds.), Springer, Boston, Massachusetts, pp. 29-39, 2007.
Understanding that the market itself cannot provide adequate levels of CIIP, the government has moved along the regulatory continuum to another possible arrangement - that of industry self-regulation. The government endorsed the creation of industry-specific ISACs (information and analysis centers), with the view that this will encourage industry associations to promulgate industry-specific CIIP standards. While the ISACs became information sharing centers (more in the financial and energy sector, less so in other sectors), they failed to generate effective (or any) self-regulation.
The next move along the regulatory continuum was a collaborative regulatory arrangement relating to the electricity and chemical sectors: In the case of the chemical sector, section 550 of the Homeland Security Appropriations Act of 2007 mandated federal standards (including cyber security regulations) for securing high ¬risk chemical facilities. The act authorized the Department of Homeland Security (DHS) to promulgate interim final regulations to assure the security of high¬ risk chemical facilities. On April 2007, DHS issued an interim final rule (effective June 8, 2007) that established risk¬-based performance standards and required thousands of chemical facilities that use or store significant quantities of toxic chemicals to perform vulnerability assessments and take steps to secure their facilities. In the case of the energy sector, the Federal Energy Regulatory Commission (FERC) approved in 2006 a number of CIP standards developed by the North ¬American Electric Reliability Corporation (NERC), the energy sector trade association. The US Congress authorized this regulatory activity via the Energy Policy Act of 2005. This led FERC to certify NERC as an electric reliability organization (ERO) with the mission to develop and enforce (subject to FERC approval) mandatory reliability standards (including cyber security rules) for bulk power systems. According to NERC’s implementation initial plans, all applicable organizations were required to be fully compliant and pass audits by 2010, although someone from within this industry was quoted describing NERC CIP standards "as ‘a giant exercise in avoidance’" (see Ross Anderson and Shailendra Fuloria, Security Economics and Critical National Infrastructure - a very interesting article discussing self-regulation in the U.S. It should be noted, though, that although Prof. Anderson argues that the U.S. "has gone for regulation", it is pretty much the opposite - self-regulation rather than classic, command and control regulation).
The current regulatory move taken by the Obama Administration represents another move towards an interventionist approach. It is a direct continuation of the Cyberspace Policy Review. This policy review still emphasised the importance of the notion of "public-private partnerships", which was the cornerstone of the U.S. CIIP policy since its inception, however it did admit that this notion was rather empty and that the government should inject some more "public" into these "public-private Partnerships".
The new legislative proposal suggests that the government (but not necessarily Congress that is required to formalize and legislate it) has stronger commitment toward the path of reinforcing the ‘public’ in public-private partnership and creating a better balance between public and private values. The move from a pure market approach, through voluntary industry self-regulation, to enforced self-regulation in the energy and chemical sectors described above, to proposed enforced self-regulation (and perhaps even agency regulation) serves the purpose of altering the incentive structures of the private owners and operators of the U.S. critical infrastructures, albeit to a limited extent (profit-maximisation remains their main objective). The private sector is still developing and setting cyber-security standards but the requirement to obtain the government’s approval for those standards, together with the threat of government enforcement, change the way in which management in these critical infrastructures considers cyber-security issues and so enhances accountability to public values or interests.
I want to reiterate, that this is still only a proposal. President Obama proved, thus far, that if he wants Congress to adopt legislation, he can deliver (for example, the much contested health care reform approved by Congress in 2010). Nevertheless, without a real commitment toward this path, whatever its challenges are, from both the public and private sectors, the U.S. (as well as other countries that adopted the same or similar regulatory model) will remain vulnerable to attacks on its critical infrastructures.
