Title: Assessing the Public Policy Morass Surrounding Cyber-Security Protection

1. Assessing the Public Policy Morass Surrounding Cyber-Security Protection
- Prof. John W. Bagby
- College of Info. Sci. & Tech.
- Pennsylvania State University

2. Really?!? A Morass
- That Which Entraps, Hinders, Overwhelms or Impedes Progress
  - also a disordered or muddled situation or circumstance; a low-lying soggy swampland
- Assumes Cyber-Security Progress has Stalled
- Offers Public Policy Assessment to Assist Resolution Among Entrenched Interests
- Really any different than other current public policy situations? Like what?!?

3. Evidence of Vulnerabilities
- Vulnerability Invited Damage
  - Iranian Denial of Service on US Consumer Financial Services, Sept. 12
  - Shamoon virus, Saudi Oil, Ja.12
  - TJX Hack in 07: 45 million customer PII
- Vulnerabilities Successfully Defended!
  - Empirical Counts of Probes or Thwarted Attacks
  - CERT Data Show Scope, Source, Failure, Resolution
  - DoD under constant attack

4. Sensitivities: Private-Sector vs. National Security
- Cyber-Security Conundrum Defies Resolution
  - Vulnerability Demands Remediation
  - Public Policy Consensus Unlikely
- Probability/Magnitude Calculus from Basic v. Levinson (88)
- Traditional Private Sector Risk Analysis (Prof. T.)
  - Actuarial-Based
  - Standard ROI Dominates over Costs of Failure
- Traditional National Security Risk Analysis (Col. J.)
  - Black Swans Drive Much Security Investment
  - Standard Costs of Failure Dominate over ROI

5. What Role is there for Traditional Insurance Underwriting?
- WSJ last week
  - Danny Yadron, Lobbying Over Cyber Attacks vs.
  - CyberSecurity more like Intell. counterespionage
  - Bernard R. Horovitz, Blunting the Cyber Threat to Business, Wall St. J., A15 (1.10.13)
- Coverage Unlikely under Existing Policies
- Audit using current de facto standards (principles)
- Ins. Market is coming
  - Perhaps Instructive: 90s Intelligent Transport
  - Demo '97 San Diego, Lloyd's-style came JIT
  - Finally, 16 yrs later, Google's Driverless Car
  - Will it Hasten FaceBook in YOUR Dashboard?!?

6. CyberSecurity: Omnibus vs. Sectoral
- Omnibus Security Measures Apply Broadly
  - Permits Standardization
  - Vulnerabilities Broadly Reduced
  - Socializes Compliance Costs
    - The Cyber-Security Tax?
- Sectoral Security Measures Apply Narrowly
  - Permits Customization to Industry Risks
  - Experimentation breeds experience useful elsewhere
  - EXs: PCI (Financial Services), NIST (Fed. Agencies), HIPAA, DoD
  - Isolates Social Costs as Appropriate
  - Most vulnerable Infrastructures 1st: Financial, Grid, Nat'l Defense
  - Slows Multi-Sectoral Deployment
  - Some Vulnerabilities Persist: Cyber is Broadly Cross-Cutting

7. Industrial Organization Analysis
- Theory of the firm
  - boundaries/behaviors between firms & markets,
  - structure of entities, competitive environment, transactions costs, barriers to entry, information asymmetries,
  - role of government policies that intervene to correct market imperfections & incentivize behaviors consistent with policy
  - structure, conduct, performance models
- Proposals Will Alter Traditional I/O

8. Security Law & Economics
- Private Sector Owns/Operates/Maintains 85% of Critical Infrastructure
- NPV: Direct Immediate Costs vs. Uncertain Remote Benefits
- Incentives Appear Insufficient to Anticipate/Inhibit Black Swans
- Chronic Underestimation of Reputational Degradation
- Free rider & Weakest Link
  - Industry-Wide Irrationalization
- First-Mover Disadvantage: Revelations Signal Vulnerability

9. Security Law & Economics
- Coordination problem
  - Incentives limited to provide positive externalities, societal benefits
  - Fragmented IT Assets Defy Coordination & Efficient Control
    - Locations, control, monitoring, portability, cloud transient, duties
- Should Cyber-Security be a Public Good?
  - Currently Under-Produced because
    - Non-Rival: marginal costs low as others benefit
    - Non-Excludable: positive externalities invite free riders, investor cannot capture all benefits

10. Some Existing Legislation
- Critical Infrastructures Protection Act of 2001
- Homeland Security Act of 2002
- G/L/B 1999
- HIPAA
- Trade Secrecy
- National Security

11. Proposed Legislation: House
- H.R. 3674, Promoting and Enhancing Cybersecurity Information Sharing Effectiveness Act (PRECISE Act) (sponsor Dan Lungren, R-Ca; lost in 12 to Ami Bera, D-Ca)
- H.R. 3523, Cyber Intelligence Sharing and Protection Act (CISPA) (sponsor Mike Rogers, R-Mi) 11.30.11, passed House April 26, 2012 (248-168)
- H.R.326, Stop Online Piracy Act (SOPA) (sponsor Lamar Smith, R-Tx, 10.26.11)
- H.R. 4263, SECURE IT Act of 2012, 112th Congress, 2011-2012

12. Proposed Legislation: Senate
- S. 3414
- S. 3342
- S. 2105, Cybersecurity Act
  - sponsors Lieberman (D-Cn) & Collins (R-Ma)
- S. 2151, Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 (SECURE IT) (sponsor J. McCain, R-Az)
- S. 968, Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act (PROTECT IP Act or PIPA)
  - sponsor P. Leahy, D-Vt, 5.12.11

13. Presidential Exec. Order
- Are EOs Const.? Or Audacious Royal Decree?
  - Art. II, § 1, cl. 1: Executive Pwr in Pres.
  - Art. II, § 1, cl. 1: Pres. Duty: Faithful Execution
- Pres. Decision Directives / Exec. Orders
  - Legal Equivalence to Statutes
  - Typically to enforce existing law BUT
  - Over 14,000, many pre-; add PDDs > 300/Pres.
- Many Pres. have Usurped Congress
  - Ike, Harry, FDR
- How Might Congress Usurp Exec. Orders?

14. HSPD No. 7 (rev?)
- Finance, Energy & Cyber Infrastructures Cross-Cutting
- Business & Government Partnerships
- Sector-Specific Lead Agencies
- See Bagby, John W., Evolving Institutional Structure and Public Policy Environment of Critical Infrastructures, 9 Speakers J. Pa. Policy 187-204 (Sp. 10)
- Strategies
  - U.S. Govt. Architecture: Resilience
  - Information Exchange
  - Implement Integration & Analysis
  - Also R&D, DHS lead, Nat'l Plan

15. Presidential Exec. Order
- EO 13,587 (2010 Policy Document)
- Presidential Policy Dir. No. 20 (PPD20, 10.?.12, classified doc.)
  - Reportedly
    - sets broad & strict cyber-security standards for federal agencies
    - distinguishes network defense from cyber operations
    - Establishes vetting process
    - updates W's NSPD54 (08, classified)
    - violates domestic prohibition of military action
  - FOIA Request to NSA, E.P.I.C. 11.14.12 (seeking public release of PDD20)
  - NSA Reply to E.P.I.C., FOIA Case No. 69164 (11.20.12) (denying FOIA request for PDD20, citing classified document under Exec. Order 13526, exempt under FOIA Exempt. 5 by NSS designation)

16. Regulatory Action: SEC
- Cybersecurity, SEC Disclosure Guidance, CF Topic 2 (10.13.11)
- What? Issuer Risks, Costs, Consequences
  - Cybersecurity Risks defined
    - technologies, processes & practices designed to protect networks, systems, computers, programs & data from attack, damage or unauthorized access
  - Remediation, CyberSecurity Protection Expense, Revenue Loss, Goodwill/Reputation, Litigation
- Disclose How? If Material then Where?
  - Risk Factors, MD&A, Bus. Description, Litigation (pre-incident risks, post-incidents).

17. Externalities of Proposed Solutions
- Information Sharing
  - Public Disclosure (e.g., SEC) Invites
    - Liability Litigation (SH, investor, customer/client)
    - Copycat Intrusion to Further Exploit Signaled Vulnerability
  - Incentivizes Industry Collusion
    - So What if Trade Assns Seek Antitrust Immunity?
- Mandatory Rules-Based/Design Standards
  - Impose High Compliance Costs
    - EX: encryption, bandwidth hog, degrades performance
  - Inappropriate for Some Industries
  - Dis-incentivizes Innovation, Locks-In Old Tech

18. Externalities of Proposed Solutions
- Laissez Faire: Rely on Market Discipline
- Standardization
  - Best Practice, Guidelines, Voluntary Consensus, Industry-Specific, NIST models, Regulatory Imposition
  - PCI: encryption, firewalls, IDs & p/ws (rules-based stds)
- Direct by DHS or Sector-Specific Regulator
  - G/L/B PII Safeguards Rule (principles-only stds)
  - HIPAA PHI Security Rule (principles-based stds)
- Expand Direct Regulation thru DoD & IC
  - Long History of Successful Imperialism
    - Militias & Army on US Frontier, 17th-19th Century
    - Colonialism: Various Navies protect trade routes

19. Externalities of Proposed Solutions
- Regulatory Liability ex post
  - Permits resolution thru deference to regulatory expertise (Chevron v. NRDC)
- Civil Liability ex post
  - Maximizes freedom ex ante until uncertain limit reached
  - C/L more efficient than market discipline or ex ante regulation (R. Posner)
- Sneaking in the Back Door: Rootkits, Trojans
- Strange Bedfellows?!? CyberNauts, Civil Libertarians

20. Cyber-Infrastructure Protection War Room
- War Room: concentration of information, hypotheses, testing assertions & debate to enable resolution
- Can be physical and/or virtual
  - analyzed from centralized data hosting & data-mining of diverse open & proprietary information resources
- Enable decision-making thru ubiquity, lower transaction costs & ease of communication
- Crises make War Rooms useful
- See http://faculty.ist.psu.edu/bagby/CyberInfrastructureProtection/

21. War Rooms
- Some Prior Examples
  - Enron
  - BP Macondo Well
  - Post-9.11 Electronic Surveillance
- Current
  - http://faculty.ist.psu.edu/bagby/CyberInfrastructureProtection/
  - http://jobsact.ist.psu.edu
  - http://SportsAntitrust.ist.psu.edu

22. Churchill's Second World War Rooms

23. Modern War Room Origins
- Derived from actual war time hostilities
  - Originally Centralized Physical Location
  - Information Gathering
  - Expertise Applied for Sense-Making
  - Enables Strategic Planning
  - Expert Analysts' Findings
  - Informs Decision-Makers
- Traditional Physical War Room Features
  - Walls project images, maps, data
  - Informs Analysis & Planning

24. Cold War Room

25. Modern Electronic War Room
- Invest in war room facilities, training & readiness
  - Justified for high stakes campaign
- Concentration of information, hypotheses, testing assertions, debate, command & control, decision-making
  - Transaction & communication costs reduced
- Public Policy Derivations
  - Adapted to litigation, pre-trial discovery, political campaigns & crisis management
  - Crises are particularly useful organizing principles
- Document Repositories
  - Provide easy access to robust literature, primary/secondary docs
  - Selective Availability to defined group(s)
  - Strategic choice: public accessibility

26. Virtual War Rooms
- Various Locations: Security, Defense, Cost
- Dispersed Actors
  - Connected Electronically to Info Repositories
  - Public Internet connections vs. secure lines
  - Communications nerve center(s)
- eDiscovery in the Cloud
  - What is the Cloud's Street Address Again?
  - That's an in rem lawyer's joke
- Closed systems preserve confidentiality
- Open systems trade off confidentiality
  - May Destroy Confidentiality & Privacy

27. CrowdSource Investigations
- Online Collaboration Lowers Costs/Barriers
  - Access many people, each performs subset of tasks
- Crowd Source Scholars May Argue
  - 1st: Central authority organizes, sets narrow task, vets before decision-making
  - Here, grassroots impetus is eventually focused
- Independent Investigative Journalism
  - Cite to D. Tapscott & A.D. Williams; P. Bradshaw
- Derived from social networks (SN) & wikis
  - Website encourages crowdsource content mgt
  - Ward Cunningham: "simplest online database"
- Design options
  - Confidentiality; group expertise, size & dedication; raw data vs. deep analysis through Sense Making