The US and India face significant cyber security threats that jeopardise critical infrastructure, the freedoms that democracies exercise online and the economic viability of businesses. The cyber security status quo is unstable, especially considering the enormous and growing scope of these threats, particularly to the private sector. To mitigate these threats, this chapter provides a framework for legislative action that harnesses the power of US and Indian industry and ingenuity, while safeguarding the freedoms and privacy of individual citizens. Through dynamic and cost-effective solutions, our respective lawmakers can make cyberspace a safer and more productive place.

The latent nature of this threat leads many in the private sector to forgo investment in security because it has not yet harmed their organisation or because they mistakenly believe that they have nothing a cyber adversary would want. More important, they misunderstand that their own cyber insecurity has collateral effects on others―effects for which they are responsible. There is, therefore, a role for the central government to encourage actions that will improve the overall cyber security posture. That role, however, is not to set mandatory regulations. As the US Government Accountability Office (GAO) has found, such an approach would be more like an anchor holding back US entities without providing additional security.<1>

India and the US should reject a regulatory approach and adopt legislation that will actually improve cyber security. Such legislation must be able to adjust to the continuously developing challenge that is today’s cyber environment. Additionally, any legislation must provide robust protection for privacy and individual freedoms. There are five key components that need to be included in truly effective cyber legislation:

  1. Enabling information sharing instead of mandating it;
  2. Encouraging the development of a viable cyber security liability and insurance system;
  3. Creating a private-sector structure that fosters cyber supply chain security ratings;
  4. Defining limited cyber self-defence standards for industry; and
  5. Advocating more private-sector efforts to promote general awareness, education and training across America.

Regulation Is Not the Answer

Proponents of a regulatory approach believe that regulation will improve the general cyber security posture. The problem is that heavy-handed government regulation is a 19th-century solution to a 21st-century problem. It simply will not help. Such proponents claim that “doing anything” is better than “doing nothing.” In fact, the regulatory approach can make matters worse than doing nothing. A network of regulations will force a slow and static compliance culture on the most dynamic technology the world has ever known. It will set a standard that will do nothing more than offer an invitation to adversaries in cyberspace. They will know that regardless of what that standard is, they only need to exceed it by the slightest bit to do severe damage. This clearly will not suffice if the goal is to improve the national cyber security posture instead of “just doing something” so that politicians and the public can feel better.

Regulation, particularly federal regulation, is slow, cumbersome and static. Once in place, regulations are very difficult to remove or even change. This is precisely the wrong approach for dealing with the fast-moving and incredibly dynamic field of cyber security. Cyber security regulations will already be outdated on the day they are issued―and quick updates will not be possible. Faced with a slow, static standard, hackers, whether working independently or for another government, will easily circumvent the standard.

There Is a Real Issue Here

While there is disagreement over the correct role of the federal government in cyber security, there is little disagreement that something must be done to improve cyber security. The threats that India and the US face from adversaries in the cyber realm are real and daunting. Indeed there are three tiers of cyber threats to consider. First, cybercrime hits many Indians and Americans in the form of identity theft, phishing or cyber vandalism. These crimes are usually committed by individual criminals, so-called hacktivists, or criminal organisations, and represent the most common form of cyber threats. Next is the threat of cyber espionage. Espionage pursues large, important targets, such as military blueprints or proprietary business plans, and is often state-sponsored. Finally, while cyber crime and espionage are serious problems, the US and India also face a threat from cyber warfare. The ability to impair the functioning of critical systems, as a stand-alone attack or in connection with a kinetic attack, is a worrisome proposition. Taking down communications, transportation or other systems would severely impair the US response to a physical attack, increasing the damage sustained.

Nearly everyone understands that to deal with such serious problems, the respective federal governments have a role to play. Cyber legislation should contain the following six major components if it is to actually lower the risk to private sector businesses and be sufficiently flexible to avoid a static culture of compliance.

Information Sharing is the Key

The first element of any legislation must be to enable and foster information sharing between the public and private sectors, and among private-sector entities themselves.

Effective information sharing is a critical and fundamental part of today’s cyber security measures. Various organisations and government agencies collect and analyse information regarding cyber threats and vulnerabilities. Examples of the types of shared information include analysis of a completely new cyber attack that penetrated an entity’s system, or the discovery of a hole in the coding of a piece of software. This information is helpful to all cyber security actors, as it allows them to prepare for these threats and patch or disable offending software.

Unfortunately, critical data on threats and vulnerabilities often remains locked within each company or organisation due to different concerns and fears. These include fear of liability if shared information turns out to be wrong or causes unintended damage; concerns that sharing information could put proprietary information within the reach of Freedom of Information Act (FOIA) requests by competitors; and worries that shared information might be used against a company by regulators.

Our governments have their own rules, concerns and processes that inhibit information sharing on their part. While these processes must be respected, they should not be considered sacrosanct. For example, the government is reluctant to share intelligence for fear of revealing classified “sources and methods.” This reluctance should be overcome by more appropriate classification of information and providing more clearances to appropriate personnel in the private sector. By opening up the process, industry’s confidence, trust and ability to work with the government will improve, increasing opportunities for private and public collaboration.

There are four steps that can be taken to enable and encourage the needed cyber information sharing. First, we must remove barriers to voluntary private-sector sharing. Voluntary sharing will also allow organisations with manifest privacy concerns to simply avoid sharing their information, while still receiving helpful information from the government and other organisations.

Second, those entities that share information about cyber threats, vulnerabilities and breaches should have legal protection. The fact that they shared data about an attack, or even a complete breach, with the authorities should never open them up to legal action. This is one of the biggest hindrances to sharing today, as it seems easier and safer to withhold information than to share it, even if it will benefit others. Strong liability protection is critical to expanding information sharing.

Third, the information that is shared must be exempted from governmental systems like the US FOIA requests and use by regulators. Without such protection, a competitor can get its hands on potentially proprietary information through an FOIA action. Alternatively, if information is shared with a regulator, it will dampen voluntary sharing, since organisations will fear a backlash from regulators, who could use shared information to penalise a regulated party or tighten rules.

Fourth, the government must be compelled to share information and intelligence with the private sector much more quickly and completely than it currently does. If that is not done, the private sector will never feel confident that it is truly a partner in the fight to maintain the security of computer networks.

Cyber Insurance Will Encourage Responsibility

The creation of a workable liability system often naturally leads to the development of an insurance system against liability. The insurance function allows a further spreading of risk in a way that fosters broad private sector responsiveness. With enough data, insurance companies routinely and efficiently price the comparative costs and benefits of preventative actions and required cost-effective protective measures as a condition of insurance. Indeed, in maturing markets, insurance companies often take the lead in setting reasonable standards of care.

Cyber Supply Chain Security Is Essential

One of the biggest holes in the global cyber system is in the area of supply chain security, especially hardware and key infrastructure components.

Once malicious hardware has been built into a chip, a hardware attack can be initiated and can act in a wide variety of ways. An attack can be internally triggered, based, for example, on the arrival of a particular calendar day. Alternatively, an external trigger could be hidden within data sent by an attacker. More complex hybrid triggers could also be used. For example, a malicious circuit hidden within a GPS chip could be configured to attack only when the chip is located in a specific geographical area after a certain date.

This risk must be mitigated without impairing the highly effective global system that keeps cutting-edge technology affordable and accessible to most people. The American Open Group consortium, an organisation focused on improving businesses through IT standards, has developed the most viable model to deal with the supply chain, and it should be adapted by Congress. An effective cyber policy should establish a nonprofit organisation that will evaluate and accredit technology companies’ supply chain security, even to the point of giving them grades.

For example, if a company has outstanding supply chain security across its entire global process, it would receive a high grade. Another firm might have a less comprehensive system and only receive a middling grade. Those companies with the highest grades would be able to charge higher prices for their technical equipment and software than companies with lower grades. This has the benefit of giving the consumer a way to “vote” on the level of security he or she feels is adequate and make better risk-based decisions on the acquisition of technical equipment. If an organisation needs multiple systems for a certain budgeted amount, it might have to buy from a company with a lower grade. Again, market forces would push companies to have better security in order to have a competitive advantage, while allowing the consumer to make more informed choices.

Cyber Self-Defence to Utilise All Assets

Presently, there are no well-defined rules to tell businesses what they can and cannot do to establish self-defence mechanisms in the cyber domain.

Our respective law enforcement, military and intelligence communities are not capable of addressing all cyber breaches and attacks that occur across the growing network of the cyber realm. At the same time, many companies have internal capabilities to fight back against those who threaten to pillage their intellectual property or corrupt their critical data. This is not to advocate making the Internet more of a Wild West environment than it already is―quite the contrary. It is an attempt to codify rules within which cyber self-defence can take place. These would need to be realistic and have provisions to inform and foster cooperation with law enforcement. They would also have to allow actions beyond simple static defensive measures. This would clearly be a controversial component, but nonetheless an important one.

Awareness, Education and Training Are Often Forgotten

People in both the US and India are aware that there is a problem with securing the cyber domain. They hear about it regularly on the news, and know, abstractly, that it is there. The difficulty is that they receive mixed messages. What the public lacks is consistent, accurate and up-to-date information. More must be done by the private sector and local organisations to bring this issue to the attention of the public.

There must also be a viable programme of professional base-level training for the general non-IT workforce, which it should be encouraged to undergo. Nearly every job now involves the use of digital devices in some aspect or other. The general workforce must receive continuing education that goes beyond the present systems which accomplish little beyond checking off a box. These cyber “survival skills” should employ a dynamic curriculum, developed by the private sector, which keeps the workforce current and prevents it from being easily victimised. Any legislation should acknowledge this and encourage meaningful but dynamic training from non-governmental sources.

A Cyber Security Policy that Works

The US and India should both pursue a unified cyber security policy that avoids a cumbersome and expensive regulatory approach and includes the five key elements that will produce truly dynamic cyber security defences. Such an approach should:

  • Enable cyber information sharing by removing ambiguities, providing strong protections to sharers and establishing a public-private partnership to facilitate sharing. Entities that share cyber security information need certain protections. These protections include exempting all shared information from information search requests and regulatory use, and providing information sharers with strong liability protection. Effective information sharing requires the government to share fully―and in a timely manner―with the private sector through a public-private partnership.
  • Promote the development of a viable cyber security insurance system. Liability for irresponsible cyber security actions should be established. Ultimately, such a system returns cyber security liability to those who are largely responsible for cyber security losses. The natural establishment of a cyber insurance community will then assist in the administration of risk assessments and foster improved security methodologies.
  • Encourage the creation of cyber supply chain security ratings. Such ratings should be granted by a nonprofit organisation that will assess the surety of an organisation’s supply chain. With such ratings available, consumers will be able to make risk-based decisions and support better security by tying it to their profit motive.
  • Clarify boundaries and standards for cyber self-defence. The terms of an entity’s right to self-defence must be set within reasonable limits. Such terms would allow entities with the correct capabilities to take active measures to protect themselves without usurping the responsibility or authority of the government.
  • Advocate more private-sector awareness, education and training for the general population. Such an effort will ensure that the public becomes an asset, not a liability, in the struggle. Making the public more aware, without hype or feel-good security measures, is a start. Ongoing cyber education for the general workforce must also be promoted through standardised yet dynamic education programmes, most likely originating in the private sector. This must be a major priority, not a minor ancillary effort.

Cyber security is one of the most critical issues we face today. The threats are real and the need is pressing. Despite the best intentions of those involved, a regulatory basis simply will not work. It will not improve security and may actually lower it by providing a false level of comfort and tying the private sector down with outdated regulations. Cyberspace’s dynamic nature must be acknowledged and addressed by policies that are equally dynamic, and that leverage market forces.

This article originally appeared in “Indo-US Cooperation on Internet Governance and Cyber Security”, a joint research project of the Observer Research Foundation and the Heritage Foundation, published in October 2014.

<1> US Government Accountability Office, Cybersecurity: Challenges in Securing the Electricity Grid, GAO-12-926T, July 17, 2012, at http://www.gao.gov/assets/600/592508.pdf.

The views expressed above belong to the author(s).