Well-intentioned Legislators Miss the Mark

Hatteras Hoops
Dec 3, 2022


The Flawed Cybersecurity Act

INTRO

The Cybersecurity Act of 2015 (The Act) was a legislative effort that took the better part of two decades to enact. Government, industry, and legislative responses were subdued, since The Act was lauded as little more than a “little step” and a “good first step” by technology and policy expert James Lewis, Ph.D. [1] The Act sought to encourage data sharing between the commercial market and government bodies, to protect companies from related liabilities, and to enhance the U.S. Department of Homeland Security’s (DHS) role as the chief cybersecurity data sharing broker and advocate between government and commercial organizations. [2]

Yet some see The Act as corrosive to government-industry relations. [2] In 2015, implementing The Act appeared to be the U.S. government’s first step forward despite the uncertainty about its impacts. The critical insights that have formed from collective commentary over time provide a basis from which to assess that impact. The design made an impact, but not the one its architects likely had in mind. These observations can be used to inform improvements in this complex policy landscape.

“security is not efficient, and privacy is not easy”

EFFECTS

The architects of The Act (H.R. 2029–694 [3]) changed government and commercial sector responsibilities in ways they did not envision. While the intent was earnest, the result has been to drive commercial and enforcement entities further apart from one another. Supporters of The Act were in line with Dr. Lewis: each imagined incremental improvement, acknowledging that The Act was not a silver bullet. Senator Susan Collins (R-ME) compared cyber-attacks to infectious disease reporting mandates, highlighting how The Act would resolve that gap in federal policy. Former Representative Nuñez even went as far in 2015 as to suggest that “sharing…can’t do any harm.” [2]

Others saw The Act as flawed: the threat was well known, whereas securing private data is less well understood. Elissa Shevinsky, Chief Product & Technology Officer for an array of technology companies and an evangelist of data privacy as public policy [4], commented on the divergence between policy and reality. Shevinsky stated that The Act was at odds with her own corporate privacy policy. She opined that the focus should be to “build and enforce real security,” nodding to the fact that safeguarding privacy is not such an easy task. She sees enforcement agencies often performing below the standard that they themselves enforce in the marketplace. Even Dr. Lewis acknowledged that The Act lacked any real authority, failed to incentivize sharing and relationships, and provided only positive performance indicators, measuring The Act’s performance as a reduction in systems penetrated and in the volume of data lost. [2] The architects of The Act may not have realized how hard it is to prove a negative.

In 2019, the DHS Office of the Inspector General (OIG) published a report on the limited progress since The Act’s inception. OIG blamed the subdued impact on factors such as the low number of participants sharing indicators with DHS, delayed threat intelligence standards, and “insufficient CISA office staff.” [5] The Cybersecurity and Infrastructure Security Agency (CISA), a subordinate organization of DHS formed in 2018, [6] was, it appears, not staffed to meet the policy mandate. While DHS blamed these factors, it did not address the challenge in terms of authority or enforcement limitations. [5] This is incongruent with early opinions on the inadequacies of The Act, which was not formed to adequately address the complexity of the issue. This is not the result the architects had in mind.

IMPROVING AS-IS

Transformation from the current policy landscape to a functional stratum of nested policy will require major reforms. A key component of maturing U.S. policy on data sharing should be to define the privacy problem more clearly as an element of security-related societal concerns.

Government bodies need to demonstrate good will to the public and to corporate America. The federal government must take actions that include transparency and inclusion, in particular among those enforcement agencies seeking to enhance American collective defense and those seeking to police privacy infractions. Policy alone will not solve the challenges facing federal and corporate entities. Rigid requirements that provide little to no motivation are unhelpful to the larger cause.

The federal government must itself adopt those security and privacy standards. The legislative, judicial, and executive branches should lead the effort by enacting concepts the corporate world has pioneered, such as zero trust architecture (ZTA). Furthermore, blaming failures on staffing inadequacies does not sit well with the public. The problem is deeper and more endemic than headcount. In almost every case, the issue with putting thoughtful policy into action, and with the expertise in government needed to drive that change, boils down to aptitude, knowledge and experience, and compensation. A streamlined approach to standardized controls and maturity modelling can be achieved through investment in external expertise to drive a cleaner policy environment.

Some improvements are underway. Recent initiatives within the federal space seek to mature security practices, such as the directive for full-scale adoption of ZTA by the end of 2024. The executive branch has taken the initiative to improve the situation, [7] but more must follow, and legislation should match the exemplars set by other branches of government, with carrot and stick components to regulation. In 2019, over 31 of the 40 states that introduced legislation enacted laws that were cybersecurity-centric, but only limited language in those bills focused on the privacy-related components of data and trust. [8] The trend is positive, but the effort must consolidate and be directed toward a more comprehensive policy framework.

CONCLUSION

Wrangling related, interdependent, and independent policies into a streamlined policy framework will only get more complex. A more comprehensive and concise policy framework that drives local and state action through federal backing will be a better instantiation than The Act. Reforming legislative and executive policy aimed at security is overdue. More add-ons only complicate cohesive strategy, regulation, standards, enforcement, and compliance. The Act was motivated by a positive end state, but the problem statement it sought to solve was unclear and imprecise. There are good examples of policy that the U.S. should consider for its own optimized landscape, but in the end — security is not efficient, and privacy is not easy. It will take some true thought leadership to drive us through this muddy bog and arrive at a better vista.

REFERENCES:

[1] “James Andrew Lewis.” https://www.csis.org/people/james-andrew-lewis (accessed Dec. 03, 2022).

[2] “Will a new cybersecurity law make us safer?,” PBS NewsHour, Dec. 29, 2015. https://www.pbs.org/newshour/show/will-a-new-cybersecurity-law-make-us-safer (accessed Nov. 28, 2022).

[3] “H. R. 2029–694: CYBERSECURITY ACT OF 2015.” https://webcache.googleusercontent.com/search?q=cache:A7gtLl7y2mMJ:https://www.intelligence.senate.gov/sites/default/files/legislation/Cybersecurity-Act-Of-2015.pdf&cd=4&hl=nl&ct=clnk&gl=nl&client=firefox-b-d (accessed Dec. 03, 2022).

[4] “Elissa Shevinsky | LinkedIn.” https://www.linkedin.com/in/elissashevinsky/ (accessed Dec. 03, 2022).

[5] “DHS Made Limited Progress to Improve Information Sharing under the Cybersecurity Act in Calendar Years 2017 and 2018.” https://webcache.googleusercontent.com/search?q=cache:U371ZvPQ9TgJ:https://www.oig.dhs.gov/sites/default/files/assets/2020-09/OIG-20-74-Sep20.pdf&cd=12&hl=nl&ct=clnk&gl=nl&client=firefox-b-d (accessed Dec. 03, 2022).

[6] “ABOUT CISA | CISA.” https://www.cisa.gov/about-cisa (accessed Dec. 03, 2022).

[7] “M-22–09 Federal Zero Trust Strategy.” https://webcache.googleusercontent.com/search?q=cache:AifrWjbE5FkJ:https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf&cd=1&hl=nl&ct=clnk&gl=nl&client=firefox-b-d (accessed Dec. 03, 2022).

[8] “Cybersecurity Legislation 2019.” https://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2019.aspx (accessed Dec. 03, 2022).
