Cyber-security regulation
In the United States, cyber-security regulation comprises directives from the Executive Branch and legislation from Congress that safeguard information technology and computer systems. The purpose of cyber-security regulation is to force companies and organizations to protect their systems and information from cyber-attacks. Cyber-attacks include viruses, worms, Trojan horses, phishing, denial of service (DoS) attacks, unauthorized access (stealing intellectual property or confidential information) and control system attacks. There are numerous measures available to prevent cyber-attacks, including firewalls, anti-virus software, intrusion detection and prevention systems, encryption and login passwords. Federal and state governments in the United States have attempted to improve cyber-security both through regulation and through collaborative efforts between government and the private sector that encourage voluntary improvements to cyber-security.

Reasons for cyber-security

The United States government considers the security of computer systems important for two reasons. First, the increased role of information technology (IT) and the growth of the e-commerce sector have made cyber-security essential to the economy. Second, cyber-security is vital to the operation of safety-critical systems, such as emergency response, and to the protection of infrastructure systems, such as the national power grid.

Federal government regulation

There are few federal cyber-security regulations, and the ones that exist focus on specific industries. The three main cyber-security regulations are the 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley Act and the 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA). These three regulations mandate that healthcare organizations, financial institutions and federal agencies, respectively, protect their systems and information. For example, FISMA, which applies to every federal agency, "requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security." But these regulations do not address numerous computer-related industries, such as Internet service providers (ISPs) and software companies. Furthermore, they do not specify which cyber-security measures must be implemented and require only a "reasonable" level of security. The vague language of these regulations leaves much room for interpretation. Bruce Schneier, founder of Cupertino's Counterpane Internet Security, argues that companies will not make sufficient investments in cyber-security unless government forces them to do so. He also states that successful cyber-attacks on government systems still occur despite government efforts.

State government regulation

State governments have attempted to improve cyber-security by increasing public visibility of firms with weak security. In 2003, California passed the Notice of Security Breach Act, which requires that any company that maintains personal information of California residents and suffers a security breach must disclose the details of the event. Personal information includes a name combined with a social security number, driver's license number, credit card number or financial information. Several other states have followed California's example and passed similar security breach notification regulations. These breach notification regulations punish firms for their cyber-security failures while giving them the freedom to choose how to secure their systems. The regulation also creates an incentive for companies to invest voluntarily in cyber-security, to avoid the loss of reputation, and the resulting economic loss, that can follow a successful cyber-attack.

In 2004, California passed California Assembly Bill 1950, which also applies to businesses that own or maintain personal information about California residents. This regulation dictates that businesses maintain a reasonable level of security and that these required security practices also extend to business partners. It is an improvement on the federal standard because it expands the number of firms required to maintain an acceptable standard of cyber-security. However, like the federal legislation, it requires only a "reasonable" level of cyber-security, which leaves much room for interpretation until case law is established.

Other government efforts

In addition to regulation, the federal government has tried to improve cyber-security by allocating more resources to research and by collaborating with the private sector to write standards. In 2003, the President's National Strategy to Secure Cyberspace made the Department of Homeland Security (DHS) responsible for security recommendations and for researching national solutions. The plan calls for cooperative efforts between government and industry "to create an emergency response system to cyber-attacks and to reduce the nation's vulnerability to such threats." In 2004, Congress allocated $4.7 billion toward cyber-security and toward achieving many of the goals stated in the President's National Strategy to Secure Cyberspace.

Some industry security experts state that the President's National Strategy to Secure Cyberspace is a good first step but is insufficient. Bruce Schneier stated that "The National Strategy to Secure Cyberspace hasn't secured anything yet." However, the President's National Strategy clearly states that its purpose is to provide a framework for the owners of computer systems to improve their own security, rather than for the government to take over and solve the problem. Companies that participate in the collaborative efforts outlined in the strategy are not required to adopt the security solutions that those efforts produce.

Proposed regulation

The U.S. Congress has proposed numerous bills that expand upon cyber-security regulation. The Consumer Data Security and Notification Act amends the Gramm-Leach-Bliley Act to require disclosure of security breaches by financial institutions. Congressmen have also proposed "expanding Gramm-Leach-Bliley to all industries that touch consumer financial information, including any firm that accepts payment by a credit card." Congress has proposed cyber-security regulations similar to California's Notice of Security Breach Act for companies that maintain personal information. The Information Protection and Security Act requires that data brokers "ensure data accuracy and confidentiality, authenticate and track users, detect and prevent unauthorized activity, and mitigate potential harm to individuals."

In addition to requiring companies to improve cyber-security, Congress is also considering bills that criminalize cyber-attacks. The Securely Protect Yourself Against Cyber Trespass Act (SPY ACT) is a bill of this type. The bill, which focuses on phishing and spyware, was passed on May 23, 2005 in the United States House of Representatives and is currently in committee in the Senate. It "makes unlawful the unauthorized usage of a computer to take control of it, modify its setting, collect or induce the owner to disclose personally identifiable information, install unsolicited software, and tamper with security, anti-spyware, or anti-virus software."

Pro-regulation opinions

While experts agree that cyber-security improvements are necessary, there is disagreement about whether the solution is more government regulation or more private-sector innovation. Many government officials and cyber-security experts believe that the private sector has failed to solve the cyber-security problem and that regulation is needed. Richard Clarke states that, "Industry only responds when you threaten regulation. If industry doesn't respond [to the threat], you have to follow through." He believes that software companies must be forced to produce more secure programs. Bruce Schneier also supports regulation that encourages software companies to write more secure code through economic incentives. U.S. Rep. Rick Boucher (D-VA) proposes improving cyber-security by making software companies liable for security flaws in their code. In addition to improving software security, Clarke believes that certain industries, such as utilities and ISPs, require regulation.

Anti-regulation opinions

On the other hand, many private-sector executives believe that more regulation will restrict their ability to improve cyber-security. Harris Miller, president of the Information Technology Association of America, believes that regulation inhibits innovation. Rick White, President and CEO of TechNet, also opposes more regulation. He states that, "The private-sector must continue to be able to innovate and adapt in response to new attack methods in cyber space, and toward that end, we commend President Bush and the Congress for exercising regulatory restraint." Another reason many private-sector executives oppose regulation is its cost. Firms are just as concerned about regulation reducing profits as they are about regulation limiting their flexibility to solve the cyber-security problem efficiently.

See also

  • Computer security
  • National Strategy to Secure Cyberspace
  • National Cyber Security Division
  • United States Department of Homeland Security
  • US-CERT
  • CERT Coordination Center
  • National Security Directive
  • Cyber security standards

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.