In the United States
government, Cyber-security regulation
is directives from the Executive Branch
that safeguards information technology
and computer systems
. The purpose of cyber-security regulation is to force companies and organizations to protect their systems and information from cyber-attacks. Cyber-attacks include viruses
, worms, Trojan horses, phishing
, denial of service (DOS) attacks, unauthorized access (stealing intellectual property or confidential information) and control system attacks. There are numerous measures available to prevent cyber-attacks. Cyber-security measures include firewalls
, anti-virus software
, intrusion detection and prevention systems, encryption
and login passwords. Federal and state governments in the United States have attempted to improve cyber-security through regulation and collaborative efforts between government and the private-sector to encourage voluntary improvements to cyber-security.
Reasons for cyber-security
The United States government believes the security of computer systems is important to the world for two reasons. The increased role of Information Technology (IT) and the growth of the e-commerce sector, have made cyber-security essential to the economy. Also, cyber-security is vital to the operation of safety critical systems, such as emergency response, and to the protection of infrastructure systems, such as the national power grid
Federal government regulation
There are few federal cyber-security regulations, and the ones that exist focus on specific industries. The three main cyber-security regulations are the 1996 Health Insurance Portability and Accountability Act, the 1999 Gramm-Leach-Bliley Act and the 2002 Homeland Security Act, which included the Federal Information Security Management Act
(FISMA). These three regulations mandate that healthcare organizations, financial institutions and federal agencies protect their systems and information . For example, FISMA, which applies to every government agency, “requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security.” But, these regulations do not address numerous computer related industries, such as Internet Service Providers
(ISPs) and software companies. Furthermore, these regulations do not specify what cyber-security measures must be implemented and require only a “reasonable” level of security. The vague language of these regulations leaves much room for interpretation. Bruce Schneier, founder of Cupertino’s Counterpane Internet Security, argues that companies will not make sufficient investments in cyber-security unless government forces them to do so. He also states that successful cyber-attacks on government systems still occur despite government efforts.
State government regulation
State governments have attempted to improve cyber-security by increasing public visibility of firms with weak security. In 2003, California
passed the Notice of Security Breach Act which requires that any company that maintains personal information of California citizens and has a security breach must disclose the details of the event. Personal information includes name, social security number
, driver’s license number, credit card
number or financial information. Several other states have followed California’s example and passed similar security breach notification regulations. These security breach notification regulations punish firms for their cyber-security failures while giving them the freedom to choose how to secure their systems. Also, this regulation creates an incentive for companies to voluntarily invest in cyber-security to avoid the potential loss of reputation and the resulting economic loss that can come from a successful cyber-attack.
In 2004, California passed California Assembly Bill 1950 which also applies to businesses that own or maintain personal information for California residents. This regulation dictates that businesses maintain a reasonable level of security and that these required security practices also extend to business partners. This regulation is an improvement on the federal standard because it expands the number of firms required to maintain an acceptable standard of cyber-security. However, like the federal legislation, it requires a “reasonable” level of cyber-security, which leaves much room for interpretation until case law is established.
Other government efforts
In addition to regulation, the federal government has tried to improve cyber-security by allocating more resources to research and collaborating with the private-sector to write standards. In 2003, the President’s National Strategy to Secure Cyberspace
made the Department of Homeland Security
(DHS) responsible for security recommendations and researching national solutions. The plan calls for cooperative efforts between government and industry “to create an emergency response system to cyber-attacks and to reduce the nation’s vulnerability to such threats.” In 2004, Congress allocated $4.7 billion toward cyber-security and achieving many of the goals stated in the President’s National Strategy to Secure Cyberspace.
Some industry security experts state that the President’s National Strategy to Secure Cyberspace is a good first step but is insufficient. Bruce Schneier stated that “The National Strategy to Secure Cyberspace hasn’t secured anything yet.” However, the President’s National Strategy clearly states that the purpose is to provide a framework for the owners of computer systems to improve their security rather than the government taking over and solving the problem. Yet, companies that participate in the collaborative efforts outlined in the strategy are not required to adopt the discovered security solutions.
The U.S. Congress has proposed numerous bills that expand upon cyber-security regulation. The Consumer Data Security and Notification Act
amends the Gramm-Leach-Bliley Act
to require disclosure of security breaches by financial institutions. Congressmen have also proposed “expanding Gramm-Leach-Bliley to all industries that touch consumer financial information, including any firm that accepts payment by a credit card.” Congress has proposed cyber-security regulations similar to California’s Notice of Security Breach Act for companies that maintain personal information. The Information Protection and Security Act requires that data brokers “ensure data accuracy and confidentiality, authenticate and track users, detect and prevent unauthorized activity, and mitigate potential harm to individuals.”
In addition to requiring companies to improve cyber-security, Congress is also considering bills that criminalize cyber-attacks. The Securely Protect Yourself Against Cyber Trespass Act (SPY ACT) is a bill of this type. This bill which focuses on phishing and spyware bill that was passed on May 23, 2005 in the United States House of Representatives and is currently in committee in the Senate. This bill “makes unlawful the unauthorized usage of a computer to take control of it, modify its setting, collect of induce the owner to disclose personally identifiable information, install unsolicited software, and tamper with security, anti-spyware, or anti-virus software.”
While experts agree that cyber-security improvements are necessary, there is disagreement about whether the solution is more government regulation or more private-sector innovation. Many government officials and cyber-security experts believe that the private-sector has failed to solve the cyber-security problem and that regulation is needed. Richard Clarke states that, “Industry only responds when you threaten regulation. If industry doesn’t respond [to the threat], you have to follow through.” He believes that software companies must be forced to produce more secure programs. Bruce Schneier also supports regulation that encourages software companies to write more secure code through economic incentives. U. S. Rep. Rick Boucher
) proposes improving cyber-security by making software companies liable for security flaws in their code. In addition, to improving software security, Clarke believes that certain industries, such as utilities and ISPs, require regulation.
On the other hand, many private-sector executives believe that more regulation will restrict their ability to improve cyber-security. Harris Miller, president of the Information Technology Association of America
, believes that regulation inhibits innovation. Rick White, President and CEO
, also opposes more regulation. He states that, “The private-sector must continue to be able to innovate and adapt in response to new attack methods in cyber space, and toward that end, we commend President Bush and the Congress for exercising regulatory restraint.” Another reason many private-sector executives oppose regulation is because it is costly. Firms are just as concerned about regulation reducing profits as they are about regulation limiting their flexibility to solve the cyber-security problem efficiently.
- " A chronology of data breaches reported since the ChoicePoint incident" (2005). Retrieved October 13, 2005.
- " Does good cybersecurity require government regulation?" (2005). Retrieved December 4, 2005.
- " Electronic privacy information center bill track: Tracking privacy, speech and civil liberties in the 109th congress" (2005). Retrieved October 23, 2005.
- " How computer viruses work" (2005). Retrieved October 10, 2005.
- " The National Strategy to Secure Cyberspace" (2003). Retrieved December 14, 2005.
- " Notice of security breach - civil code sections 1798.29 and 1798.82 - 1798.84" 2003). Retrieved October 23, 2005.
- " Richard Clarke interview" (2003). Retrieved December 4, 2005.
- Gordon, L. A., Loeb, M. P., Lucyshyn, W. & Richardson, R. (2005). " 2005 CSI/FBI computer crime and security survey" Retrieved October 10, 2005.
- Heiman, B. J. (2003). Cybersecurity regulation is here. RSA security conference, Washington, D.C. Retrieved October 17, 2005.
- Kirby, C. (2003, December 4, 2003). Forum focuses on cyber-security. San Francisco Chronicle.
- Lemos, R. (2003). " Bush unveils final cybersecurity plan" Retrieved December 4, 2005.
- Menn, J. (2002, January 14, 2002). Security flaws may be pitfall for Microsoft. Los Angeles Times, pp. C1.
- Rasmussen, M., & Brown, A. (2004). " California Law Establishes Duty of Care for Information Security" Retrieved October 31, 2005.
- Schmitt, E., Charron, C., Anderson, E., & Joseph, J. (2004). " What Proposed Data Laws Will Mean for Marketers" Retrieved October 31, 2005.