In this article I ponder whether or not legislation and regulation are a viable means of making people and organizations do a better job of securing data systems and devices. In other words, I'm not talking about FIAT the car maker, but fiat: "an official order given by someone who has power."
[Please note: a version of this article first appeared in the September 2013 issue of Virus Bulletin and is reproduced here by kind permission of Virus Bulletin, a great source of objective information about information security.]
[Also note: several links in this article point to U.S. government websites that were closed at the time this was published; I just hope for all our sakes that they open again, soon.]
Is cybersecurity by fiat DOA?
Government-sponsored efforts to improve cybersecurity are currently underway in several parts of the world, including the USA, the UK, and the EU, but will they accomplish their goals? The answer has serious implications for many groups of people, from security practitioners to taxpayers, CIOs and CISOs, intelligence agencies and the military. Depending on your perspective, not all of the implications are positive.
I recently participated in the latest American endeavor to secure all things cyber and critical by attending the Third Cybersecurity Framework Workshop, organized by the National Institute of Standards and Technology (NIST). As you may know, something called Executive Order 13636 directed NIST to "work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure".
I respect NIST as one of the rare government agencies that, like the Federal Trade Commission, just seem to get on with doing useful things, including the distribution of useful information (notably the Special Publication 800 series). A lesser agency might have balked when asked to create a cybersecurity framework "in an open manner with input from stakeholders in industry, academia and government, including a public review and comment process, workshops and other means of engagement". But so far, NIST seems to be rising to that challenge.
At the workshop I attended, over 300 participants were split into eight working groups, led by a team of facilitators who did a great job of taking input from all sides. The starting point was a draft outline of the framework, based on the two previous workshops. As we evaluated the work so far, there was a lot of learned and considered discussion, but one point of friction did emerge: fear that this voluntary framework, once completed and approved, will become a stick with which to beat companies into compliance. Might a law be passed to punish companies that do not comply with the framework? The folks from NIST insisted they had no interest in seeing this happen, but some attendees eyed the Department of Homeland Security attendees with suspicion.
And that brings us to malware. It might seem like a stretch, but please bear with me and turn to the Code of Federal Regulations 45 CFR 164.308(a)(5)(ii)(B). This is the Health Insurance Portability and Accountability Act (HIPAA) security rule that states that a Covered Entity must implement "Procedures for guarding against, detecting and reporting malicious software". For years now, compliance with this rule has been the law in the USA, enforced with financial penalties running into millions of dollars. Now turn to page 16 of the Ponemon Institute’s Third Annual Benchmark Study on Patient Privacy & Data Security. Larry Ponemon’s team conducted 324 interviews and compiled stats on 80 healthcare organizations.
When the results of the study were published last year, the headline was that 94% of healthcare organizations had experienced at least one data breach in the past two years, and 45% reported more than five incidents in that period. Figure 13 in the report ("Measures to ensure devices are secure enough to connect to the network") shows that a staggering 46% of healthcare organizations don’t engage in any of seven listed measures to protect critical systems. Only 23% insist on having anti-malware on mobile devices that connect to the network, and only 21% scan devices for malware prior to connection. Sadly, there are many more data points beyond the Ponemon study.
For me, this all adds up to a strong case for saying that you can't legislate security. A voluntary framework might help, but as several of my fellow attendees at the NIST workshop pointed out: information security requires serious willpower and commitment. Absent that, regulation is apt to do more harm than good.
For more on the NIST cybersecurity framework for critical infrastructure, see these We Live Security articles. You can also check NIST.gov when it re-opens; the August update of the draft should be available there (.pdf).