As I write this article, there are currently more than 10 different bills being evaluated in various Congressional committees, all of which address some aspect of cybersecurity.
Many of these bills are large, over-arching concepts – FISMA 2.0 and the like. But many others are being developed to address the specific risks and threats of certain types of systems, from “critical infrastructure” (generally regarded as the assets associated with energy production and distribution, the food supply, and national defense), to financial systems, healthcare and pharmaceuticals, and other industries. Many of these bills – if passed and signed into law – will mandate industry-specific security controls, risk calculations, and other requirements for private organizations.
While there’s no doubt that some industries – too important to our national security to fail – require a degree of cybersecurity governance that goes beyond most others, I would argue that Congress is not the place to mandate the details of those cybersecurity controls. The problem with this approach is one that has plagued cybersecurity regulation for years: technology changes quickly and is very “micro”-focused, whereas these regulations are meant to be long-term, “macro”-focused mandates. In other words, technology gets so far ahead of regulatory mandates that, oftentimes, the laws themselves are functionally obsolete by the time they take effect.
How do we get out of this cycle?
I think the most effective solution is for legislation to focus much less on specific security and privacy controls, and much more on outcomes: things like minimizing calculable risks and reducing breaches of confidential data. Federal legislation needs to focus on these high-level objectives, but most importantly, it needs to avoid mandating the specifics of how organizations – and in particular, private industry – go about achieving those goals.
Perhaps the best example of how to do this lies in the past: HIPAA. HIPAA was really the first federal-level legislation that took an outcomes-based approach to both security and privacy. The HIPAA statute itself didn’t tell organizations to establish minimum password lengths on all their systems, nor did it mandate role-based access controls for healthcare data. Instead, HIPAA focused on ensuring that an important type of data – in this case, protected health information – was maintained in a secure manner.
What made HIPAA different was that the law deferred the details to existing bodies that understood the nuances of healthcare information management far better than Congress did: the Department of Health and Human Services and its component CMS, accreditors such as JCAHO, and (as of last year) HHS’s Office for Civil Rights were given the task of developing the details and conducting audits. This model – relying on existing federal agencies that already regulate and (in particular) audit private-sector verticals – makes far more sense than mandating detailed security controls at the highest level of government.
Agencies already exist to provide detailed regulatory guidance to specific industries, including financial services (the SEC, FINRA, SIPC, FDIC, FFIEC and others), healthcare (DHHS, CMS, JCAHO, and OCR), energy (FERC), pharmaceuticals (FDA), and others. Moreover, private industry has already built extensive communication channels with these agencies: banks and credit unions know intimately well how to obtain and interpret FDIC and FINRA mandates, hospitals have tools to receive guidance from JCAHO and CMS, and energy distributors constantly evaluate requirements from FERC and NERC. These existing communication frameworks should be respected in the legislative process. Congress should be responsible for establishing the “who”, “when” and “what” of cybersecurity – but these agencies should be responsible for establishing, communicating and auditing the “how”.
As we move into an era where new technologies – mobile devices, cloud computing, and others – lead to new and previously unforeseen threats, it will be critical for Congress to ensure that it doesn’t hamper either federal agencies or private industry by adding layers of prescriptive management that overshadow the experienced, knowledgeable agencies that better understand the specific nuances, capabilities and limitations of the industries they regulate.