The White House recently released its long-awaited cybersecurity legislative proposal, finally adding its voice to the ongoing debate over government cybersecurity authorities. This is the first of a four-part analysis from CDT of various elements of the Administration’s far-reaching package. Part II, Part III, Part IV
Part I: Emergency Powers, Regulation, and the ‘Call Switch’
This first post discusses an issue that has been at the heart of the debate: Whether and to what extent the government should set or influence standards for private sector networks deemed to be “critical” and enforce compliance with those standards. Approaches can range from telling the private sector to take risk management into account all the way to giving the government the power to dictate private-sector network security and to take over its operation in an emergency. The White House proposal forgoes heavy-handed controls for a lighter regulatory touch – trading the “kill switch” for the “call switch.”
No “Kill Switch”
The most coercive form of regulation would be to allow the government to take control of private-sector network security in an emergency and to restrict or eliminate traffic to that section of the Internet. The White House package is notable for omitting this kind of “kill switch.” Two years ago, one Senate bill from Senators Rockefeller and Snowe included a provision that would have expressly granted kill switch authority to the President. A newer bill introduced last year and again in modified form this year by Senators Lieberman, Collins and Carper does not contain an explicit kill switch, but nonetheless would grant the government extensive power to tell the private sector how it should run its networks. Provisions in the Senate bill would allow the government to mandate the development of risk mitigation measures for private sector actors, to direct those actors to put such measures into action when the government declares a cyber emergency, and even to develop its own emergency measures and require private sector actors to perform those as well.
The White House has taken a different tack: Its legislative draft offers the Department of Homeland Security (DHS) the ability to set standards for critical sector infrastructure, but not to legally mandate that those standards be carried out. Nor does it create any special emergency powers that would allow the federal government to direct action on private sector networks. As CDT’s Greg Nojeim recently said, “[t]he president himself may have killed the Internet kill-switch proposal once and for all.”
Under New Risk Management
What the White House bill does share with several Senate bills is a risk management regime that allows a federal agency, here the Department of Homeland Security (DHS), to set standards for certain private-sector infrastructure providers designated as “critical.” The White House regime is an improvement over some existing proposals, but it nevertheless contains several areas of concern.
Defining “Critical Infrastructure”
The White House proposal does little to ensure that its regime covers only genuinely critical infrastructure. A narrow definition of “critical infrastructure” burdens only the select set of private sector operators who are truly critical to the national interest with onerous government reporting requirements and regulatory compliance concerns. Instead, the proposal defines critical infrastructure as those entities whose incapacity or disruption would cause “a debilitating impact.” This standard is ambiguous enough that the Department of Homeland Security (DHS), which has the regulatory mandate to interpret it, could read it very broadly or fairly narrowly, and a court reviewing the designation would have to give deference to that interpretation.
Leading Senate proposals have done a better job of making this definition more substantive. For example, the Cybersecurity and Internet Freedom Act of 2011 requires that the disruption of any critical infrastructure system would cause “a mass casualty event which includes an extraordinary number of fatalities,” “severe economic consequences,” “mass evacuations with a prolonged absence,” or “severe degradation of national security capabilities, including intelligence and defense functions.” This definition, while still imperfect, provides helpful assistance to a court needing to understand the extent of the required impact when reviewing the designation of a given network as critical.
The Department of Homeland Security uses even more particularized definitions – including numbers of fatalities and evacuees – to set criteria for the Tier 1 and Tier 2 “Critical Infrastructure and Key Resources” that are used to channel funding to protect that which is truly critical. Those criteria, already in use to channel funding, should likewise be used to determine what infrastructure should be under the risk management regime to ensure that it is carefully targeted.
One thing the White House proposal gets right is defining how critical different systems are in relation to one another. Disruption within a small financial services company may only cause the loss of a few dollars, but disruption in a nuclear power plant network might lead to the loss of thousands of lives. The proposal asks DHS to develop risk-based tiers and to assign entities to those tiers based on threats, vulnerabilities, and consequences of an attack. This type of prioritization should be a component of any risk management regime, and CDT welcomes it here.
Consultation, Not Dictatorial Action
The White House proposal envisions the government in the role of standards coordinator in consultation with the private sector and respected standards-setting bodies, but also gives it the power to override private sector decisions about appropriate risk frameworks. It asks DHS to request that representatives of standards setting organizations, state and local governments, and the private sector coordinating councils and information sharing and analysis centers propose standardized frameworks for assessing risk. Importantly, “frameworks” cannot require the use of particular measures; the decision about measures to employ is left where it belongs – with the entity to which the framework applies. After consulting with those representatives, DHS would consider whether the framework reasonably assesses risks, is cost-effective, has outcome-based metrics, and will sufficiently evaluate performance. If the framework comes up short, DHS can impose its own. While this approach does require DHS consultation with the private sector, it may not give DHS sufficient incentive to consider the private sector solutions before moving on to its own ideas. Ongoing dialogue between the private sector and DHS, rather than propose-and-accept/deny, should be the preferred model.
Persuasion, Not Coercion
The White House legislative draft’s enforcement regime is an improvement over Senate proposals that use legal penalties to enforce compliance. After DHS has approved or established a standards framework, the proposal would require each covered entity to create a plan to comply with the appropriate framework and hire an accredited evaluator to determine its compliance with that plan. In the event of failures on the part of an entity or group of entities, DHS would be allowed to demand consultation from those entities, to issue a public statement alerting citizens to the cybersecurity deficit, or to take other unspecified action, but not to impose fines, penalties, shutdown orders, or injunctive remedies requiring particular action. It would also require those entities to report the results of their evaluations within their SEC filings, thus disclosing them to their shareholders. In other words, the proposal uses transparency rather than mandates as a tool to coerce compliance – rather than a “kill switch” aimed at shutting down networks, it’s a “call switch” aimed at drawing public attention to cybersecurity concerns.
Being transparent about vulnerabilities in a private-sector network may seem like an invitation to malicious actors to exploit those vulnerabilities. In fact, the White House plan calls for only a high-level disclosure to the public of a) the security plan and b) the results of annual security evaluations. This does not and should not include the kind of technical information that leads to system breach. As a result, the “call switch” approach offers significant security benefits: By bringing the state of network security to the attention of a company’s customers and business partners, it makes network security part of the decision-making process in choosing a supplier and kicks off a virtuous circle in which companies are given a greater business incentive to improve their security to meet customer needs independent of any standards framework.
While this “name and shame” regime is a useful step away from heavy-handed government mandates and towards persuasion, DHS authority should probably be more cabined than it is in the current draft. In particular, a better approach to granting open-ended power to take “action as may be determined appropriate by the Secretary [of DHS]” would be to specify the actions that are permissible. This both limits the universe of possible actions and promotes clarity. It is unclear whether, for example, requiring an entity to drop certain kinds of incoming traffic (without specifying the means by which the network operator would do so) would count as mandating “a particular measure” or would fall under the Secretary’s general power to act.
A Step Forward, But Not the Last Step
In our view, the White House approach is more likely to advance cybersecurity with fewer risks to innovation, competition, privacy, and other values than many of the other proposals currently on the table. However, it contains several areas of concern. Its definition of covered critical infrastructure may be overbroad, which could potentially subject a large portion of the Internet to DHS oversight. It has a lighter regulatory touch than other proposals, but still includes some “sticks” and few “carrots.” Perhaps most importantly, it contemplates an information-sharing regime in which private sector companies report all “significant cybersecurity incidents” (an undefined term) to DHS, a policy that in combination with the loose information-sharing regime created in a different section of the bill could lead to massive disclosures to the government of citizens’ private data. Nevertheless, this regulatory regime moves the debate over government-developed standards for private-sector cybersecurity in a positive direction.