The U.S. Government’s Top Priority for 2013; Or, it should be…

by Jane Ginn

On April 26, 2012 the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA).  It was referred to the Senate’s Select Committee on Intelligence on May 7^th (Sottek, 2012, April 26). The Senate version was sponsored by a bi-partisan group of Senators, led by Joseph Lieberman (I-CT) (2012, July 23).  Shortly after this, President Obama offered commentary on the cybersecurity risks posed to the nation in an Op-Ed article published in the Wall Street Journal (Obama, 2012, July 19).  Called the Cybersecurity Act of 2012, the Senate version (S.3414-112th Congress) significantly expanded the scope making it a more comprehensive approach.^[i] However, it failed cloture in the Senate on August 2^nd, even after the President’s public appeal (GovTrack.us, 2012).

As a result of this, the Obama Administration began external review of an Executive Order (EO) to accomplish some of the same objectives (Economist, 2012, December 8th-14th).  Concurrent with this, the Administration issued a classified Presidential Policy Directive (PPD-20) that “establishes guidelines by which the federal government can operate beyond the confines of federal networks to respond to serious cyber-attacks” (Verton, 2012). This latter, classified action raised criticism from Congressional representatives and some in the press (ibid.)

Given the partisan politics of the 112^th Congress, and, against the backdrop of escalating cybersecurity concerns, the Obama Administration decided to take preemptive action to issue PPD-20 and subject its own unclassified EO to critical analysis and review (White House, 2012, November 21). The design of the Administration’s EO, although greatly streamlined from the Senate bill version, includes explicit provisions on information protection; the subject of this analysis. Specifically, I will discuss the provisions for the protection of private sector information within the banking and financial services sector (BFSS) as defined by the U.S. Department of Homeland Security (DHS).[ii]  Importantly, I will draw upon recommendations by a key private sector BFSS council and interview results from professionals in the BFSS in drawing my own conclusions.

Summary of CISPA

H.R.2523 was sponsored by Michigan Representative Mike Rogers (R) and co-sponsored by 112 others (86 Republicans and 26 Democrats). The main thrust of CISPA was to establish a framework for information sharing between government agencies and private sector entities designated as meeting the definition of critical infrastructure companies or utilities.  It defined key terms, exempted shared information from the Freedom of Information Act (FOIA), called for an annual report to Congress from the Inspector General of the intelligence community and called for establishment of metrics on gauging the success of civil liberties and privacy protections (Rogers, 2012, April 26).

Protection of Information in S.3414

            Lieberman’s bill, S.3414, was methodically constructed to provide a comprehensive framework for research and development, public/private sector information sharing, education and awareness, international cooperation, and an approach to how the U.S. critical infrastructure would be affected by cybersecurity considerations.[iii]  But, beyond this, S.3414 would have established a National Cybersecurity Council (Sec. 101), provided for an inventory of critical infrastructure resources (Sec. 102), streamlined and coordinated U.S. federal agency activities on cybersecurity (Sec. 201), and established a mechanism for the protection of information submitted voluntarily by companies within one or more of 18 critical infrastructure sectors (Sec. 106). It goes far beyond CISPA in establishing a workable cybersecurity institutional infrastructure.

The public policy design of the Lieberman bill clearly reflects aspects of the approach outlined in a strategic planning document produced by the DHS in 2009, the National Infrastructure Protection Plan (Chertoff) called for by Homeland Security Presidential Directive-7 (HSPD-7) (Bush, 2003, December 17). It built on and expanded the work of DHS in outlining a method for improving U.S. critical infrastructure protection.

A key sticking point for the 112^th Congress debate on S.3414 between Senate Democrats and Republicans was whether or not information sharing by private sector owners of critical infrastructure assets would be mandatory or voluntary.  Compromise language established that it would be voluntary as defined by “Section 214 of the Homeland Security Act of 2002 (6 U.S.C. 133)” which was consistent with the version of CISPA that passed the House.[iv]

Other issues revolved around: (1) liability protections for individuals within private companies acting in good faith to share threat information; (2) participating companies seeking to avoid antitrust actions; (3) incentives to be offered to companies to encourage participation in the information sharing programs; and (4) efforts to reduce administrative burdens on those in the private sector that would elect to participate.

On November 14, a second cloture motion on S.3414 was rejected and the bill was unable to make it to the floor for a vote (GovTrack.us, 2012).

Overview of Cybersecurity EO

             During the time Congress was debating S.3414 President Obama issued a draft cybersecurity EO to 28 members of his administration for review (McKeon, 2012, September 28). This version closely reflected the Lieberman bill language.  Figure 1 provides a high-level overview of the proposed implementation process.

I have illustrated:

• How the Director of National Intelligence will provide guidance to create unclassified versions of documents on critical infrastructure documents (consistent with several CISPA provisions);
• How the Secretary of the U.S. Department of Commerce will direct the Director of the National Institute of Standards and Technology (NIST) to define a baseline framework to reduce cyber risk; and
• How the Secretary of DHS will initiate a consultation process with the private sector and, ultimately, establish a public/private Critical Infrastructure Partnership Advisory Council (CIPAC).

Figure 1. Cybersecurity EO Implementation Process

I have also shown how the various steps come together sequentially to roll-out the voluntary Enhanced Cybersecurity Services Initiative (the heart of the program).  Also shown is how the information sharing process will help identify companies that have been determined to be at the “greatest risk.”

The draft cybersecurity EO public policy objectives are two-fold:  1) to expedite coordinated action on further cyber security assessment and remediation efforts, and 2) to establish a framework for public/private collaboration. Many of the other provisions of CISPA and S.3414, including liability protection for individuals and corporations are missing.  Given the timing of the issuance of the draft EO, and the bare bones framework, it might be that the Administration is using this version to apply political pressure on the members of the Senate to take proactive action on real and present cybersecurity threats.

Implications for the Banking and Financial Services Sector

Information assurance for the BFSS has matured over the past few decades due, in part, to domestic standards such as the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule at 16 CFR 314 and Privacy Rule at 16 CFR 313. GLBA regulated parties must protect against unauthorized access, insure the security and confidentiality of customer records and information, and protect against any anticipated threats or hazards to the security or integrity of records.[v]

In addition, the requirements of the Federal Financial Institutions Examination Council (FFIEC) rules govern how information assurance programs for the BFSS are designed and implemented. The FFIEC established important standards regarding accessibility, authentication, confidentiality, non-repudiation, accountability, and record-keeping aimed at best management practices for safeguarding against fraud and cyber-crime (2012, June 28).[vi]

Some information security analysts also claim that the regulatory compliance requirements of Section 404 Audits of the Sarbanes-Oxley Act of 2002 (SOX) have had a bearing on how companies apply security measures. As noted by a specialist cybersecurity attorney, “SOX is about internal controls for financial reporting; it is not about protection of assets or business continuity.  To single out SOX as a significant vehicle for promoting national cyber security is a misunderstanding” (personal communication, December 26, 2012).

Nonetheless, SOX introduced accounting reform including provisions for quality control and independence of standards and rules which has had bearing on how information assurance programs within the BFSS are implemented (Herold, 2006).

When these three programs are combined, the aggregate rules provide significant regulatory guidance to companies within the BFSS. An emerging consensus within the sector is that certain provisions of CISPA, S.3414 and the cybersecurity EO would be redundant and might even conflict with some of these existing programs.

If the Obama Administration EO is signed, a series of steps relating to civil liberties, privacy and business confidentiality would be undertaken. A short discussion of some of the key issues follows.

Civil liberties protection.  U.S. civil liberties scholars point out that an individual has a right to a reasonable expectation of privacy when browsing to sites on the Internet, sending emails, participating in chat rooms, and engaging in interactions on the various social media platforms (MacKinnon, 2012, p. 88 et.seq.).  This expectation stems from the Fourth Amendment to the U.S. Constitution as contained in the Bill of Rights. In the U.S. and other Western countries with Constitutional protections this has come to be interpreted as a right to engage anonymously in any or all of these forums. Advocates of anonymity promote the use of The Onion Network (TOR) [see: www.torproject.org] to facilitate anonymous Internet activities.  TOR traffic uses encrypted packets that pass through at least three proxy servers before being forwarded on to the destination Internet Protocol (IP) address.

Critics of anonymity on the Internet acknowledge that, although the U.S. founding fathers used anonymity to protect life and limb during the run-up to the revolutionary war (e.g., in The Federalist Papers), the use of unattributed speech on the Internet has had some negative effects.  They note the use of cyber bullying, the use of vicious verbal attacks, the use of false rumors to influence group behavior and other troubling effects (MacKinnon, 2012).  While acknowledging these negative effects, civil liberties advocates still believe that the net benefit of anonymity outweighs the net loss that could accrue if citizens were not able to comment without fear of reprisal.

As a point of contrast between the Obama Administration’s approach to anonymity as a civil liberty and the Chinese government’s approach, the recently installed Chinese National People’s Congress just released new regulations governing registration for online services for Chinese citizens.  It is now prohibited to obtain any services without registering under one’s full name; and the Internet Service Providers (ISPs) have been designated as the entities responsible for policing this new requirement (Bradsher, 2012, December 28).

Censorship. Censorship is another difficult issue that civil libertarians are concerned about where the U.S. and Chinese approach contrasts sharply. The foundational principles of the Internet as currently governed by various multi-stakeholder entities including the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Engineering Task Force (IETF) are based on the idea of the free flow of information. China’s approach has been one that carefully monitors Internet traffic through the “Great Chinese Firewall” actively censoring sites that do not conform to pre-approved visions of official truth (MacKinnon, 2012).

This contrasts sharply with official policy of the U.S. government. U.S. constitutional lawyer Lee Bollinger argues that: “Political majorities and government officials cannot be trusted to exercise the power of censorship in a moderate fashion. Intolerance is natural, especially in times of stress”(ibid. p.89).  U.S. advocates of an uncensored Internet frequently point to the human rights abuses in the Chinese system to warn against the use of censorship over content.  In fact, the U.S. Ambassador to the December, 2012 International Telecommunications Union conference in Dubai, U.A.E. was recently quoted as stating: “the United States remains fully committed to the values of freedom of expression and the free flow of information and ideas on the Internet” (Kramer, 2012, December 13).

Privacy. Closely tied to the Fourth Amendment concerns is the issue of privacy. Privacy is an even more important issue within the BFSS due to the legal liabilities of unauthorized release of personally identifiable information (PII). The National Conference of State Legislatures provides a listing of all of the State security breach notification laws that are in force in the U.S.[vii] CISPA called for specific exclusions of certain types of documents on browsing behavior of individuals under investigation for an Internet-related crime.  Such exclusions would include PII from library records, gun purchase records, and health records, among others (Rogers, 2012).  This provision was not in the Senate version or the draft EO. Nor does it reflect issues more closely associated with cyber security investigation practices.  For example, browsing history and website registration information would be a more accurate reflection of a user’s recent actions.

Business confidentiality. The draft cybersecurity EO also calls for Obama Administration officials to conduct a review of business confidentiality issues that would stem from the proposed Enhanced Cybersecurity Services Initiative.  This would address the concerns of many who cite intellectual property protection issues as a reason for choosing not to voluntarily participate.  These issues and others would be put under review as part of the Obama EO process on civil liberties and privacy.

Proposed Implementation Process for Civil Liberties and Privacy Review

The review that would be required by the draft cybersecurity EO, as shown in Figure 2, varies slightly from the approach taken in S.3414.  The EO calls for the privacy and civil liberties reviews to be initiated by the sector specific agencies. These sector specific agencies would have more in-depth knowledge of the vulnerabilities and attack vectors for companies within their sectors; however civil liberties might not necessarily be a high priority.  In contrast, the more centralized approach, as outlined in the Lieberman bill, would ensure that these concerns would be handled comprehensively through a single Privacy Officer that reports to the Secretary of DHS.

As the designated sector specific agency for the FBSS, the Department of Treasury would conduct the primary review for this sector.  Treasury would also work closely with all of the regulatory agencies that have oversight over institutions subject to GLBA, SOX and the FFIEC and other BFSS entities.[viii]  This review of privacy and civil liberties issues is integral to the information sharing framework that is envisioned by CISPA, S.3414 and the cybersecurity EO.

Figure 2. Privacy and Civil Liberties Review of Cybersecurity EO Implementation

Civil libertarians fear that the privacy of customer information could be compromised with extensive information sharing and that, without transparency, there could be abuses by government agency users.  Advocates of tougher cybersecurity laws argue that information sharing is critical in order to gain a more comprehensive picture of the threat patterns the entire sector is facing.  Since it is envisioned as a voluntary program, the challenge then becomes how to incentivize private sector companies in a way so the benefits outweigh the potential costs of participation.

Information Sharing Issues of Cybersecurity EO Compliance

To better gauge how the private sector would respond to S.3414, Senator John D. Rockefeller IV (D-WV), Chairman of the Senate Committee of Commerce, Science and Transportation wrote a letter to the private sector Financial Services Sector Coordinating Council (FSSCC) and the CEOs of Fortune 500 companies with eight questions (Wainstein, 2012, October 12).  The FSSCC Chairman and Vice Chair wrote a response to Senator Rockefeller IV on October 15th.  They argued that additional risk assessments would be counterproductive and redundant to GLBA and SOX, given the already high level of oversight in the sector.  Therefore, they did not support provisions calling for additional risk assessments for the BFSS.

Conversely, the FSSCC argued that a 2010/2011 pilot project for threat-based information sharing was highly successful and should be continued. The Government Information Sharing Framework (GISF), co-implemented by the U.S. Department of Defense, DHS and the Financial Services-Information Sharing Advisory Council (FS-ISAC)[ix] “allowed for the sharing of advanced threat and attack data between the federal government and 16 financial services firms” (ibid. p.4). Although the budget for this pilot project ran out in 2011, they deemed it to be highly successful in identifying threat activity from actors first identified through the GISF.  They strongly recommended continuation. They argued that it drove innovation and helped to protect the privacy of the customers of the 16 participating organizations (ibid. p.5). They would like to see the program made available to other organizations that might choose to participate.

In my own interview with the CISO of a major brokerage firm posing some of the same questions on the draft cybersecurity EO, a key distinction between sharing information on “threats” versus “risks” was made (personal communication, December 20, 2012).  This respondent noted “A fact is that sharing risk information within the BFSS introduces different risk, but the unintended consequences that may come to fruition are likely to pale compared to failing to protect the sector.  However, firms should be sharing threat information more than risk information” [emphasis added] (ibid). This is a subtle, but important distinction. In cyber security a threat can be defined as: a danger that a vulnerability could be exploited to cause harm to the enterprise (e.g., the release of personally identifiable information from customer records).  This differs from a risk.  A risk typically refers to the business implications of sustaining an exploit such as a data breach.  Business risks are typically held as confidential information and would not be appropriate for external disclosure.

In a separate conversation I had with the Chief Investment Officer at a major retirement plan consulting group I found that he had a concern about the EO if the process was not accompanied by the necessary funds for implementation (personal communication, December 8, 2012).

In yet more direct feedback to the White House on the draft EO, in late December House of Representatives members submitted a letter to the Executive office signed by 46 of the 113 co-sponsors of CISPA.  Co-authored by Marsha Blackburn (R-TN) and Steve Scalise (R-LA) this letter cited the successful passage of the House bill, CISPA[x], during the 112^th Congress and urged the President not to preempt Senate action on S.3414 or its successor (2012, December 21).[xi]

As the reader can see, the proposed information sharing programs of both S.3414 and the draft cybersecurity EO, while theoretically strengthening joint efforts at fending off cyber threats, would also be wrought with controversy, given the civil liberties, censorship, privacy and business confidentiality issues it would bring up.

Conclusions

            The Obama Administration appears to have crafted its cybersecurity EO as a stop-gap measure in the event that the Lieberman bill did not pass. Although elegant in its construction, it does not cover some of the key issues covered in the Lieberman bill. The classified PPD-20 was issued to provide federal agencies with the authority to fend off the advanced persistent threats that agencies and critical infrastructure entities are now facing. The timing of the release of PPD-20 appears to have exacerbated concerns about the decision-making process in the Obama Administration and House representatives are now urging the President to terminate action on the unclassified cybersecurity EO. At the same time, the Administration must have determined that politics as usual would not allow the U.S. to respond to the immediacy of advanced persistent threats.  I suspect that the Administration still hopes that the Lieberman bill, or a subsequent version, will pass in the early days of the 113^th Congress, and that the White House will not be compelled to act preemptively by signing the EO into force.

The BFSS would like to see a more comprehensive approach to unifying the overall critical infrastructure protection strategy with an emphasis based on sharing of threat information not risk information. The BFSS would prefer a program that builds on previous successes and does not impose additional administrative burdens, and it would like to see more resources devoted to remediation as opposed to assessment (Blauner, 2012, October 15).

It is my conclusion that the Lieberman bill includes a fuller range of issues that must be addressed with cybersecurity legislation. Furthermore, it handles liability issues, training and incentive programs not addressed in the EO.  The President’s approach to civil liberties and privacy protections review by sector specific agencies is likely to be more effective and less redundant; however a centralized approach as envisioned by Lieberman et. al. would ensure that the issues are systematically and consistently addressed.

I urge Senators considering any 113^th Congress’ follow-up bill to act quickly on a Senate version, to consider funding commensurate with increased federal agency responsibilities, and ensure that impacts on business confidentiality also be included.  Furthermore, the successor bill should make it clear that threat information, not risk information is to be shared between the private and public sectors.  Also, the existing sector specific Information Sharing Advisory Councils should be the venue for sharing threat information, as in the successful pilot project in the BFSS.

I also urge the President to give the Senate’s Congressional process a chance to resolve itself to ensure a more comprehensive approach while still exerting pressure for quick and early action in the 113th Congress.

References

Blackburn, M., Scalise, S. (2012, December 21). House Republicans Letter to President Obama on Draft Cybersecurity E.O.  Washington, D.C.: House of Representatives.

Blauner, C., and Wells III, J.M. (2012, October 15). Response to Letter from Senator John D. Rockefeller IV. Washington, D.C.: Financial Services Sector Coordinating Council [FSSCC].

Bradsher, K. (2012, December 28). China toughens its restrictions on use of the Internet. New York Times. Retrieved from http://www.nytimes.com/2012/12/29/world/asia/china-toughens-restrictions-on-internet-use.html?ref=technology&_r=0

Bush, G. W. (2003, December 17). Homeland Security Presidential Directive-7.  Washington, D.C.: Department of Homeland Security Retrieved from http://www.dhs.gov/homeland-security-presidential-directive-7#1.

Chertoff, M. (2009). National Infrastructure Protection Plan: Partnering to Enhance Protection and Resiliancy.  Washington, D.C.: Department of Homeland Security [DHS] Retrieved from http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf.

Economist. (2012, December 8th-14th). Cyberwarfare: Hype and fear. The Economist, p. 62-63.

Federal Financial Institutions Examination Council [FFIEC]. (2012, June 28). Supplement to authentication in an Internet banking environment. Washington, D.C.: FFIEC.

Federal Financial Institutions Examination Council [FFIEC]. (n.d.). IT examination handbook infobase   Retrieved from http://ithandbook.ffiec.gov/it-booklets/information-security/security-controls-implementation/personnel-security-/training.aspx

Federal Trade Commission [FTC]. (2006, April). Financial institutions and customer information: Complying with the Safeguards rule.  Washington, D.C.: Federal Trade Commission.

FTC, Privacy of consumer financial information; Final rule, 16 C.F.R. § Part 313 (2000, May 24).

GovTrack.us. (2012). Senate Vote #202 in 2012., from Civic Impluse, LLC http://www.govtrack.us/congress/votes/112-2012/s202

Gramm–Leach–Bliley Act [GLBA], Pub.L. No. 106-102, 113 U.S.C., § 1338 et. seq. Stat. (1999, November 12).

Herold, R. (2006). Introduction to computer ethics. In H. Tipton (Ed.), Official (ISC)2 Guide. New York: Auerbach Publications.

Kramer, T. (2012, December 13). Amb. Kramer Remarks on World Telecommunications Meeting. IIP Digital. Retrieved from http://translations.state.gov/st/english/texttrans/2012/12/20121214139976.html#axzz2GP1rNDyZ

Lieberman, J. (2012, July 23). Cybersecurity Act of 2012 (Draft).  Washington, D.C.: Government Printing Office Retrieved from http://www.govtrack.us/congress/bills/112/s3414/text.

MacKinnon, R. (2012). Consent of the Networked: The Worldwide Struggle for Internet Freedom. New York, NY: Basic Books.

McKeon, B. P. (2012, September 28). Discussion paper for Paper Deputies Committee meeting on E.O. on Improving Critical Infrastructure Cybersecurity Practices [Unclassified].  Washington, D.C.: White House.

Obama, B. (2012, July 19). Taking the cyberattack threat seriously. Wall Street Journal, U.S. Edition. Retrieved from http://online.wsj.com/article/SB10000872396390444330904577535492693044650.html?mod=googlenews_wsj

Rogers, M. (2012, April 26). Cyber Threat Intelligence and Information Sharing [CISPA], H.R. 2523. U.S. House of Representatives.

Sarbanes–Oxley Act [SOX], Pub. L. No. 107-204, 116, § 745 et. seq. Stat. (2002, July).

Sottek, T. C. (2012, April 26). U.S. House passes controversial CISPA bill, now on to Senate. The Verge. Retrieved from http://www.theverge.com/2012/4/26/2978395/us-house-passes-cispa

Stevens, G. M. (2003, February 28). Homeland Security Act of 2002: Critical Infrastructure Information Act.  Washington, D.C.: Congressional Research Service [CRS]. Retrieved from http://www.fas.org/sgp/crs/RL31762.pdf.

Verton, D. (2012). Cybercom: Critical issues in national cybersecurity. HS Today. Retrieved from http://www.hstoday.us/blogs/critical-issues-in-national-cybersecurity/blog/first-signs-of-national-cyber-doctrine-emerging/d7fcea03bc3df4bf44ea7726bd470687.html

Wainstein, K. (2012, October 12). The Rockefeller Letter and the Cybersecurity Debate Clients&Friends Memo. New York: Cadwalader, Wickersham & Taft, LLP.

White House. (2012, November 21). DRAFT: Improving Critical Infrastructure Cybersecurity [Unclassified], from http://thenextweb.com/us/2012/12/01/legislative-options-dead-a-fresh-draft-of-the-executive-order-on-cybersecurity-has-been-leaked/

End Notes: