
Running head: GOVERNMENT ROLE IN PRIVATE SECTOR CYBER SECURITY

Government Role in Private Sector Cyber Security
By: Daniel K Chang

Table of Contents
Introduction
I. Sociopolitical Arguments for Government Regulations
II. Methods of Government Intervention
   A. Executive Branch
   B. Legislative Branch
III. Regulatory Impacts and Effects on National Security
IV. Responsibility of the Private Industry Toward National Security
Conclusion


Introduction

Modern society has come to depend on the proper function of information systems. The collective body of government, businesses, and individual citizens relies on these networks, which are often interconnected and part of the global network termed the internet (Haimes & Longstaff, 2002). Similarly, the country's critical infrastructures are often controlled and managed through Supervisory Control and Data Acquisition (SCADA) systems that are connected to the internet (UMUC, 2011). These systems provide critical functions the nation and its citizens rely upon for safety, prosperity, and survival. In essence, the information systems sustaining the aforementioned industries have become items tied to national security.

As deployment of and dependence on networked information systems have proliferated, so have attacks on these systems. According to Ngak (2013), a slew of popular websites acknowledged attacks and have been actively strengthening their security measures. Furthermore, system security became a front-page issue due to the terrorist attacks on 9/11, corrupt corporate practices such as Enron, and other cybercrimes. The United States realized how vulnerable its critical infrastructures are and how destructive it can be to its national security should critical IT systems, procedures, and security be successfully compromised. This paper argues that it is the obligation of the federal government to ensure that the private sector bolsters its cyber security posture to mitigate the ever-increasing threat of cyber warfare.

Sociopolitical Arguments for Government Regulations

The U.S. Constitution empowers and obligates the federal government to act on behalf of its citizens in matters of national security (Talent, 2010). Article I, Section 8 of the Constitution grants Congress 17 powers, with 6 of those relating to authorities necessary to establish the defense of the nation. Article IV, Section 4 allows the federal government to provide common defense against invasion. Likewise, Article II installs the President as the country's chief executive officer and commander in chief, to "preserve, protect, and defend the Constitution." The founding fathers clearly designated the federal government for national defense and issues of security, regarded as a public good. These obligations translate into defending national security against modern cyber threats.

Just as national security is a public good, cyber security can often be regarded as a collective action issue and a public good. The security of the global internet depends on the security practices of its collective users, according to Anderson (2001). A party's computers with a high level of security benefit the public by being less likely to incur loss for its stakeholders and/or to be used as a tool for further attacks such as Distributed Denial of Service (DDoS) attacks. Good cyber security requires that groups of people collaborate to achieve a desirable result while the motivation for investment and teamwork is low, a situation unlikely to be provided by the free market without government regulations.

The usual aim of private businesses is to be financially profitable for their stakeholders and to invest in the minimum amount of cyber security necessary to support that objective. Fortifying cyber security to a level that benefits the public good may be at odds with their business goals, which may include operational efficiency and a lean budget. According to Etzioni (2011), companies often conclude that the costs of increasing cyber security are higher than the losses from system infiltration. Moreover, when calculating the cost and benefit of investing in cyber security, a firm does not take into account the harm a system breach brings to the community. Further harm to overall cyber security preparedness comes from the disincentives to disclose security breaches, in order to avoid negative publicity, and to share useful security information with others, whether to maintain a competitive advantage or out of mistrust. Without government regulations, each party is left to determine the appropriate cyber security that best serves its interest, regardless of the cost to the public cyber good.

The aforementioned concern is especially relevant to critical infrastructures, defined by a 1997 President's Commission as "industries, institutions, and distribution networks and systems that provide goods and services essential to defense and economic security of the country, and to the health, welfare, and safety of its citizens" (Michel-Kerjan, 2003). National security, a classic public good, is heavily tied to the private sector, as it owns roughly 85 percent of the critical infrastructure (Powell, 2005). Charged with defending national security, the federal government must proactively regulate and manage the cyber security of private firms whose assets are so closely linked to the facilities and services that affect the well-being of the nation.

Methods of Government Intervention

Executive Branch

The Executive branch issued a series of Presidential Directives that brought the arms of government to manage cyber security not only for federal agencies but also for the private sector. In 1997, the Report on the Presidential Commission on Critical Infrastructure Protection formed the foundation for governmental involvement to protect critical infrastructure and its cyber security (Lewis, 2005). Consequently, the president created a new bureaucracy to tackle the challenge of creating a national strategy for critical infrastructure protection. He signed Presidential Decision Directive 63 (PDD-63), which established critical infrastructure protection (CIP) as a national objective and prompted federal agencies to strengthen the continuity and viability of critical infrastructures by launching a framework of physical and cyber security protection planning, including collaborations between the federal government and the private sector. It installed new federal offices and officials to oversee the effort and cooperation with the private sector. After the Directive was updated in 2003, it was later superseded by the Homeland Security Presidential Directive 7 (HSPD-7), which empowered the Homeland Security Department to prepare and develop plans to counter threats from cyber terrorism and weapons of mass destruction (Homeland Security Presidential Directive-7, 2003).

Legislative Branch

Congress passed the Homeland Security Act of 2002, which created a new agency, the U.S. Department of Homeland Security (DHS), and consolidated the functions of 22 existing agencies. The main missions of combating terrorism and cyber terrorism have an impact on cyber security in private industry, as the Act set up the DHS to carry out risk assessments of the key resources and critical infrastructure of the United States, which in turn identify assets for supportive and protective measures by federal, state, and local governing bodies (Bhaskar & Bhushan, 2009).

Congress has also passed legislation that impacted cyber security through regulations designed for other purposes (Waleski, 2006). The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established standards for privacy protection of individually identifiable health information. The Gramm-Leach-Bliley Financial Reform Act (GLB) in 1999 mandates protection standards for non-public personal information collected by financial institutions. The Sarbanes-Oxley Act (SOX) was enacted in 2002 to ensure accurate corporate accounting practices and holds the senior officers of a publicly traded corporation accountable. These regulated requirements created incentives for firms to strengthen their IT security, because data confidentiality and integrity cannot exist without sound system security measures and procedures.

Aside from the federal laws, state legislation such as the California Information Practices Act also mandates corporate reporting of security breaches involving consumer data. The legislation has created an incentive for corporations doing business in California to fortify their cyber security in order to mitigate the risk of having to report business-damaging security breaches to the state authorities.

Regulatory Impacts and Effects on National Security

It is difficult to assess the regulatory impact and effects on national security. The challenges are many. It is difficult to make meaningful measurements, and thus comparisons, of the before and after effects of regulation. There are too many variables that cannot be controlled, including the always changing landscape of private industry, the ever-increasing number of complex federal laws and involved parties, issues of classified information, and the evolution of cyber attacks, just to name a few.

Short of being able to make a sweeping statement on the national security impact of government regulation on the private sector, researchers turn to other avenues to gain knowledge of the regulatory effect on private industry. As government legislation on protecting critical infrastructure emphasizes information sharing and voluntary adoption of suggested security measures, Hare (2009) attempted to find out how and why private industry responds to the government's call to share information and to collaborate. Among several hypotheses, the researcher was interested in whether private organizations were motivated to share and collaborate (a) out of empowerment to shape the cyber security measures placed upon the industry, (b) to avoid the threat of government mandates, (c) to gain informational benefits from other participants, or (d) out of obligation to the common good.

Although the sample size in his case study was small, Hare (2009) reported a few interesting findings. There was no substantial sense of empowerment to influence cyber security practices, as the respondents saw themselves as followers. Secondly, a desire to avoid regulation was not a motivator for collaboration, as the subjects welcomed guidance from the DHS to fortify security practices in their company. They did have a potential incentive to collaborate in order to gain information from other sources. They were interested in knowing whether regular cooperation and partnership with the DHS would yield valuable information that would help with their cyber security practices. Lastly, responses to the questionnaire suggested that the companies had civic-mindedness as a motivator in participating and collaborating with the DHS. One response stated that the firm desired to be good citizens, while another party wanted to be regarded as a positive contributor to national security. Although the case study is limited in its scope, one is encouraged that the government's regulatory effort to foster and strengthen partnership with the private sector seems to be successful in increasing collaboration.

Responsibility of the Private Industry Towards National Security

The interconnection of information systems and interdependence of critical infrastructures mean that the asset owners have an obligation to each other, and towards the general community, to invest in and to install strong cyber security measures. Because of the aforementioned self-serving factors that contribute to the disincentives for the common cyber good, private businesses should cooperate with government intervention to share information and to ensure that their networks are fortified with the recommended security measures.

As previously discussed, private organizations play a crucial role in achieving federal cybersecurity objectives (Busch & Givens, 2012). The authors listed examples of current collaboration towards critical infrastructure protection and cyber security. The Critical Infrastructure Partnership Advisory Council (CIPAC) is the framework in which government and private industry exchange information and cooperate in critical infrastructure protection. Private members in the CIPAC include BASF Corp., the Trump Organization, Verizon, Boeing, and Google, to name a few. Furthermore, private companies regularly work with the government to share information and address cyber security challenges. An organization such as the National Cyber Security Alliance (NCSA) promotes cyber security awareness training, with membership including popular names such as AT&T, Cisco Systems, Lockheed Martin, Microsoft, Google, Facebook, etc.

Conclusion

Due to cyber security becoming a forefront issue in matters of national security, the federal government must take the lead in regulating and collaborating with private industry to achieve the required initiative of securing critical infrastructures and information systems. Private firms must recognize the integral role they play in this endeavor. More research needs to be conducted to measure the impact of federal regulations in securing the nation's critical infrastructure and crucial information systems. Although frameworks for information sharing and collaboration have been set up and are ongoing, more work needs to be performed to improve the security practices set forth by regulations.

References

Bhaskar, R., & Bhushan, K. (2009). Homeland Security. In J. R. Vacca, Computer and Information Security Handbook (p. 665). Burlington: Kaufmann Publishers.

Busch, N. E., & Givens, A. D. (2012). Public-Private Partnerships in Homeland Security: Opportunities and Challenges. Journal of the Naval Postgraduate School Center for Homeland Defense and Security, VIII. Retrieved from http://www.hsaj.org/?fullarticle=8.1.18

Haimes, Y. Y., & Longstaff, T. (2002). The role of risk analysis in the protection of critical infrastructures against terrorism. Risk Analysis: An International Journal, 22, 439-444.

Hare, F. B. (2009, January). Private Sector Contributions to National Cyber Security: A Preliminary Analysis. Journal of Homeland Security and Emergency Management, 6(1). doi:10.2202/1547-7355.1426

Homeland Security Presidential Directive-7. (2003, December 17). Retrieved from U.S. Department of Homeland Security: https://www.dhs.gov/homeland-security-presidential-directive-7#1

Lewis, J. A. (2005). Aux Armes, Citoyens: Cyber Security and Regulation in the United States. Telecommunications Policy, 29(11), 821-830. doi:10.1016/j.telpol.2005.06.009

Michel-Kerjan, E. (2003). New challenges in critical infrastructures: A U.S. perspective. Journal of Contingencies & Crisis Management, 11, 132-141.

Ngak, C. (2013, February 22). Are Facebook, Twitter, Apple, New York Times, NBC hacks a sign of things to come? Retrieved from cbsnews.com: http://www.cbsnews.com/8301-205_162-57570805/are-facebook-twitter-apple-new-york-times-nbc-hacks-a-sign-of-things-to-come/

Powell, B. (2005). Is Cybersecurity a Public Good? Evidence from the Financial Services Industry. 1 JL Econ. & Pol'y 497, 1. Retrieved from http://www.benjaminwpowell.com/scholarly-publications/journal-articles/is-cybersecurity-a-public-good.pdf

UMUC. (2011). CSEC 630 Module 11: Critical Infrastructure Protection. Module posted in University of Maryland University College CSEC 630 online course content, archived at: http://webtyco.umuc.edu
