Dialogue with Congress, DHS, and FTC Advances CISO Cybersecurity Priorities: A Recap of the 2019 NTSC Mid-Atlantic Regional CISO Policy Roundtable

Dialogue with Congress, DHS, and FTC Advances CISO Cybersecurity Priorities: A Recap of the 2019 NTSC Mid-Atlantic Regional CISO Policy Roundtable

While attendees discussed many topics with policymakers in Washington, D.C. on February 27, 2019 at the NTSC’s Mid-Atlantic Regional CISO Policy Roundtable (hosted by David Katz, Partner at Nelson Mullins and member of the NTSC Policy Council), the overarching theme across a day of lively, diverse discussion was dialogue. As part of the NTSC’s mission to forge stronger public-private partnerships between CISOs and the federal government, our recent roundtable event allowed CISOs to directly engage with Congress, the Federal Trade Commission (FTC), and the Department of Homeland Security (DHS) about some of the most pressing cybersecurity issues affecting American businesses today.

In this post, we offer a high-level recap of these important discussions that encompassed an important proposed bill by Congressman John Katko (R-NY), a clearer understanding about how CISOs can engage with the FTC, and an update on DHS’s new Cybersecurity and Infrastructure Security Agency (CISA).

Opening Remarks: Timothy Wang, Senior Legislative Assistant at the U.S. House of Representatives, speaking on behalf of Congressman John Katko (R-NY), Ranking Member of the House Cybersecurity, Infrastructure Protection & Innovation Subcommittee

We began our roundtable discussion with a special visit from Timothy Wang who spoke on behalf of Representative Katko about cyber and legislative priorities in 2019. Of special interest and focus was an important proposed bill under review by DHS that will provide Christopher Krebs, head of the newly named and elevated CISA, an advisory committee of CISOs and other cybersecurity subject matter experts. The switch from the National Protection and Programs Directorate (NPPD) to the CISA gave Krebs direct access to DHS and removed some bureaucracy. If Katko’s bill passes, Krebs will benefit from the advice and guidance of non-partisan, industry-agnostic CISOs—giving our constituency a greater voice in this important public-private partnership.

This CISO advisory committee will help with DHS’s formulation of policy and rulemaking. If Krebs or any future director of CISA has an issue, this diverse committee will provide direct stakeholder feedback and give unbiased recommendations. DHS wants wide representation on this committee, and so the bill will designate 35 individuals representing different industries and sectors. This committee will give an annual report to Congress and provide recommendations on how the DHS can engage with the private sector.

The need for such public-private partnership is more critical than ever. Crowdstrike recently reported that Russia can break our networks in 19 minutes. DHS has labeled China as one of our top security concerns. And cyberattacks from varied sophisticated threat actors hit our nation’s companies every day. It’s clear that we need to take public-private partnerships to the next level, and there is broad interest across many stakeholders to add the thinking and experience of CISOs to help CISA.

Bipartisan interest exists around this bill—and we are optimistic it could get signed if introduced. Such a bill would also benefit overall cyber threat intelligence sharing and increase information sharing with ISACs and ISAOs. The message of this partnership is that the federal government wants to work with companies to protect infrastructure in the name of mutual defense.

During the discussion, some concerns were raised by CISOs about lingering issues with DHS’s effectiveness, its small staff, and its comparatively small budget. But overall, seeing as this bill clearly reaches out to CISOs and the public sector for guidance, attendees were overall positive and supportive of such legislation.

Privacy and Security: A Discussion with the FTC

  • Maneesha Mithal, Associate Director of the Division of Privacy & Identity Protection. FTC’s Bureau of Consumer Protection
  • Peter Miller, Senior Counsel, Crowell & Moring and former Chief Privacy Officer at the FTC

The Federal Trade Commission (FTC) has been the primary federal agency protecting consumer privacy since the enactment of the Fair Credit Reporting Act (FCRA) in 1970. Particularly since the 1990s, the FTC has used its broad authority under the FTC Act and other statutes within its jurisdiction to identify and enforce privacy and data security practices to protect consumers and their personal information. The FTC also actively engages in policy, consumer, and business education along with other federal, state, and international privacy and data security initiatives.

Much has changed in the 48 years since the FCRA was enacted, including the:

  • Interaction of consumer data, privacy, and technological innovation
  • Increasing number of federal agencies exercising privacy and data security powers
  • Expanding influence of state and international data protection law
  • Tension between consumer and commercial interests
  • Near ubiquity of incidents involving personal information

A huge debate exists in Washington and elsewhere around the most effective means of protecting consumer data while supporting innovation and commercial activities. The FTC is at the heart of that debate. That’s why it was productive to feature Mithal and Miller as discussion leaders to talk about their experiences at the FTC, how they work with the private sector, and their perspectives on CISO issues of concern.

Personal familiarity from CISOs with the FTC is not high, and so Mithal and Miller reviewed its basic mission. They also heavily referenced recent progress and specific cases detailed in its last annual Privacy and Data Security Update. Some of the key points included:

  • The FTC is a civil enforcement agency that encompasses the enforcement of specific laws (such as the Gramm-Leach-Bliley Act) under data security. Its reach is broad across a wide variety of industry sectors (excluding some areas such as banks, carriers, and non-profits).
  • The FTC is also a federal rulemaking authority that can issue industry-wide regulations.
  • The FTC does not specify that businesses adhere to a specific data security framework, but its process-based approach helps guide enforcement and maps to a framework such as NIST.
  • The FTC does not consider itself an entity that would “partner” with an organization like the NTSC. However, it can discuss issues and enter into dialogue within certain parameters.
  • The FTC’s work also consists of developing policy initiatives and educating businesses, in addition to its law enforcement mission.
  • Some of the laws and rules it enforces include the Safeguards Rule, COPPA, FCRA, the Identity Theft Red Flags rule, and the FTC Act.

Much of the discussion focused on specifics—definitions, approaches to cases, and questions about enforcement. For example, the FTC uses phrases such as “harm,” “industry standard security,” and “reasonable security.” Such definitions are often kept loose on purpose so as not to be too prescriptive and interfere with the way CISOs do their jobs. However, attendees pointed out that loose definitions can be open to wide interpretation—and some argued that standards can become arbitrary if not well-defined.

In lieu of a compliance checklist, companies need to prepare a security story to tell, pick up the phone, and talk to the FTC. Early in the process, a company has the opportunity to cooperate, tell their story, and temper first impressions. Company representatives should talk to the FTC who understand and are involved in the incident instead of providing rigid talking points. While companies often perceive the FTC as unapproachable, the agency encourages voluntary disclosure, which can disrupt the process of the FTC just showing up and asking for information as part of an investigation.

To counter the argument that some cases seem arbitrary, it appears that company failures must be multiple, systemic, and egregious for the FTC to pursue action against a company. Even in cases involving an FTC investigation, many end up settled with consent orders where a CISO must carry out a specific plan of action to correct mistakes. If that occurs, then the case is dropped (although administrative assessments and audits may still occur for up to 20 years). The FTC does not administer financial penalties for first-time FTC Act violations—although it can do so for additional violations. Separately, it enforces and imposes financial penalties related to the Children's Online Privacy Protection Act (COPPA) and Fair Credit Reporting Act (FCRA).

However, several attendees asked pointed questions about the fairness of certain cases that seemed to favor companies with the money to litigate versus ones that did not. Small businesses are particularly at a disadvantage because they may hold a lot of data but not have the resources to deal with cyberattacks from sophisticated threat actors. Also, some attendees wondered aloud why companies continue to get “beat up” when they are often victims of a crime, but the FTC must still uphold data security standards even if companies are victims.

Many FTC cases, because they are made public, also become guidance and examples for an entire industry—as the agency often performs “industry sweeps” when they go after what they see as systemic problems within an industry. The FTC uncovers leads for cases through media and trade publication articles, Twitter, tech blogs, security researchers, academics, and the FTC’s own PrivacyCon event. Attendees also received some insights into the FTC’s process of approaching a company with preservation letters, administrative subpoenas, and investigative hearings. An FTC settlement is not like a normal settlement process in the private sector. There is no finding of liability, the five FTC commissioners must approve all settlements, and the company usually adheres to a compliance program as a result of the settlement.

While a lively and sometimes heated discussion, we found that the FTC agrees with the NTSC around the need for national data breach notification legislation, preemption of state and local standards (if the federal standard is higher), and national data privacy legislation to make sure we don’t have a patchwork of 50 data privacy laws from each state. Public-private partnerships are also important, although the FTC is not necessarily an organization that CISOs can “partner” with, per se. Instead, using the term “mutual education,” CISOs can share input with the FTC—and the NTSC clarified that the process of sharing input with the FTC may need reexamining after pointing out some obstacles and confusion around participation.

Overall, the fact that CISOs and the FTC entered a spirited dialogue that tackled crucial issues is a good sign. Nothing in our industry progresses without discussion and getting everyone in the same room to talk was beneficial to all.

Cybersecurity and Infrastructure Security Agency (CISA) Update: Rick Driggers, Deputy Assistant Secretary for Cybersecurity and Communications at the U.S. Department of Homeland Security

Our second session focused on the DHS’s new Cybersecurity and Infrastructure Security Agency (CISA) and its efforts to work with the private sector on securing critical infrastructure. Rick Driggers provided an update about CISA along with reviewing the DHS’s recent evolution and key priorities over the last year. This discussion continued our ongoing dialogue between the public and private sector about cyber threat intelligence exchange.

As we noted in a recent whitepaper, “In October, the NTSC applauded the passage of the Cybersecurity and Infrastructure Security Agency Act by the US Senate. This bill redesignates the NPPD as the Cybersecurity and Infrastructure Security Agency (CISA). By rebranding the NPPD and elevating it to the status of a standalone agency under DHS (giving it the same status as the Secret Service and the Transportation Security Agency), this bill helps the United States better protect critical infrastructure and strengthen public-private sector partnerships around cybersecurity. The legislation reflects the needs of the private sector to work more productively with DHS to share cyber threat intelligence and communicate about critical cybersecurity issues that affect national security. A dedicated agency such as the CISA, with a clear mission, helps DHS carry out this important work.”

Focused on making sure critical infrastructure is secure and resilient, CISA currently prioritizes election security, hometown security (e.g. securing soft targets and crowded spaces), malicious cyber activity from China, federal network security, and protecting industrial control systems. Partnership between the public and private sector is crucial to the success of CISA and the vitality of cyber threat intelligence sharing.

As usual when DHS is in the room, discussion about cyber threat intelligence sharing progress and obstacles took up a lot of the discussion. DHS continues to gather information across the intelligence community and 30 percent of its shared indicators are unique. However, DHS still needs industry help and lacks the unique vantage points that companies have watching threat indicators. Sadly, only 4 percent of those participating in Automated Indicator Sharing (AIS) are sharing information back to DHS. Most indicators are coming to DHS through ISACs, which are directly connected to AIS.

Unfortunately, the federal government still makes it difficult to share information. AIS is taking longer than planned to make STIX [Structured Threat Information eXpression] and TAXII [Trusted Automated eXchange of Indicator Information] improvements that will help provide context for threat indicators. Security clearances are still backlogged, a lot of shared information remains classified, and the private sector process to participate with AIS is arduous.

The good news is that CISA, the proposed Katko bill, and other continuous improvements have increased DHS’s reputation in the eyes of many attendees. One attendee shared a story about how fast US-CERT responded to a cyber incident. The DHS’s National Cybersecurity and Communications Integration Center (NCCIC) responded to about 1000 incidents last year and deployed 23 times onsite. Also, DHS offers to participate in a company’s tabletop exercises and NCCIC can even help design the exercise. Under CISA, Krebs’ priorities are to further partner with and help the private sector, hopefully with the help of Representative Katko’s bill.

The discussion emphasized the importance of having one place within the federal government to receive and share cyber threat intelligence. When a cyber incident occurs, the government must pull the right entities together in a non-public way. DHS positions itself as the right organization to mitigate the risk, learn about the incident, discover what happened, and provide IoCs to the public and private sector while supporting the asset owner and operator. Otherwise, if every federal department stands up its own team, we run into national security problems similar to ones we faced before September 11, 2001.

High-Level Overview of House and Senate Meetings

While our CISO meetings with staff from the U.S. Senate Armed Services Committee and House Homeland Security Committee were not public, we can make a few high-level observations about what we discussed and how it relates to the NTSC’s overall policy priorities:

  • National data breach notification legislation is still a no-brainer for many in the House and Senate, but various parties cannot seem to agree on specifics. Conflicts between different industries, uncertainty about supply chain accountability, and pre-emption issues have all contributed to a lack of progress in this area despite a high desire to get a bill passed.
  • National privacy legislation is on lawmakers’ radar because of the likely chance that, if they do nothing, states will make their own laws. The California Consumer Privacy Act (CCPA) has been a launching point for many current ongoing discussions about national privacy laws. A lot of discussion centered around definitions (e.g. “personal information”) and specifics (such as the practicality of a 72-hour response time to a data privacy incident).
  • Cyber threat intelligence sharing and issues with AIS continue to be top-of-mind for many lawmakers who want to address issues between the public and private sector and encourage more companies to share information with the federal government while DHS shares useful information back.
  • We talked at length in a bipartisan fashion about cybersecurity workforce development, the lack of women and diversity in the cybersecurity workforce, how we can get more people interested in cybersecurity in the long-term, and how the federal government can help K-12, technical colleges, and other programs encourage and recruit talent.
  • We continued to ask how the CISO’s voice can be heard along various stages of the legislative process and strengthened existing relationships with important lawmakers and committees.

The National Technology Security Coalition (NTSC) provides a platform for CISOs to advocate for beneficial legislative and regulatory cybersecurity policies. Interested in adding your voice to the national cybersecurity dialogue as a CISO, underwriter, or contributing expert? Check out our events calendar for upcoming roundtables, learn more about the NTSC, and contact us about ways you can contribute.