NTSC Blog

NTSC Southeast Regional CISO Policy Roundtable

From left to right: Pete Chronis (Turner CISO and Roundtable host), Patrick Gaul (Executive Director of the NTSC), Kimberly Steele (Associate Director of the NTSC), and Larry K. Williams (President and CEO of the NTSC)

CISOs Advocate for Beneficial Legislative and Regulatory Policies Affecting the Security of the Private Sector

As we enter an anti-regulatory era, it remains to be seen if this current landscape will benefit the cybersecurity industry. Currently, very little useful cybersecurity regulation exists. Issues such as data breaches, active defense, and cybersecurity standards of care are left for businesses to determine with minimal help, consistency, or oversight.

During the inaugural National Technology Security Coalition (NTSC) Southeast Regional Chief Information Security Officer (CISO) Policy Roundtable on February 1, 2017 (hosted by NTSC Board Member, Pete Chronis, CISO of Turner, at Turner Techwood Campus in Atlanta, Georgia), CISOs discussed the present and future implications of cybersecurity policy on three key questions:

  • What are the pros and cons of nationalizing data breach disclosure laws?
  • Can legislation help the cybersecurity community grapple with emerging threats?
  • What can we learn from European Union security and privacy laws as we shape our own legislative agenda?

Overall, CISOs talked about how they are the missing voice when many cybersecurity laws and regulations are enacted. Without a CISO’s business-oriented, practical viewpoint on cybersecurity, laws and regulations are watered down or skew too much in favor of unrealistic privacy standards.

At a high level, a summary of our CISO discussion shows that plenty of opportunities exist for these executives to begin forming a strong, consistent voice that sits at the table when cybersecurity laws and regulations are drafted, debated, and passed at the national level.

What are the pros and cons of nationalizing data breach disclosure laws?

Moderator: Robert Ball, Chief Legal Counsel, Ionic Security

Today, there is no national data breach notification law—and that is “brutal” for CISOs dealing with 47 different state laws (plus data breach laws in the District of Columbia, Guam, Puerto Rico, and the Virgin Islands). How do you follow a clear, consistent process when faced with so many laws?

This situation is a costly mess, and many companies are not prepared—legally, financially, or technically—to handle a data breach. According to Ponemon Institute’s 2016 Cost of Data Breach Study, a data breach costs companies an average of about $4 million. Even in the best case, a data breach disrupts a company for months in terms of customer turnover, reputation damage, threat detection, incident response, victim notifications, employee training, and more. Handoffs to the U.S. government are mired in confusion between different federal agencies. And international companies must follow both United States and EU laws.

The good news? The need for national data breach legislation holds bipartisan support—and so it may be a matter of time until it’s passed. The bad news? If CISOs don’t raise their voice at the table, then legislation may present more administrative and financial compliance burdens.

Luckily, Congress is interested in hearing from CISOs and the NTSC has already begun lobbying on the Hill to push this issue in 2017. Discussion about a national data breach notification law is just one of many opportunities to get a practical, reasonable law passed about an important issue.

Can legislation help the cybersecurity community grapple with emerging threats?

Moderator: Robert Ball, Chief Legal Counsel, Ionic Security

As a higher-level question that looks ahead long-term, the answer was a resounding yes—but with some qualifications. CISOs admitted they, as a group, currently are not vocal on the Hill. This is the reason the NTSC exists, and it’s an important observation for a few reasons.

  1. Legislative efforts work better than executives figuring out cybersecurity policies on their own. When executives try to define cybersecurity policy by themselves, inconsistent policies and best practices result.
  2. The alternative to legislation is a random court in a state arbitrarily deciding crucial cybersecurity issues. This situation leaves important cybersecurity decisions to chance.
  3. An authentic, practical voice is needed to reflect cybersecurity reality. Consumer activists, theorists, and academics contribute important voices to the cybersecurity debate. But they are not in the trenches every day like CISOs. Additionally, CISOs need to counter the voices of industry and trade groups that often advocate cybersecurity in ways that are harmful to business.

As an example, active defense is an area mired in a lot of confusion. Cybercriminals and nation-state actors often attack both large and small businesses. Yet, CISOs feel that the government doesn’t do enough to protect businesses from these attackers. Lack of government involvement or help means more red teams (to test security by “attacking” systems, networks, or data access), hackbacks (reverse engineering hacking efforts), and lawyers—all of which lead us down a slippery slope. CISOs feel there is too much focus on company liability and yet the government often lacks answers or information about attackers.

At the roundtable discussion, attendees began to flesh out a list of top issues (including active defense) that are incorrectly legislated or described—and that are ripe for possible legislation influenced by CISOs.

What can we learn from European Union security and privacy laws as we shape our own legislative agenda?

Moderator: Peter Swire, Huang Professor of Law & Ethics, Georgia Institute of Technology Scheller College of Business

CISOs agreed that while the EU is years ahead of the United States in creating national cybersecurity legislation, the EU is much stricter on business than the United States would prefer. In the EU, data protection is considered a human right—implying that nations not following EU data protection laws are violating human rights. That harsh indictment of anything outside of EU law poses problems for the United States and the rest of the world.

While data protection is important, laws that are too strict can create problems. For example, Microsoft is currently winning a case in the United States against prosecutors who wanted the company to turn over email account data related to a crime. Law enforcement obtained a warrant, but the desired information was stored on servers in Ireland. That country’s laws don’t permit the release of this information despite Microsoft’s headquarters being located in the United States and the state of New York issuing the warrant.

This request for information is not unreasonable. If a crime is committed and evidence involves email, then it’s logical to issue a warrant to collect the email as evidence. But if the email cannot be given up due to strict European privacy laws, then data privacy might interfere with U.S. interests. If this case ultimately sides with Microsoft, then this may set a precedent of substantial separation of data between United States and European servers.

Strict regulations such as the EU General Data Protection Regulation (GDPR), the updated ePrivacy Directive, and additional proposed regulations around the Internet of Things all have many United States companies scrambling. The deadlines for fixing vulnerabilities to meet EU laws appear nearly impossible to meet, and EU fines are increasing dramatically (in some cases between 2-4% of a company’s annual worldwide turnover, which generally means 2-4% of a company’s annual worldwide gross sales revenue).

Yet, we can learn from the more negative effects of these strict laws—especially because it’s so difficult in the United States to enforce EU-style laws. In learning from the EU, we can craft laws that protect privacy, aid law enforcement, and help businesses remain as unfettered and competitive as possible.

Conclusions

Despite a variety of viewpoints at NTSC’s inaugural roundtable, the group was in agreement about:

  • CISOs need a greater voice on the Hill. It’s clear they have been unrepresented too often in past legislative cybersecurity efforts and activities.
  • Cybersecurity legislation and regulation are needed in an anti-regulatory climate. Lacking significant cybersecurity legislation, the United States is in dire need of legislation and regulations that help clarify important issues hurting information protection efforts and American business.
  • The US needs to strike a balance between no regulations and over-regulating. The EU offers lessons in how to craft cybersecurity legislation and regulations, but also serves as a warning of consequences if those efforts are too strict.

The National Technology Security Coalition (NTSC) provides a platform for CISOs to advocate for beneficial legislative and regulatory cybersecurity policies. Interested in adding your voice to the national cybersecurity dialogue as a CISO, sponsor, or contributing expert? Visit NTSC to learn about ways you can contribute.