Enacting tough federal cybersecurity standards an uphill battle, experts say

Passing new cybersecurity standards would involve many congressional committees, federal departments, and regulatory bodies

A gasoline station ran out of gasoline in Arlington, Va., on May 11 in the wake of the Colonial Pipeline shutdown caused by a cyberattack. (Xinhua News Agency via Getty Images)
Posted June 15, 2021 at 5:45am

The spate of recent ransomware attacks on federal contractors and operators of critical infrastructure, culminating in the attack on Colonial Pipeline in May, has built momentum for new federal laws and regulations to require disclosure of breaches as well as mandatory cybersecurity standards. 

But writing such laws and regulations in a timely manner and ensuring they are finely tailored is likely to pose a challenge involving multiple federal agencies, Congress and the new national cyber director. 

In the aftermath of several high-profile cyberattacks, “I do think you’re seeing some recognition that business as usual and the status quo just isn’t going to cut it,” said Frank Cilluffo, director of Auburn University’s Charles D. McCrary Institute for Cyber and Critical Infrastructure Security and a member of the congressional Cyberspace Solarium Commission. 

“My hope is that we take a scalpel and not a sledgehammer” to such regulations and mandates, Cilluffo said. 

The Solarium Commission, composed of lawmakers and cybersecurity experts from industry and academia, is pushing for a combination of “carrots and sticks or benefits and burdens” focused on getting certain key industries among the larger group of critical infrastructure sectors to adopt tighter security standards and reporting requirements, Cilluffo said. 

The Washington Post last week reported that in a survey of cybersecurity experts, about 86 percent out of a total of 81 respondents said the federal government ought to require companies in critical infrastructure sectors to meet minimum cybersecurity standards. 

The standards being considered include coming up with a federal breach notification law that would require companies in key sectors to report cyberattacks and breaches to federal authorities within a specified time frame. Basic cybersecurity hygiene practices such as two-factor authentication and routine penetration testing of computer networks are among other actions being contemplated.  


The federal government would offer carrots too, perhaps benefits such as greater sharing of sensitive intelligence with private companies and some protection from liability for private companies disclosing attacks on their systems in exchange for companies adopting tougher, mandated standards, Cilluffo said.  

Although the federal government lists 16 different sectors as critical infrastructure, the effort at drawing up cybersecurity standards would focus on those among the list that would most affect national security, economic well-being, emergency preparedness and public health, Cilluffo said. 

Even focusing on a smaller subset of the U.S. industrial landscape that includes chemical factories, food processing plants, water and sewage facilities, and oil and gas pipelines would likely be an overwhelming challenge involving multiple congressional committees of jurisdiction, federal departments, regulatory bodies and industry associations. 

The challenge of bringing together the various competing interests is likely to fall on Chris Inglis, nominated to become the first national cyber director. The Senate Homeland Security and Governmental Affairs Committee is expected to vote on his nomination Wednesday, and the whole chamber could take up the confirmation vote soon afterward. 

Inglis’ job, often compared to that of a head coach, would be to ensure “that all of the players are moving toward the same goal with the same objectives and talking off of the same playbook,” Cilluffo said. 

But not everyone is convinced the federal government is capable of crafting standards, and questions have been raised concerning whether the government should even engage in such an effort.  

“I’m very skeptical of the federal government’s ability to regulate in the cyber arena for a variety of reasons,” said Jamil Jaffer, founder and executive director of the National Security Institute at George Mason University’s Antonin Scalia Law School.

“First, the federal government itself has significant cybersecurity challenges, so the idea that it has the key to solving the private sector’s cybersecurity challenges seems hard to believe,” said Jaffer, who served as a White House aide to former President George W. Bush. 

Considering the pace at which cybersecurity threats evolve, by the time the federal government draws up standards across multiple sectors, those measures are likely to be outdated, Jaffer said.   

That could leave companies more vulnerable because “if private sector actors are incentivized by the government to comply with dated regulations, it may actually open up vulnerabilities rather than close them,” Jaffer said. 

Jaffer said the emerging understanding in Congress and among federal agencies that cyberattacks on private companies are the result of a market failure is wrong. 

Instead, it’s a failure of information flow “because individual companies don’t have the information the government has about what nation-state attackers or criminal hacker gangs are doing,” and the government continues to be unaware of what’s transpiring on private networks, he said.

“The problem, thus, isn’t a market failure that requires regulation but an information gap that can be solved by dramatically better public-private collaboration,” Jaffer said. 

While a federal breach notification law might create a single national standard, it might also be duplicative because there already are 50 state breach notification laws, and public companies also have to report cyberattacks to the Securities and Exchange Commission, Jaffer said. 

Forcing adoption of security standards under threat of fines is likely to lead companies to do the minimum required and nothing more, leaving them vulnerable as threats change, he said. 

In the place of mandates, the government should provide incentives to companies such as “strong regulatory protection, strong liability protection, including anonymity, to get good reporting,” Jaffer said. “What we really need to do is get the lawyers out of the room and let cyber operators collaborate with one another in real time.” 

Cilluffo also sees many challenges in drawing up federal standards. 

“Anyone who tells you it’s a simple and easy process … it just ain’t so,” Cilluffo said. “There are a lot of pieces that need to be moving in the same direction.”