Recent Cyber Events Highlight the Need for Public-Private Partnership

This is the first op-ed article in a new monthly series by ISAO SO working group members focusing on current topics impacting the Information Sharing Ecosystem. The content is not endorsed by the ISAO SO but provided to stir conversations and engage stakeholders of the ecosystem.

By Stuart M. Gerson[1]

“We must all hang together, or assuredly we shall all hang separately.” Benjamin Franklin

The freedom to innovate, which our dynamic society has allowed, has made America the world’s most developed and complex technology and information driven society. And from its periphery to its cyber core, America has proved vulnerable to successful attack by adversary nation states both directly and through their sponsored or protected surrogates.

Most recently, the Colonial Pipeline ransomware attack took down the largest gasoline pipeline in the country. With deliveries to service stations curtailed, local panic caused runs on the existing supply, leading to shortages and risk to the free flow of commerce and our economy, and perhaps not abstractly, our ability to respond to national and international crises.

Not too long before that, we experienced the SolarWinds hack that compromised an estimated hundred companies, including technology giants like Microsoft, Intel and Cisco, and at least a dozen agencies of the federal government, including the Departments of Defense, Treasury, Justice and Energy, and even the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which was formed to protect the nation from cyber attack.

Add to that mix the reported $40 million ransom that the CNA insurance company paid to ransomware criminals, and you reach the inescapable conclusion that there is a shared problem that requires a shared solution.

Thus, it is no surprise that a new report from the Office of the Director of National Intelligence describes challenges facing the United States in cyberspace. The report cites Chinese cyber espionage and growing offensive capabilities, Russian willingness to engage in disruptive and potentially devastating cyber attacks, and ongoing threats from Iran, North Korea and criminal syndicates.

None of this should leave the impression that our government and the private sector are sitting around passively sucking their thumbs while adversary governments and cyber criminals are rampaging through our critical infrastructure, political institutions, private data, and our technological and scientific treasures. Agencies like CISA and the National Institute of Standards and Technology (NIST), as well as numerous private organizations, have provided best practices and guidelines for avoiding or responding to cybercrime. And agencies like the Department of Justice and its component the FBI, the Department of the Treasury’s Office of Foreign Assets Control, and CISA itself have made cyber enforcement a priority.

But clearly these things have not been enough.

As to the federal government, SolarWinds and a series of intra-governmental surveys demonstrate clearly that the government is unable to protect itself sufficiently. And while security agencies are becoming more aggressive, it remains a fact that government cannot match private sector salaries, and so is admittedly deficient in its ability to attract top cyber response talent. State governments and their subdivisions, many of which have been subjected to ransomware attacks and a variety of zero-day exploits, are in an even weaker position than the federal government.

As to the private sector, despite massive compliance, training and resilience efforts, Colonial Pipeline is yet another in a long and continuous string of exploits showing that the private sector is just as vulnerable. This is particularly noteworthy in that, while maintenance of the security of the critical infrastructure is essential to overall national security, around 80 percent of the critical infrastructure, including everything from hospitals to gasoline pipelines, is in private hands.

As to the human element, a string of recent enforcement actions and indictments punctuates what is a reality in the marketplace: the personal data of employees and customers, and the intellectual property of companies, universities and governmental departments, are being purloined and exploited by adversary nation states and criminal organizations that they encourage and protect.

It has long been recognized that intense cooperation between the public and private sectors is required to meet and defeat this common enemy.

Indeed, there is a host of industry and other groups like various ISAOs and InfraGard that consult regularly with government counterparts. And agencies like CISA and NIST also receive both formal and informal input from private companies and individuals in their rulemaking and policy guidance functions. And, in an attempt to enhance sharing about cybersecurity threats, Congress passed the Cybersecurity Information Sharing Act of 2015; it not only created a system for the government to receive information, but a limited form of immunity that is seen to apply only to the fact of sharing.

None of these things has met the need. Most private sector entities have proven reluctant to share more than limited electronic threat vector information, either with their competitors or with the government. And the reason for this is quite simple. The limited protection afforded in the federal arena is not extensive enough to insulate companies and other private entities from liability under various federal regimes like the Health Insurance Portability and Accountability Act (“HIPAA”), and the often-contradictory data privacy and breach reporting requirements of all 50 states and each U.S. territory. Some, like the California Consumer Privacy Act, specifically empower private suits, even without a showing of demonstrable economic injury. And, increasingly, both federal and state courts are allowing class action litigation, again without any showing of present injury. Public companies also face securities lawsuits.

That litigation briar patch is premised essentially on the understandable desire to assure the privacy of the confidential health, financial and other personal information of the individuals whose data are held by subject entities. This litigation-centric regime focuses on data retention and access, breach notification and regulatory compliance. It is fundamentally penal in nature. That stance recognizes the fact that most breaches are attributable to human error and related negligent administrative practices. But it also is a fact that private entities with the strongest adherence to compliance best practices (just like the public agencies, e.g., CISA itself, that write the regulations) are still victims of cyber intrusions that threaten the integrity and operability of core public facilities like our power grid and health care delivery system, and our overall national security.

Recognizing that we can’t have true security without privacy (or, in fact, privacy without security), is there something that we might do to lessen the burden of litigation without weakening incentives to adopt and follow best practices for compliance?

In the wake of the rash of ransomware and other incidents that are afflicting the nation, Congress is considering a range of legislative options. None of them, however, would truly be effective without federalizing the breach notification and data privacy regime. Especially since most of the private entities that are being attacked are businesses that operate in many states, and we otherwise ought to have consistent national standards to meet a national security threat, the Congress should pass a uniform law and, in so doing, pre-empt the morass of state laws. Enforcement and litigation sanctions should not be negated, but compliance with best practices ought to be incented by the availability of a qualified immunity safe-harbor for subjects and defendants who can demonstrate compliance with pertinent national standards like those published by NIST, CISA and the Department of Health and Human Services Office of Civil Rights (the enforcement agency for HIPAA). Moreover, to the extent that private lawsuits are recognized, there should be a requirement, consistent with Article III of the Constitution, for a showing of injury in fact.

In sum, there is a transcendent national security need that must be addressed by increased public-private cooperation. Getting there would be substantially facilitated by adjusting federal law.

[1] Stuart M. Gerson, a member of the law firm Epstein Becker Green, and former Acting Attorney General of the United States, is a member of several Working Groups of the ISAO Standards Organization.