States try incentive-based cybersecurity – GCN
A major element of the cybersecurity laws that three states have passed puts the burden of proof on the accused. This means that an organization that suffers a breach can avoid facing punitive damages if it can show that it conformed to recognized cybersecurity frameworks and implemented the best controls available at the time.
That’s intentional, panelists said June 6 during a session titled “The State(s) of Cyber Incentives – Creative Laws Driving Better Security” at the 2022 RSA Conference. Providing an incentive, especially one that is financial in nature, spurs better security.
“There’s an implicit model that we’ve used for decades: If we just could scare people enough or inspire them enough, they’ll just go out and solve this problem,” said Tony Sager, senior vice president and chief evangelist at the Center for Internet Security (CIS). “None of those have ever worked. I’ve done this for 45 years. What we have missed in this industry is: ‘Why would I do that? What’s the incentive?’”
He and CIS worked with Connecticut on its Cybersecurity Standards Act, which was enacted in 2021. It assumes that cybersecurity is voluntary and therefore needs to be incentivized to encourage adoption. To earn the incentive, organizations must use frameworks such as the National Institute of Standards and Technology’s Cyber Security Framework (CSF) and CIS’s Critical Security Controls, and they must be meet certain requirements about scale and protection.
The idea is that compliance doesn’t provide a get-out-of-jail-free card, but rather sets up an organization’s ability to argue that it took reasonable actions based on flexible frameworks, said Brian Ray, professor of law and director of the Center for Cybersecurity and Privacy Protection at Cleveland State University’s Cleveland-Marshall School of Law.
The Ohio Data Protection Act (ODPA) was the first incentive-based cybersecurity law to be passed, in 2018. Utah’s Cybersecurity Affirmative Defense Act came in 2021 and is essentially a “carbon copy” of ODPA, said Kirk Herath, whom Ohio Gov. Mike DeWine appointed the state’s cybersecurity strategic advisor in April. Both laws are based on affirmative defense, which means the defendant introduces evidence and if it’s found to be credible, it negates criminal or civil liability even if the defendant committed the alleged acts.
Connecticut’s law differs in that instead of the complete affirmative defense, it is an affirmative defense that precludes punitive damages.
The trick, Sager said, is in translating technology, attacks and attackers into public policy and market incentives – things that will help people not become experts in technology and security but make rational, risk-based decisions.
“When we [CIS] make a recommendation, we don’t expect people to just read this and interpret it, we expect them to implement it,” he said. “We’ve got to write it in the most straightforward way that will lend itself to implementation, measurement, reporting, etc.”
He’s learned that the best way to do it is to ask for one thing at a time: Do this one thing and then determine how to implement it, measure its maturity and monitor it over time.
Standards like CSF and CIS’ controls are what Herath calls gap-fillers. They don’t require legislative action or changes to regulations. Instead, they’re about “the give and take of where are the risks and the vulnerabilities and the threats and then where are the controls and the mitigations that you need to apply to those and how has that evolved?” he said. “You end up having an evolving standard that evolves with time without a lot of political fighting.”
The panelists also addressed the need for but also struggles with obtaining cyber insurance policies. Fifteen years ago, the Homeland Security Department thought that insurers would make standards for cybersecurity, much like insurers informed building codes, Sager said, but “cyber risk and ransomware was the X factor. It’s almost uninsurable.”
It easier to predict the fallout from natural disasters than from ransomware or denial-of-service attacks, he added.
Still, he and Herath said the federal government should create a uniform standard for cybersecurity and let agencies such as DHS and its Cyber and Infrastructure Security Agency provide incentives to meet it through grant money.
“If flood insurance is a federal program, maybe there needs to be cyber insurance,” Herath said, adding that it’s unlikely to develop any time soon. “There isn’t enough capacity in the insurance market today and I don’t see it [happening] in my lifetime.”
Stephanie Kanowitz is a freelance writer based in northern Virginia.
Gloss