Bridging the Cybersecurity Gap

Abstract

There is a massive disconnect between the academic/civilian government cybersecurity community and the industry/defense/law enforcement cybersecurity community. This paper explores the causes of this disconnect and attempts to find common ground on which to develop legislative and policy responses to the incredible cybersecurity concerns facing the country. It concludes with a specific legislative and policy proposal. The disconnect between these cybersecurity communities is in a sense unsurprising – particularly following post-Snowden understandings of US intelligence policy. The academic/civilian government community has long been concerned with information security and surveillance. This community has long advocated encryption as a critical component of any approach to cybersecurity – this view has redoubled since the Snowden revelations. On the other side, the industry, defense, and law-enforcement communities largely do not view encryption as a meaningful part of a cybersecurity solution. Importantly, this is not because encryption conflicts with government surveillance – or other information gathering (e.g., subpoena) – efforts. Rather, it is because encryption does little to improve security; rather mitigates the effects of security breaches. Moreover, encryption introduces substantial complexity which can introduce new attack vectors, increasing risk. This captures an essential part of the disconnect between these communities: the difference between information and system security. Importantly, these lead to very different, and at times conflicting, policy foci. From here, the paper considers various components to policies that may improve cybersecurity – considering both issues that make cybersecurity challenging and approaches to addressing those issues. Perhaps most important, it considers the role of insecure software, insecure implementation of software (i.e., bad security practices), the importance of threat and data breach disclosure, and the difficulty of assessing liability. Based on this analysis, this paper proposes a policy approach to improving the current state of cybersecurity in the US. This proposal is based around a two-part statutory damages regime for data breaches: generally, firms that experience data breaches would be subject to substantial statutory damages, on a per-record and per-record-type, basis. For instance, there may be a fine of $5 per lost username, $15 per lost password, and $20 per lost SSN. But these damages would only apply to firms that do not have cybersecurity insurance; damages for firms that do have such insurance would be capped at actual damages. This approach would address liability and damages concerns; give firms access to sophisticated cybersecurity guidance; facilitate sharing of breach information without raising collusion or government surveillance concerns; and create strong incentives for sophisticated and resource-rich entities (the insurance industry) to promote better software design. The ultimate goal of this paper is not to “solve” cybersecurity – while the proposed policy would hopefully bring about meaningful improvements, it certainly would not “solve” cybersecurity. Rather, the more substantial goal is to identify some of the key impediments to meaningfully addressing cybersecurity issues – largely the competing high-level perspectives of various stakeholders – and to prompt discussion of viable policy prescriptions. * Not for poster consideration.