
Cyber-security regulation

A cybersecurity regulation comprises directives that safeguard information technology and computer systems, with the purpose of forcing companies and organizations to protect their systems and information from cyberattacks such as viruses, worms, Trojan horses, phishing, denial of service (DoS) attacks, unauthorized access (for example, theft of intellectual property or confidential information) and attacks on control systems. There are numerous measures available to prevent cyberattacks, including firewalls, anti-virus software, intrusion detection and prevention systems, encryption, and login passwords. There have been attempts to improve cybersecurity through regulation, and through collaborative efforts between government and the private sector that encourage voluntary improvements. Industry regulators, including banking regulators, have taken notice of the risk posed by weak cybersecurity and have either begun, or plan to begin, to include cybersecurity as an aspect of regulatory examinations.
In 2011 the DoD released guidance called the Department of Defense Strategy for Operating in Cyberspace, which articulated five goals: to treat cyberspace as an operational domain, to employ new defensive concepts to protect DoD networks and systems, to partner with other agencies and the private sector in pursuit of a 'whole-of-government cybersecurity strategy', to work with international allies in support of collective cybersecurity, and to support the development of a cyber workforce capable of rapid technological innovation. A March 2011 GAO report 'identified protecting the federal government's information systems and the nation's cyber critical infrastructure as a governmentwide high-risk area', noting that federal information security had been designated a high-risk area since 1997. Since 2003, systems protecting critical infrastructure, referred to as cyber critical infrastructure protection or cyber CIP, have also been included in that designation. In November 2013, the DoD put forward a new cybersecurity rule (78 Fed. Reg. 69373) that imposed certain requirements on contractors: compliance with certain NIST IT standards, mandatory reporting of cybersecurity incidents to the DoD, and a 'flow-down' clause that applies the same requirements to subcontractors.

A June 2013 Congressional report found that there were over 50 statutes relevant to cybersecurity compliance. The Federal Information Security Management Act of 2002 (FISMA) is one of the key statutes governing federal cybersecurity regulation. Beyond it, there are few federal cybersecurity regulations, and the ones that exist focus on specific industries. The three main cybersecurity regulations are the 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley Act, and the 2002 Homeland Security Act, which included FISMA.
These three regulations mandate that healthcare organizations, financial institutions and federal agencies, respectively, protect their systems and information. For example, FISMA, which applies to every federal agency, 'requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security.' However, the regulations do not address numerous computer-related industries, such as Internet Service Providers (ISPs) and software companies. Furthermore, they do not specify which cybersecurity measures must be implemented and require only a 'reasonable' level of security. The vague language of these regulations leaves much room for interpretation.

Bruce Schneier, the founder of Cupertino's Counterpane Internet Security, argues that companies will not make sufficient investments in cybersecurity unless government forces them to do so. He also notes that successful cyberattacks on government systems still occur despite government efforts. It has been suggested that the Data Quality Act already provides the Office of Management and Budget with the statutory authority to implement critical infrastructure protection regulations through the Administrative Procedure Act rulemaking process. The idea has not been fully vetted and would require additional legal analysis before a rulemaking could begin.

State governments have attempted to improve cybersecurity by increasing public visibility of firms with weak security. In 2003, California passed the Notice of Security Breach Act, which requires any company that maintains personal information of California residents and suffers a security breach to disclose the details of the event. Personal information includes name, social security number, driver's license number, credit card number or financial information. Several other states have followed California's example and passed similar security breach notification laws.
Such security breach notification laws penalize firms for their cybersecurity failures while leaving them free to choose how to secure their systems. They also create an incentive for companies to invest voluntarily in cybersecurity, in order to avoid the loss of reputation and the resulting economic loss that can follow a successful cyberattack. In 2004, the California State Legislature passed California Assembly Bill 1950, which also applies to businesses that own or maintain personal information about California residents. It requires businesses to maintain a reasonable level of security and extends the required security practices to their business partners. The law is an improvement on the federal standard because it expands the number of firms required to maintain an acceptable standard of cybersecurity. However, like the federal legislation, it requires only a 'reasonable' level of cybersecurity, which leaves much room for interpretation until case law is established.
