At the start of December, the Commission on Enhancing National Cybersecurity (established earlier this year by President Obama) released its final report. To secure the United States against cybersecurity threats, the Commission identified 6 “imperatives”, made 16 major recommendations, and suggested 53 discrete action items. But don’t worry—we won’t bore you with a one-by-one analysis of each of them.
Instead, in a series of blog posts to follow, my colleagues and I will walk you through the action items that we suspect will be most interesting for private companies. What are the recommendations? How will they be realized? What challenges will they entail? And what opportunities, if any, will they promise?
But before we start, a few broader observations:
First, I particularly like one line in the report: “As the world becomes more dependent on the information revolution, the pace of intrusions, disruptions, manipulations, and thefts also quickens.” It’s not a prominent point and I doubt that the authors gave it much thought. But to my mind, it encapsulates something very critical that lawyers often misunderstand: Cybersecurity isn’t just about data privacy!
Cybersecurity is also about ensuring the integrity of your data and systems—for example, preventing hackers from sending fraudulent wire transfer messages using your credentials. And it’s also about ensuring that your systems are resilient, so they don’t end up out of service after a malicious hacker launches a denial-of-service attack on your website. Again, that’s just an example, but a very important one: The report singles out denial-of-service and similar attacks as a top threat and strongly emphasizes the need to achieve operational resilience. Yet it’s incredible how often lawyers get hung up on data privacy and neglect these other critical imperatives. So the bottom line is that I really like this sentence as a succinct summary of cybersecurity issues and their responses:
- Thefts... well, this goes back to privacy and integrity
Second, there’s a suggestion that the burden of cybersecurity needs to “move away from the end user—consumers, businesses, critical infrastructure, and others—to higher-level solutions that include greater threat deterrence, more secure products, and protocols, and a safer Internet ecosystem.” As I’ve discussed elsewhere (Who pays for SWIFT hacks?), it's absolutely correct that the law is struggling with the question of who should pay for cybersecurity, and that struggle often plays out along the “upstream-downstream” spectrum.
After the Target data breach, for example, costs initially borne by end consumers were passed to banks, who passed much of the costs to credit card providers, who then sought to pass the costs to Target. In a sense, the credit card providers might be thought to be “higher-level” than Target or otherwise “upstream,” since they are largely responsible for the credit card system. On the other hand, it was Target that was closer to the security flaws that contributed to the hack. Similarly, after the SWIFT hacks, lawyers are fighting over whether the burden belongs to “higher-level” entities like the SWIFT organization, which controls the SWIFT system, or to the banks who use the protocols—and if the latter, whether the burden belongs on banks who are upstream from the hack (like Wells Fargo) or the downstream banks where the hack actually takes place (like Banco del Austro).
Third, and finally, the Commission seemed to appreciate that regulatory expectations around cybersecurity may need to vary depending on an enterprise’s scale. The report very consciously highlights that small- and medium-size businesses have often been left behind in the race for cybersecurity. It also highlights that small- and medium-size businesses may not have the same cybersecurity resources as a corporate giant. This is a consideration that I find particularly salient given that so much technology is developed by start-ups, which are by definition small- or medium-size businesses. For example, many commentators interpreted the US CFPB’s fine against the payment-tech company Dwolla to mean that the CFPB wasn’t giving start-ups a free pass when it comes to cybersecurity. Obviously, no one should get a complete free pass, but query whether the law needs to afford smaller enterprises some leeway. As the Commission noted upfront, “[i]t is important to keep a balanced perspective. We should be able to reconcile security with innovation.”
And with that, I’ll turn it over to my colleagues. Stay tuned.