State Of The Union: Trends In Cyber Security Law, Policies

Dan Gunderman

Cyber security is a comparatively new and evolving field, much like the interconnected network that now makes the world go round: the Internet.

As most online shoppers, clients and web surfers know, the Internet is like the Wild West, even in 2017. This is true of cyber security, too, which boasts an enormous platform with many flanks to protect. This protection extends to hardware, software, the IoT space, applications, databases, cross-channel passwords… you name it.

So how does a practicing cyber security professional handle this day-to-day? Is enterprise security far too extensive to be fully guarded against hacks?

This is where legislation comes into play. And much like the Internet as a whole, this is a maturing political arena ripe for discourse – as technology becomes more comprehensive, user-friendly and thus more accessible.

To elaborate, think about the Russian Carbanak group, or the recent Paradise Papers leak, the allegations of Russian hackers meddling in the U.S. presidential election, or even one of the numerous attacks siphoning hundreds of millions of dollars from global corporations. Outside of a single CISO, how does a federal government, or even an agency, play watchdog over all of these burgeoning threats?

It’s a tall order. Yet still, there are some overarching policies in place which attempt to govern cyber practices. This means enterprises are open to Federal Trade Commission (FTC) treatment. The independent agency can impose an audit and oversight order on a vulnerable company. There is also the National Institute of Standards and Technology (NIST), which provides a guiding framework for the tech space.

Enter Jamal Hartenstein, the senior program manager for California Public Employees Retirement System’s (CalPERS’) IT Security Roadmap Program. Hartenstein manages the IT security budget and liaises between cyber security divisions and legal departments. CalPERS is the largest public pension fund in the U.S., and thus Hartenstein must be able to navigate nascent cyber security law and be at the forefront of threat defense.

In an interview with Cyber Security Hub, Hartenstein weighed in on the larger state of cyber security and the many threats lawmakers and public servants are attempting to curb or mitigate.

Today, something enterprises must keep in mind as they deal with the most vicious threats is the possibility of being audited by the FTC in a 20-year oversight relationship called a “Consent Order.”

Hartenstein said these orders aren’t so much “imposed” on embattled companies as they are “agreed to,” as part of a settlement.

“Using a 100-year-old clause, the FTC has standing to sue companies who are involved in ‘deceptive privacy and data security claims,’” Hartenstein told Cyber Security Hub, “such as not living up to the company’s own privacy policy, misrepresenting access controls to PII (personally identifiable information), etc.”

Hartenstein said that although companies affected by lapses in security control measures could receive less “punishment” elsewhere if they agree to the order, it still raises a more fundamental question.

“It can be argued that (the order) is not beneficial because government is taking oversight and audit control of a company that consumers may imagine to be (in the) private/commercial sector,” Hartenstein added.

He said the regulatory demands of the orders can be avoided, however, by complying with the law in the first place. But is the current system, NIST, comprehensive enough for CISOs?

On a wider level, NIST is a measurement standards laboratory and a non-regulatory agency of the U.S. Department of Commerce, poised to promote innovation and industrial competitiveness. Its activities are divided into “laboratory” programs by industry, including information technology.

NIST regularly updates its written policies with regard to cyber security measures. Yet, Hartenstein says NIST remains just a “guiding framework,” not an “obligation,” unless it is ratified by law.

“Enterprises can choose to creatively ‘adhere’ to frameworks, but must ‘comply’ with regulation… (But) unless frameworks are ratified, I’d say they conclusively cannot be used in court as the standard of care in securing your enterprise,” Hartenstein said.

He added that while several federal acts have ratified NIST as the standard, it may not be comprehensive enough for CISOs. NIST dictates practices that would mitigate a breach – but some might not relate to many organizations or might become “cost prohibitive.” So, what is NIST’s overall standing?

“If our industry agrees that cyber security is an industry/profession with little/no room for creativity in addressing risks/threats, then maybe that is saying that CISOs require extensive, all-inclusive handbooks as to how to do their jobs,” Hartenstein said. “Frameworks as guidance help CISOs in their planning and strategy; frameworks as ratified legal standards are hurting CISOs as used in court to sue enterprises for negligent planning/strategy.”

This raises the question: are legislation and government oversight in cyber security lagging? Is it something that can be handled on the federal or state level? Or must it fall to the enterprise?

Hartenstein said that attorneys general in major U.S. states like California and New York have explained “vague and ambiguous” federal legislation. They are also becoming “more definitive” in state statutes regarding standards that companies will be held to. Hartenstein cited New York Attorney General Eric Schneiderman’s decision to make certain encryption measures the standard after the recent Uber breach. In that case, the FTC leveled charges against the ride-sharing company for employee access to PII.

Still, there may not be a cohesive cyber policy as each state selectively chimes in, creating what Hartenstein called the “piecemeal effect.”

As a whole, the CalPERS senior program manager said that federal law “lags” more than state law with regard to cyber security.

“Federal courts have jurisdiction over transnational commerce, so it only makes sense that enterprises that do business internationally and transnationally require a unified governance,” Hartenstein said. “This issue will not likely remain.”

He said the previous administration began addressing the issue, while the current administration “is going along similar lines.”

Hartenstein also said government oversight is expanding and trying to catch up. This includes the judicial branch, as seen in part in its continued allowance of the FTC consent order.

"State of the Union" will be a monthly feature on Cyber Security Hub, deconstructing policy news as it relates to the enterprise.
