We talk a lot about the importance of information security but let’s be honest it is not the most accessible topic for even experts at times. Day after day we find out new information which can be very overwhelming. So what would it look like to have a standardized system for understanding what makes something secure? Such a proposal might be able to help consumers and suppliers make better choices in purchasing and product development. Well we may have a new hope in the Cyber Shield proposal by Senator Edward Markey (D) of Massachusetts.
There is no formal document written yet, instead Markey has been working with the Institute for Critical Infrastructure Technology (ICIT), a cyber security think tank. With the ICIT Markey is finding a feasible foundation on which the legislation will be drafted. The Cyber Shield proposal is still in dialogue stage, however a very necessary dialogue that leading think tank ICIT approves of .
Cyber Shield is at once both a design policy and labeling system that is voluntary for businesses to participate in. No part of this legislation is necessarily new, we see preemptive design principles in other goods and services, we see labeling systems intended to inform purchasing decisions, and some of the strongest systems are voluntary. In this article you will find insights from James Scott the Senior Fellow at ICIT who did the initial analysis of the policy dialogue.
The design side of the proposal seems to be rooted in security-by-design principles that anticipate insider and outsider threats. This should be commonplace but among the private sector it is not. In fact, a study conducted by Dimensional Research has demonstrated that cyber security is an afterthought in product and service development. Product and systems development, right now, are a rush to get to market. This creates problems where many more preventable vulnerabilities are present to the public. This becomes even more of a social threat as reliance on cloud software, storage, and Internet of Things become more integrated into everyday life for individual and business consumers. Security, in the private sector has for the most part been reliant on security through obsolescence.
It is for this reason security-by-design is critical in the development process, because most security scenarios are preventable if they are accounted for in the initial design. The core principles of security-by-design are economy of mechanism, fail-safe defaults, complete mediation, open design, separation of privilege, least privilege, least common mechanism, and psychological acceptability. While these would seem standard practice they are not in reality. Security-by-design principles have been promoted by NASA, NSA, and NIST according to James Scott. It is an approach that policy makers have not been discussing, rather dialogue has been centered on reactionary measures. This has kept government behind best practices over the years when it comes to information security.
Example: The United States Air Force (USAF) is the primary division in the U.S. Military that is actively working on cyber security for the Armed Forces. In January the USAF made clear their efforts to reinforce cyber security in all weapons systems for the Armed Forces. It was made clear by the AF Cyber Technical Director that an analysis and re-development of systems would take place for weapons to ensure the security of the weapon systems. The principle concern for the Air Force is the reduction of risk, as is the case with almost any public sector organization. This focus on risk reduction has made cyber security one of the leading capital investment projects in the USAF.
The labeling system aspect of policy is intended to correct the traditional market failure of information asymmetry. This labeling system would need to go beyond a some of the weaker certification systems that have developed over the years. There are many strong examples of labeling systems intended to enhance public safety by providing them more information. Nowhere is this more present than the nutrition labeling system.
The Nutrition Labeling and Education Act came into effect on November 8, 1990 signed into law by President Bush. It required nutrition labeling on most foods controlled by the FDA. So the real question is what are the behavioral and social effects of such labeling? This question has been studied for years and research tends to conclude that there is a significant behaviour change in consumer behavior as a result of labeling. In most cases nutrient labeling had the impact people establishing a “fat budget” where they were tracking either calories or fat content they were consuming daily. So it did have the impact of getting people to pay attention to what they were consuming but did it get people to change their behaviours in the ways intended. Not necessarily, the study also indicates that the label had an impact where taste differences were small between healthy and unhealthy options. However when presented with great taste differences American consumers opted for the unhealthy choice, despite the label. This offers insights for what may happen with a labeling system developed for information security. In the security context consumers, both individual and business, may opt for convenience over security. This is likely to be the case if the security-by-design principle of psychological acceptability is ignored in the development process. This is the critical relationship in the proposed legislation that design and labeling need to have a synchronized relationship.
Current discussions about a label for information security have been very productive and grounded in strong analysis. When it comes to information security a star rating may be misleading according to James Scott. Scott’s reasoning was that it promotes the idea that a product is “certified” safe, which is an illusion because of ever-changing threats. One of the discussions between Scott and Markey’s office was instead rooting the label in a confidence rating between 0-99% and machine learning so that as inputs and conditions change, a machine network can quickly take those into consideration live. This approach by James Scott has support from recent usability research of nutrition labeling. According to studies, single attribute labeling schemes are far more effective than multiattribute ones. This study concluded that the current nutritional label is not as usable or effective as it could be as a result of the complexity of the label. Developing a label for information security would be a catalyst for behaviour change in consumers and producers, however this does rely on a good management of the policy development process to ensure that a strong regulatory solution is put forward.
Regulatory success depends on the rigor of analysis done to ensure it will not cause negative externalities to the stakeholders involved or generate an additional market failure. So far the approach that Edward Markey is taking seems to indicate his office is taking proper precaution to ensure a strong policy is developed for the security of the United States economy.