A Flexible Approach to Cybersecurity Regulation

Management-based regulatory delegation may create a more effective framework.

Cybersecurity is a “hot topic” in U.S. politics.  The White House issued an Executive Order earlier this year, the Department of Defense classified cyberspace as a war domain, Congress considered multiple pieces of legislation, and both the popular and trade press continue to report on numerous high profile incidents both in government and the private sector.  Some leading experts have called for comprehensive cybersecurity regulation.

Such “comprehensive” regulation is misleading, though, as it risks applying a one-size-fits-all solution to a problem that is anything but uniform.  The better way to approach cybersecurity is through the concept of Management-Based Regulatory Delegation (MBRD), a flexible approach to regulating that would employ aspects of delegation to private industry both on the front-end—in rulemaking—and on the back-end—in compliance and enforcement.

The MBRD approach to cybersecurity builds on the work of Ken Bamberger, Cary Coglianese, and David Lazer, and suggests a regulatory framework capable of harnessing private expertise to address complex and highly technical problems in heterogeneous industries.  Whether intentionally or by accident, Congress experimented with this method for cybersecurity regulation of the healthcare and finance industries. This experiment provides us with valuable insight into leveraging private expertise.

A particular challenge to cybersecurity arises because it calls for the protection or regulation of four categories of information systems: military and defense operations, non-military government information systems, private sector critical infrastructure, and non-critical private sector information systems.

The competencies required to address threats faced within each of these categories differ in several ways.  Military and defense operations, for example, must adopt a more stringent “risk prevention” approach, which they also are better suited to achieve because of the command-hierarchy backed by the threat of criminal punishment inherent in the military.

Private companies operating non-critical information systems, by contrast, have a fiduciary duty to their shareholders to apply the most efficient level of protection—which may differ widely from the “strongest” level of protection.  They also lack the ability to enforce as rigid a hierarchy as the military.

Private companies operating critical infrastructure, such as utilities, telecommunications, financial systems, and healthcare systems, bear many of the same characteristics of other private organizations, but they possess a heightened protection obligation stemming from the substantial negative externalities if their systems fail or are compromised.

So where does this leave us in figuring out how to regulate information systems?  How should government develop effective information security regulation in the context of private organizations?

Both healthcare entities—through HIPAA—and financial entities—through  the Gramm-Leach-Bliley Act (GLBA)—have been subject to information security regulation since the early 2000s.  With few exceptions besides critical infrastructure, however, most industrial sectors got their first taste of information security regulation with the spread of Security Breach Notification laws (SBNs) at the state level, much of which occurred in the latter half of the 2000s.

HIPAA and GLBA are both examples of Management-Based Regulatory Delegation, as their information security provisions employ hybrid rulemaking procedures requiring regulatory agencies to engage in pre-rulemaking consultation.  In implementing these laws, both healthcare and financial regulators used this front-end consultation requirement to develop regulations setting forth aspirational goals, ultimately requiring that individual regulated entities develop and adhere to their own compliance plans to meet these goals.  This form of regulation relies heavily on private expertise within regulated entities to determine the precise details of organizational regulatory compliance.

Engagement of private expertise is effective in addressing information security threats, which are heterogeneous across organizations.  Individual entities not only have better information about what are the most salient risks and threats, but they also have unique information necessary to determining the best defense and risk mitigation strategies.

Interviews I conducted with several CISOs at key large organizations in the healthcare, finance, telecommunications, energy, and information technology industries confirmed the benefits of this approach to regulation, but also suggested that organizational “buy-in” may be lacking in the absence of some additional “nudge” to make information security a priority.  That nudge could come in the form of external regulation (through SBNs) or it could come from the organization or one of its peers experiencing a high-profile security incident.  According to the CISOs, these types of nudges have been effective in encouraging compliance with very specific requirements.  However, that compliance may come at the expense of other security initiatives.  One CISO told me that when he was instructed to “encrypt all the laptops,” his staff had to do so without any additional resources being provided to implement the extensive, new security directive.

Both directive regulation and its more flexible cousin, MBRD, face challenges.  Directive regulation—demonstrated by SBNs—is effective at “nudging” specific practices, but fails to afford security experts discretion to address what they believe to be the most salient threats.  MBRD, by contrast, affords substantially greater flexibility, but results in a “race to the bottom,” as organizations fail to allocate sufficient resources to implement their security plans (or develop them at all) in the absence of specific—as opposed to general—enforcement.

I suggest the solution lies in a blend of the two types of regulation: flexibility for comprehensive requirements through MBRD, with specific directive regulation layered on to “nudge” organizations to allocate sufficient resources.  To test this hypothesis, I compare the efficacy of each of these modes of regulating individually to their combined efficacy.  SBNs became a reality for most organizations well after HIPAA and GLBA compliance became reality for the healthcare and finance sectors, thus making it possible to empirically compare them.  As I explain more fully elsewhere, blended regulation is more effective at preventing reportable breaches of sensitive data than is either directive regulation or MBRD regulation alone.

So where does this leave us?  Blended regulation seems to be a superior approach. Breach notification requirements may be one effective type of nudge.  Widening the scope of SBNs  to cover types of incidents beyond custodial consumer information could increase attention.  In fact, the SBN “nudge” and resulting notification is precisely how HIPAA regulators became aware of notable Security Rule compliance failures.  Costs of notification for this expanded regime could be mitigated by requiring centralized reporting rather than consumer reporting, a change that may have the added benefit of developing badly-needed empirical data on information security incidents.

As Congress and federal regulators consider “comprehensive cybersecurity regulation,” they would be well-advised to examine the MBRD model present in HIPAA as an effective means of engaging private industry expertise and achieving private sector “buy-in.”  At least in the case of HIPAA, the CISOs I have interviewed suggest that their participation in the rulemaking process gave agencies incentives to develop regulations more aligned with the public interest.

David Thaw

David Thaw is a Visiting Assistant Professor at the University of Connecticut School of Law and a Fellow of the Information Society Project at Yale Law School.  This post draws from the author’s upcoming article in the Georgia State University Law Review, “The Efficacy of Cybersecurity Regulation.”