Full Report
The McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University published a new policy brief addressing... The post McCrary policy brief outlines how federal policy changes can transform cybersecurity economics for critical infrastructure appeared first on Industrial Cyber.
Analysis Summary
# Regulation/Compliance: Policy Recommendations for Rebalancing Cybersecurity Economics
## Overview
This summary details policy recommendations from a McCrary Institute policy brief aimed at correcting the current cybersecurity economic dynamic, which heavily favors attackers (due to low attack cost and low apprehension rates), by shifting federal cyber policies to incentivize private sector security investments and impose greater costs and accountability on malicious actors.
## Key Details
- Issuing Authority: McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University (Policy Brief Recommendations)
- Effective Date: N/A (These are proposed policy shifts, not enacted regulations)
- Jurisdiction: United States Federal Policy and Private Sector
- Status: Proposed
## Requirements
### Mandatory Requirements (proposed policy shifts toward mandated action)
These are not currently mandated regulations; they are policy proposals intended to become requirements or strong incentives:
1. **Establish a National Cybersecurity Certification and Labeling Authority (NCCLA):** To develop cybersecurity standards and accreditation, ideally in collaboration with experts, to equip consumers with information for informed purchasing decisions.
2. **Incentivize Security via Government Procurement:** Use federal purchasing power to incentivize software manufacturers to prioritize cybersecurity in their products.
3. **Harden Critical Infrastructure (CI):** Incentivize CI operators to invest in capabilities that demonstrably improve security performance.
4. **Impose Costs on Attackers:** Implement measures to increase the cost and reduce the impunity of cyber criminals.
### Recommended Practices
1. **Avoid Overly Burdensome Regulation:** When regulations are promulgated, they must be carefully developed to focus on **outcomes over process** and avoid imposing excessive compliance costs or stifling innovation.
2. **Address Information Asymmetries:** Leverage government purchasing power and certification programs (like the FCC's CyberTrust Mark, though noted as insufficient alone) to eliminate information gaps regarding product security.
3. **Aggressive Law Enforcement Focus:** Law enforcement should focus its efforts on:
* Initial Access Brokers (IABs).
* Ransomware service providers that add the most value to the criminal ecosystem.
* Increased dark web surveillance ("hot spot policing") of markets where access to critical infrastructure is sold, aiming for arrests or system disruption ("bricking").
4. **Sanction State Sponsors of Cybercrime:** The State Department should create a list of state sponsors supporting or obstructing cybercrime investigations (similar to terrorist safe-haven strategies) to impose sanctions and diplomatic penalties.
## Affected Organizations
- Industries: All sectors, with a specific focus on **Critical Infrastructure Operators** and **Software Manufacturers**.
- Organization Size: Not explicitly limited, but the brief's concern for the tech industry's dynamism suggests policies should balance security needs across organizations of all sizes.
- Geographic Scope: Primarily the U.S. federal policy landscape and the U.S. private sector operating within it.
## Compliance Timeline
- N/A: Since these are policy recommendations, no official statutory deadlines exist. Implementation timelines would depend on Congressional or Executive Branch adoption.
## Implementation Guidance
### Assessment Phase
- Assess current product security posture against emerging or voluntary standards (like NIST standards leveraged by the FCC CyberTrust Mark).
- Analyze current costs associated with cyberattacks versus current security investments, recognizing the economic imbalance.
### Implementation Phase
- Advocate for the establishment of the NCCLA structure and standards harmonization.
- Review procurement requirements to align security features with federal purchasing incentives.
- For CI operators, prioritize measurable capability investments over procedural compliance checkboxes.
- Law enforcement/Intelligence bodies should begin mapping out IABs and high-value ransomware service providers.
### Validation Phase
- Validation will initially focus on the success of federal adoption of the policy levers proposed (e.g., successful use of procurement power, effectiveness of cyber sanctions).
- Market demand for certified/labeled products will serve as a validation point for product security initiatives.
## Technical Requirements
- The enforcement of technical requirements is currently indirect, relying on:
* **Adoption of NIST Cyber Standards:** FCC's CyberTrust Mark relies on voluntary NIST standards for IoT devices.
* **Incentivized Security Investment:** Encouraging investment in operational capabilities that improve security performance (rather than just checklist compliance).
* **Offensive Disruption:** Proposals include "bricking" the IT systems of non-apprehendable criminals through offensive operations.
## Penalties & Enforcement
- Fines: Not specified, but the policy aims to *increase* financial consequences for attackers through legal action and asset seizure of ill-gotten gains.
- Other Consequences:
* **Sanctions and Diplomatic Penalties:** Applied to nation-states sheltering cyber criminals.
* **Arrest and Prosecution:** Enhanced focus on arresting and charging cyber criminals.
* **System Disruption:** Using offensive cyber operations to incapacitate criminal infrastructure.
- Enforcement: Through enhanced Federal Law Enforcement (e.g., FBI/IC3 coordination), State Department diplomatic action, and leveraging federal purchasing power.
## Related Standards
- **NIST (National Institute of Standards and Technology) Standards:** Explicitly referenced as the basis for the voluntary CyberTrust Mark certification program for IoT devices.
- **CyberTrust Mark Certification Program (FCC):** A model cited as a positive, though insufficient, step toward labeling security.
- **Cyberspace Solarium Commission (CSC) 2.0 Proposals:** The proposed NCCLA aligns conceptually with prior CSC suggestions.
## Resources
- Official Documentation: Policy Brief: How the Economics of Cybersecurity Favor Attackers and What Defenders Can Do to Change the Dynamic (McCrary Institute)
- Guidance Documents: IC3 2023 Report findings on cybercrime losses.
- Tools: Conceptual framework for leveraging government purchasing power as a compliance driver.
## Practical Recommendations
- **For Industry:** Proactively engage with security certification/labeling initiatives, even if voluntary, to gain market advantage and align with prospective federal incentive structures.
- **For Defense Contractors/Software Vendors:** Prioritize security features that demonstrate measurable performance improvement, as procurement incentives may soon favor demonstrable security outcomes over standard process adherence.
- **For Critical Infrastructure Owners:** Lobby for incentives that support required capability investments and support aggressive federal action against criminal safe havens, as this reduces the baseline threat level.
- **For Policymakers:** Adopt a holistic policy view that pairs positive incentives (labeling, procurement leverage) with aggressive punitive measures (sanctions, targeted disruption) to address market failures.