Amid fears that a “cyber 9/11” is only a matter of time, cybersecurity experts and lawmakers are looking at a number of new ways to strengthen the nation’s cyber defenses, including incentivizing market-driven solutions to enhance the resilience of critical infrastructure such as power grids, air traffic control and banking systems.
Earlier this week, the House Committee on Homeland Security’s Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing to examine the potential benefits of expanding the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act to include cybersecurity.
“Right now the SAFETY Act can only be triggered by an act of terrorism,” said subcommittee chairman John Ratcliffe (R-Texas). “However, for cyber attacks attribution is extremely difficult to determine. Regardless of whether the hacker was a terrorist, nation state, cyber criminal or hacktivist, the impact of a devastating cyber attack would be the same.”
Ratcliffe said the “SAFETY Act coverage for cybersecurity will not solve all our cybersecurity challenges but it has the potential to make a significant improvement in our Nation’s cyber defenses.”
As part of the Homeland Security Act of 2002, Congress enacted the SAFETY Act, a voluntary program that provides incentives for the development and deployment of anti-terrorism technologies. The purpose of the law is to ensure the threat of liability does not deter potential manufacturers or sellers of anti-terrorism technologies from developing and commercializing technologies that could save lives.
To qualify for the protections afforded by the SAFETY Act, companies must demonstrate on an on-going basis that they have a comprehensive risk management plan in place. Applicants must submit to a rigorous and thorough vetting process by the Department of Homeland Security (DHS) SAFETY Act Office. In return, the act limits the company’s liability in the event of an act of terrorism.
The panel convened to discuss the merits of expanding the SAFETY Act to protect companies that make cybersecurity technology as well as critical infrastructure providers like banks, electric utilities and transportation companies.
“Much of our nation’s critical infrastructure is privately owned, and in the 21st Century, there now exists an interconnectedness of physical security and cybersecurity,” Ratcliffe stated. “This means that someone sitting at a keyboard can now initiate a physical injury by issuing commands to an office building, air traffic control system, or someone’s automobile, resulting in loss of life — not just the theft of personal information from a database.”
“Many products and services weren’t built with cybersecurity in mind,” Ratcliffe said.
Clarifying the SAFETY Act
Brian E. Finch, senior fellow at the George Washington University Center for Cyber and Homeland Security, told the panel the US desperately needs to promote and incentivize new cybersecurity technologies, policies and best practices.
According to Finch, not only can the SAFETY Act be used to improve cybersecurity, but it already has been. With a few “statutory tweaks,” he said, the Act could be made exceptionally helpful in expanding its use in the private sector.
“These minor tweaks will permanently clarify that the SAFETY Act applies to cyber attacks committed by a variety of actors, as well as attacks where attribution is unclear or impossible,” Finch said.
As the SAFETY Act is currently drafted, the secretary of homeland security must declare that an “act of terrorism” has occurred in order to trigger the protections of the act. Nothing in the SAFETY Act statute or Final Rule, though, requires that there be a finding of “terrorist” intent in order for the secretary to declare that an “act of terrorism” occurred.
In fact, the only discussion of “intent” is that the attack must have used a weapon or other instrument “intended” to cause some form of injury. Congress did not explicitly, or implicitly, limit qualifying “acts of terrorism” to politically, religiously or otherwise ideologically motivated actions by specifically defined groups or persons.
For purposes of the SAFETY Act, an “act of terrorism” was simply an intentional unlawful act intended to cause harm to US persons, property or economic interests.
It follows, Finch explained, that “the SAFETY Act statute can be (and is) interpreted to include cyber attacks as an act that can be considered an ‘act of terrorism’ and may serve as a trigger for the protections of the SAFETY Act.”
Finch continued, saying, “This point is readily demonstrated by the fact that DHS, through its Office of SAFETY Act Implementation, has already approved a number of cybersecurity products and services. By that measure alone, we know that the SAFETY Act applies to a variety of cybersecurity products and services.”
Consequently, Finch said he believes there is no question that cyber attacks, as well as cyber products and services, are eligible to receive SAFETY Act protections under the plain language of the SAFETY Act statute and the Final Rule as originally drafted.
Hence, the SAFETY Act needs to be clarified, not amended.
“Clarifying – but not amending – the SAFETY Act so that it explicitly covers cyber incidents and cybersecurity technologies is not only appropriate given the seriousness of the cyber threat,” Finch said. “It is also appropriate given the general misunderstanding of how the SAFETY Act works and the need to provide flexibility to the Homeland Security Secretary when determining whether to let the protections of the SAFETY Act be applied.”
Opposition: incentivizing or stifling innovation?
Andrea M. Matwyshyn — Microsoft Visiting Professor at the Center for Information Technology Policy at Princeton University, a professor of law at Northeastern University and a faculty affiliate of the Center for Internet and Society at Stanford Law School — told the subcommittee that cybersecurity awareness has dramatically increased over the past decade as high-profile incidents have continued to dominate headlines. Unfortunately, the nation’s cybersecurity measures are failing to keep pace with the increasing number and sophistication of attacks.
Further complicating the situation is the reality that the field of information security is still in its infancy, which means there are no tried and tested practices on how best to respond to security failures and improve the data stewardship capabilities of both the private and public sectors.
This is the context framing the current discussion of extending the SAFETY Act to cybersecurity. Although the US must stimulate improved information security practices, Matwyshyn fears the SAFETY Act will stifle the very innovation it is trying to create.
Limited liability, Matwyshyn argued, could unintentionally create incentives for lower quality in information security products and services. Currently, the market for information technology products and services is booming and has matured significantly over the years with some estimates putting sales of digital security products and services at $80 billion worldwide in 2015. This number could rise to $93 billion in the next two years.
However, decision makers could be lured into choosing older, potentially more vulnerable, certified technologies simply because of a lower price point. This creates a huge problem, since technologies are continually being updated to meet the demands of the ever-evolving cybersecurity threat landscape.
“Because of the fast pace of innovation in information security, it is likely that the liability protection offered to certified products by the SAFETY Act will outlive the optimal technical efficacy of those certified products,” Matwyshyn explained. “Yet, any technology deployed during the period of designation is protected for the lifetime of designation.”
If companies begin to shift away from purchasing based primarily on technical efficacy toward purchasing information security products based on whether they are certified under the SAFETY Act—even if the products are not a good fit—the SAFETY Act could end up hindering the adoption of new information security technologies in favor of older ones.
“Selectively granted limitations of liability through the SAFETY Act will hinder innovation in information security and negatively disrupt the information security marketplace,” Matwyshyn said. “They are also likely to indirectly damage national security and stifle consumer protection efforts of other agencies.”
In his Homeland Security Today cover report, System Shutdown, G. I. “Dutch” Forstater, CEO, COO and chief engineer of Professional Systems Engineering LLC, nationally known for his expertise in the design and engineering of integrated systems for complex critical infrastructure projects, warned that, “Obsolescence through time is proceeding to shut down existing security systems from further product or technical support right before our very eyes. By 2015, the computerization of electronics will have increased the capacity of integrated circuits one million fold in just 30 years’ time.”
“Electronic chips are already more than three million times lighter and 10,000 times cheaper than an equivalent device 30 years ago. But even with this substantial increase in miniaturization, memory management, memory capacity, cloud services and virtualization of the legacy personal computer (PC), the basic X86 processor is still the same old device of 40 years ago,” Forstater wrote.
And, “This will pose serious and fundamental problems for access control and other security systems by 2018 because of this simple reality of life cycle and the consequent costs to continue interim software development until the next X86 version processor is developed,” he stated.
Matwyshyn argues instead for a tax incentive approach. SAFETY Act funding could be repurposed to provide tax benefits to enterprises operating on tight budgets so they can invest in information security education, hire security personnel and purchase information security goods and services.
On the flip side of the coin, Raymond B. Biagini, partner at Covington & Burling LLP and original author of the core liability protection provision of the SAFETY Act, argued that DHS’s continued requirement that a technology have a record of “proven effectiveness” will likely spur higher quality technology.
Biagini believes the real challenges will be for the DHS SAFETY Act Office to have sufficient qualified resources to conduct meaningful and timely reviews in an atmosphere of rapidly changing technology and threats.
“In the end, this amendment, like the original SAFETY Act, should be driven by a common spirit and intent: to take proactive legislative incentivizing steps now — to avoid a catastrophic debilitating incident involving a major critical infrastructure or economic sector of the US,” Biagini concluded. “This proposed discriminate amendment of the SAFETY Act is a step in the right direction.”