Published by The Lawfare Institute
in Cooperation With
In enforcing any regulatory system, whether it involves food safety, financial stability of banks, or cybersecurity of critical infrastructure, there are three different questions regulators need to answer: Does the regulated entity have a good risk mitigation plan meeting the regulatory requirements? Does the entity actually implement the plan consistently enterprise-wide? And, (the hardest of all to measure) is the plan as implemented effective in achieving the public policy goals that the regulatory system is intended to advance? For cybersecurity, the progression from the first question to the third is the difference between compliance and security. Over the past year, I’ve benefited greatly from discussions with cybersecurity professionals. Everyone on the ground I’ve talked to has stressed the difference between compliance and security. And the corollary to that is that while there are many paths to claiming compliance, it is very hard to get to ground truth on security.
In Parts 1 and 2 of this series, I explored the limited effectiveness of self-certification and third-party audit as tools of cybersecurity enforcement for critical infrastructure. While a regulated entity’s self-assessment is the starting point for a sound cybersecurity risk management program, and while the hiring of experts to bring an external perspective can identify gaps in such a program and keep it up to date, neither should be confused with enforcement. This places a huge burden on the Transportation Security Administration (TSA) and other sector-specific regulators taking on a cybersecurity mission, as called for under the Biden administration’s new National Cybersecurity Strategy. It will probably be necessary to turn to some form of inspections or supervision, drawing on the experience of state and federal regulators across many sectors and for many types of risks, similar to the systems of supervision or inspection of private-sector entities—such as financial institutions and food processors—that have long been relied on to enforce public goals.
Government monitoring need not be heavy handed. In fact, it is widely recognized that supervisory agencies have a wide range of tools at their disposal, including education, advice, persuasion, and negotiation. Indeed, a study published in 1992 found that, in their implementation of the Clean Water Act, personnel of the Environmental Protection Agency utilized over 60 different enforcement techniques, ranging from “such formal enforcement mechanisms as administrative orders, cease and desist orders, consent decrees, and penalties assessed, to such lower-level informal actions as comments, warning letters, phone calls, meetings with the permittee, enforcement conferences, and even a determination that no current action is warranted.”
Government Review and Approval of Cybersecurity Plans Would Have Value
Before getting to the practice of supervision or inspection, it is worth noting that there are interim steps regulators can take. In the management-based model that features prominently in the current administration’s cybersecurity approach, regulated entities are required to adopt plans assessing risks and articulating appropriate controls. The question, however, remains: What happens to those plans? Enforcement can begin with government review and approval. Indeed, this is one tool already used by the administration: The post-Colonial directives for both pipelines and railroads require regulated entities to submit their cybersecurity implementation plans for approval by the TSA. So too, it seems, does the recent directive to TSA-regulated airports and aircraft operators, according to the press release describing the unreleased measure. The pipeline and railroad directives (and presumably the one for aviation) also give the TSA full access to any documentation necessary to establish compliance.
This is not new. For years, the Department of Health and Human Services (HHS) has insisted on preapproving corrective action plans that hospital chains and others are required to enter into if found violating the health data security and privacy rules issued under the Health Insurance Portability and Accountability Act (HIPAA). For example, in its February 2023 settlement with Banner Health, as in other similar proceedings, HHS required Banner first to conduct a thorough, enterprise-wide analysis of security risks; then, based on this information, to draft an enterprise-wide risk management plan; and then to develop security policies and procedures. At each step of the process, Banner is required to submit its materials for HHS review and approval. At each step, HHS can send the document back for revision. As the settlement specifies, “[t]his submission and review process shall continue until HHS approves.”
In contrast, the Federal Trade Commission (FTC), when it enters into settlement agreements with companies over alleged cybersecurity failings, requires companies to adopt comprehensive cybersecurity plans that incorporate increasingly long lists of controls, but it does not review or approve the plans. Indeed, as far as I can tell, the FTC doesn’t even require companies to tell it what their plans contain.
With review and approval of cybersecurity plans written into the pipeline and railroad directives, the White House and congressional oversight committees should pay attention to how the TSA responds. Has it, for example, sent any plans back for revision? Has it sent them back because specific elements were lacking, or did it go one step further and assess the quality of the proposed plans?
Outside Cybersecurity, Inspections Are the Norm of Regulatory Enforcement
As I began researching privacy and cybersecurity enforcement several years ago, the work of Boston University law professor Rory Van Loo was eye-opening for me, since I had been mainly familiar with the FTC’s case-by-case, after-the-fact approach to enforcement. In contrast to the FTC, Van Loo has documented that monitoring or inspection is the most common means used by federal agencies to enforce regulatory systems. As he has written, “In the wake of major crises throughout history—bank failures that threatened the North’s ability to fund the Civil War, oil spills that contaminated American coastlines, or muckrakers’ exposés of vermin-infested meatpacking facilities—Congress has repeatedly responded by giving agencies monitoring authority, which is the power to subject businesses to routine on-site inspections or examination of private records.”
Inspection is not guaranteed to be effective. According to Van Loo, whether monitoring is better than its many regulatory alternatives has yet to be answered satisfactorily despite decades of study. There is, however, some episodic evidence of value. For example, researchers at the Federal Reserve Board found in an interesting natural experiment that as soon as bank supervisors stopped showing up to monitor activity, banks increased their risky investments and engaged in accounting gimmicks to inflate their reported capital ratios. Low supervisory attention also delayed the resolution of insolvent banks. That, combined with the additional risk taking, resulted in higher failure costs borne by taxpayers. In turn, there are multiple examples of the failure of supervision as well. As Van Loo notes, despite having federal examiners on-site year-round, Wells Fargo employees opened millions of unauthorized accounts in customers’ names for years.
The Inspections Model Is Already Deployed for Cybersecurity
Federal regulators are already engaged in cybersecurity inspections of some sectors. Most notable is financial services, where regulators routinely and persistently inspect the entities under their jurisdiction. The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau all include cybersecurity in their inspections. In its IT handbook, the Federal Financial Institutions Examination Council provides overall guidance, including detailed examination procedures on cybersecurity issues.
Take the OCC. Its fiscal year 2023 bank supervision operating plan identifies operational resilience and cybersecurity as a priority. The agency conducts full-scope examinations of each bank every 12 to 18 months depending on the bank’s characteristics, such as asset size and financial condition. In every supervisory cycle, the OCC conducts an IT assessment for each bank that includes an examination of cybersecurity risk management and controls, using the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool.
Likewise, the Securities and Exchange Commission conducts regular examinations of broker-dealers and investment firms and has made identification and assessment of cybersecurity risks one focus of those exams since at least its 2014 Risk Alert. At the state level, examples of regulatory oversight of cybersecurity include the “safety and soundness examinations” conducted by New York State Department of Financial Services. And the California Consumer Privacy Act calls for rules that require businesses to submit their risk assessments to the California Privacy Protection Agency and empowers the agency to conduct audits to ensure compliance with the act, which includes a requirement that businesses take reasonable measures to protect the security of personal data they collect.
The Federal Energy Regulatory Commission (FERC) conducts direct inspections of hydropower projects, including their cybersecurity: “During the Dam Safety Inspections, the FERC Engineer inquires about measures taken by the licensee regarding Industrial Control System (ICS) assets for dam operation, and remote operation of project facilities.” Other elements of the bulk electric power system are also subject to cybersecurity inspection, although under a unique framework. Cybersecurity standards are developed by an industry body, the North American Electric Reliability Corporation (NERC), and approved by FERC, giving them the force of law under section 215 of the Federal Power Act. Regional entities under NERC then conduct on-site audits of approximately 1,400 entities constituting the bulk electric power sector to measure compliance, with reports back to FERC on deficiencies found and corrective measures taken.
One lesson from all of this is that government inspection of the cybersecurity of critical infrastructure is not outlandish. As the government extends cybersecurity regulation to sectors previously operating only under voluntary guidelines, inspection would be consistent with the practice in other sectors.
As cybersecurity assumes the role in economic stability that integrity of the banking system or the reliability of the stock exchanges have long had, regulators will need to expand their inspections or examinations capability. The TSA and other sector-specific regulators will be hard pressed to find personnel capable of performing meaningful cybersecurity inspections. But that is no reason not to start. The financial services industry today is subject to extensive monitoring, but when the Office of the Comptroller of the Currency began bank inspections in 1864, there likely was a lack of trained bank examiners. There was also probably a lack of trained examiners in 1934 when the modern system of supervision of broker-dealers was created, and of airplane inspectors in 1932 when the precursor to the Federal Aviation Administration established an early version of its safety program. The cybersecurity issue is now where bank regulation was in 1864, where supervision of the stock exchanges and broker-dealers was in 1933 and 1934, and where air travel was in 1932. In all those sectors, the government has built up extensive inspections or monitoring capabilities, with undeniable benefits to reliability, safety, and economic development. So too it can—and must—for critical infrastructure cybersecurity.
In suggesting that a more effective approach to cybersecurity will likely have to entail more direct government inspection of critical infrastructures, I can already hear the cries of some in industry that inspections will be heavy handed, costly, and ineffective. First, this mischaracterizes the essence of the monitoring approach as practiced. As Van Loo points out, supervision-based enforcement is not merely—not even primarily—a matter of direct coercion. Much of the impact of inspectors relies on the “softer” techniques of education, advice, persuasion, and negotiation. So too can a system of cybersecurity enforcement.
Moreover, it’s not as if the current system is cost free. Post hoc case-by-case enforcement often involves highly contested and very costly enforcement actions. In contrast, as Van Loo wrote in arguing for FTC monitoring of the privacy practices of large internet platforms, “monitoring fits well with the modern emphasis on collaborative governance—that is, working with firms to solve problems rather than adopting a punitive approach at the first signs of wrongdoing.