About · Our Services · Contact Us · Contribute · Partners · Log In

Cybersecurity: An Issue for Both Tech Service Providers and Clients, especially for Cloud, Mobil and Social Computing and the Internet of Things

November 12, 2012 by Bierce & Kenerson, P.C.

The security of the Internet and privacy are key to all Cloud Computing, Mobile Computing, Social Computing and the Internet of Things (with sensors and computers in cars and anything else electrical).  Cybersecurity has profound implications for corporations, “critical infrastructure” and individuals that depend more on cybersecurity in the commercial, economic, social and personal.

According to cybersecurity experts, the vast majority of intrusions are not disclosed to authorities for “security reasons” or to avoid embarrassment and loss of brand value. Given the growing risks and dependencies, private companies will need to define their policies and potential goals and roles in participating, or not, in government cybersecurity programs.  This defining moment continues despite the rejection of the U.S. Senate of a bill on “voluntary” sharing of private sector cybersecurity information with the U.S. Department of Homeland Security.

On August 2, 2012, the U.S. Senate rejected a bill that would have allowed professionals in the private sector – whether internal or outsourced – to share cybersecurity information with the authorities. Referred to as Cyber Intellegence Sharing Protecting Act  (“CISPA”), the proposal would have allowed (without requiring) the private sector to share in “good faith” information on cybersecurity and cyber threats with the Department of Homeland Security.  Following the rejection, rumors circulated that President Obama would establish an  executive order  to allow a public-private partnership for such cooperation (“opt-in”), but this has not happened yet.

Notwithstanding the rejection of this bill in the U.S., the topic remains a matter of global news. This article explores some legal issues for projects of “public-private partnership” to cybersecurity risks: voluntary disclosures of “good faith,” the “limitation of liability” for such disclosure, the scope of the rights of government use any information disclosed (including incidental extraneous private data) and legal disputes with foreign legal systems.  Such issues continue worldwide, especially in Cloud Computing¹, inviting the private sector’s constant vigilance to prevent an Orwellian “cybervoracity” of government (or at least an accommodation) and to maintain confidence in the fundamental commitments of private security.

I. Possible American Approach: A Public-Private Partnership

Conflict of Interest between Governmental and Private Sector. Basically, the government has several fundamental interests in confronting cyberrisks from the private sector. Under CISPA, the  government’s role is to protect the national defense and the “defense industrial base” as well as private “critical infrastructure” (transportation, banking, electricity, water and other utilities). Effective cybersecurity by government supports the continuity of government, economic prosperity and quality of life in general.

In the European Community (“EC”), the same principle applies.   Within the EC, the Member States retain sovereign power to adopt legislative measures to restrict certain private rights to the extent that such restrictions are “necessary, appropriate and proportionate” in a democratic society to safeguard national security (i.e., the state security), defense, public security and the prevention, investigation, detection and prosecution of crime or use without prior permission required electronic systems of communication.

Whatever the place of its business, the private sector has interests that conflict with governmental roles.  This is especially relevant in the protection of privacy. In general, as a matter of B2B and B2C business, each company collects and stores confidential information to third parties who rely on the company for not distributing it without permission. Any “voluntary” transfer “B2G” of this private information to the government bears the risk of government abuses (whether through negligence or intentional).

Guided by its multinational territorial footprint and the context of its activity, every private company defines its own policies for data protection, security and disclosure in accordance with the classification of data. The data can be subject to different legal regimes. Thus data can be broadly categorized as (i) internal trade secrets, (ii) external trade secrets (third party information that is confidential, received under contractual non-disclosure), (iii) information on employees, which in turn can be divided into a file and use a file regulatory labor law and private data, (iv) information on ordinary activities as transactions with customers (including personally identifiable information [PII], the information of the credit card and Demography, and (v) information relating to corporate compliance with the law (e.g., documents, accounting, tax and regulatory).

These classes have additional overlays for legal purposes.  First, any information class may also be classified as “privileged” and therefore not disclosable in litigation.  Second, foreign laws may apply (such as in the EU) to PII and agreements between data controllers and processors.

Prerequisites to the Limitation of Liability for Voluntary Information Disclosures of Cybersecurity. The CISPA bill would have granted a general exemption against any claim by any person for the disclosure of confidential information in connection with a voluntary exchange of information with government cybersecurity. Private companies would have unlimited immunity against all civil and criminal court proceedings against any entity in the U.S. or its officers, employees or agents acting in “good faith” who disclose information on their use of computer systems and cyber threats. This limitation of liability had been designed as an incentive for private sector entities to do what the law seeks to encourage them to do: a robust control of their own systems and networks and those of their corporate clients and sharing information on cyber threats and vulnerabilities to better protect their systems.

The “Good Faith. To avoid potential abuse, the bill would have limited this exemption to cases of” good faith.  The proof of this “good faith” was an essential element to any legal exemption.

Any criterion of “good faith” would expose the private sector to uncertainty of costs and distractions. It would invite litigation in virtually all cases. This criterion was too vague, too vague and unpredictable subtleties charged in each case of “voluntary disclosure.”  The courts would have to decide on the legitimacy and scope of liability in special cases, such as cases of “mixed intent” covering both “good faith” and “impermissible” purposes.

Continued intentions of cybersecurity. To identify the limitation of liability, the bill would require that private enterprise have a specific intent to support cybersecurity, particularly to monitor its systems or networks to identify and obtain information on cyber threats. Any other end would not justify immunity from prosecution by third parties. As the “good faith”, this limitation also suffers from ambiguity. As in the proof of a crime, tort intentions of the actor would be called into question.

New Risks of Businesses, Individuals and Government.  The particular provisions of CISPA would have exposed all providers of information technology and information to costs, risk and confusion.

The Lack of Confidence Client. Such a law could undermine the trust between the corporation (or providers or managers of information systems (ISP’s, for example) and the client. In the absence of contractual waivers, a “voluntary” disclosure of confidential information to government would put suppliers, providers and managers in breach of their non-disclosure agreements. If the draft CISPA had been adopted as law, each provider and each licensee would have had to choose whether to obtain prior third party consents or rely upon governmental immunity for such disclosures. And outsourcers and other tech service providers would naturally want to be indemnified and compensated for any claim for such sharing with the government.

An Avalanche of Litigation. The legislative exemption from liability would have opened the floodgates to litigation against any company sharing of cybersecurity information with the government.  Impugning the volunteer’s “good faith,” a plaintiff’s lawyer might impose significant legal costs, and get significant settlements, to protect classes of victims of the same violation of rights.  Prior to dismissal, the volunteer would bear the costs of defense, preliminary hearings and pre-trial discovery.  In the case of CISPA bill, such legal costs of the defense would be the responsibility of the accused until dismissal.   In short, the private sector was always in danger of its first legal costs and distraction of management to defend against such lawsuits.

Class Action “Settlements.”   In a class action lawsuit against a volunteer, the plaintiff’s bar might seek to impose, or threaten, substantial legal fees and risks.   The defendant company’s “directors and officers’ liability” (and “errors and omissions”) insurance carrier might force the insured company to settle the claim.

Financial Claims against the Government. What would be the financial responsibility of the government to compensate for mistakes or abuse by the government according to a law allowing voluntary sharing and the government’s commitment not to misuse trade secrets or other confidential data? According to CISPA bill, if the government were abusing confidential  information received in the name of cybersecurity, the government would have been liable for actual damages plus attorney fees. The bill would open the doors to litigation against the government voluntarily waiving its sovereignty for limited purposes by amending the Federal Tort Claims Act. What a gift for litigators to defend the interests of individuals and companies whose confidential information is compromised by faulty or abusive governmental disclosures! What a burden for the taxpayer and the National Treasury!

Risks of Governmental Abuses. Two types of governmental abuse can be anticipated in any public-private cybersecurity. First, citizens could neither know nor prove any abuses or breaches by government, even if (as provided in CISPA)  the government were legally barred from using personal information for purposes other than cybersecurity.  Nobody could say whether the voluntary disclosure of self-incriminating could “accidentally” found its way to the enforcement. Given the inability to discover or rectify any such abuses, a “public-private partnership for cybersecurity” would devalue the trust and confidence of customers, individuals, employees, providers, assignors, licenses and other in an enterprise’s value chain.    An uncontrolled governmental surveillance would elicit fears of an omniscient “Big Brother.”   In general, government information would be sufficiently protected, but personally identifiable information (PII) would not.

Second, the bill would have allowed governmental abuses of personal data (private or otherwise) inadvertently captured in the net of “voluntary” disclosures on cybersecurity.  Under CISPA, the federal government could have used private information for other governmntal purposes, so long as, in receiving information, “at least one important goal” of the government’s use would have been cybersecurity or national security of the United States.  This exception was a factor in the defeat of this bill because it would open the door to a Pandora’s box of unintended consequences for private enterprise.

Risk of Private Abuse. The CISPA bill would have allowed the private sector to share unlimited information with the government. There would have been no restriction as to the nature, volume or order of the data, so long as the “good faith” test were met.  In the absence of such restrictions, any entity could freely disclose to the government a lot more information than needed, without “pruning” or segregation, without taking efforts to limit disclosures of “ancillary” information unnecessary to improve cybersecurity.

One can imagine scenarios of private companies “dumping” excess data onto governmental servers. For example, a hospital could transfer to the government certain sensitive data of the patient.  The archive might include personal health information (“PHI”), without any effort to clean or delete PHI data.  The government might use, or abuse, such PHI having an impact medical treatment, reimbursement of claims, hiring decisions, enforcement decisions unrelated to cybersecurity.   This data would be at risk of piracy and other unauthorized uses.

Such an approach is beyond the scope of the measures necessary for the protection of privacy by law of the European Community and Canada, for example. So, a strictly American legislative “solution” would clearly impede international trade in data processing services to European and Canadian customers, among others.

Limitations of Sovereignty: Conflicts of Law. In an integrated world, the legal implications of any “voluntary disclosure” of cybersecurity information transcend national boundaries.  The grant by one government (e.g., the U.S.) of immunity from liability does not grant the same immunity in all other jurisdictions. An American company would risk prosecution by foreign governments, its customers, suppliers and others in the supply chain.  Such limitation of liability would raise legal issues of reciprocity, recognition and retaliation by any other government.

II. The European Sustainable Approach: A Public

Alternatives less intrusive. The American debate on the voluntary sharing of private information on cybersecurity and its impact on privacy rights invites a search for alternative, less intrusive and more balanced.

Inter-governmental advice. In the European Community, an approach to counseling “independently-owned” intergovernmental exists to address these questions, but gives primary governmental emphasis on the protection of privacy, not on cybersecurity. The Working Committee # 29 on the protection of privacy, protection of personal data and cloud computing is based on a consultative approach.  It is an “independent body” whose secretariat is provided by the European Council.   Reviews and papers issued by the “Article 29 Working Party (Art. 29 WP) is independent of the European Commission. The Art. 29 WP was established under Article 30 of Directive 95/46/EC of the European Parliament and the European Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data. Members of the Art. 29 WP are the authorities for the protection of private information of each member state and European institutions and the Commission of the EC.  The Art. 29 WP has its own rules of internal procedure. Art. 29 WP has given its opinion to the Commission in February 2012 on Cloud Computing.

Trade Associations. In the United States, trade associations are empowered to organize a concerted action to advocate their common interests in the legislature. The “lobby” can therefore promote approaches fostering providers (the “processors”) or companies (the “data controllers”).  In India, Nasscom advocates for service providers, but in the U.S. there appear to be no trade association for the outsourcing industry.

Adoption of Standards. National and international standards are already looking for transparency, the free exchange of data and the security of exchanges, processing and data carrier.

Alternatives more stringent.

International Conventions. International conventions can adopt new standards on the law of the Internet. Given the limitations of any individual country’s sovereignty to exculpate the private sector civil liability for breaches of obligations to privacy, heads of state could think of a diplomatic strategy for an international convention.

The contours of such a solution exist between countries in terms of “adequate protection” for the data privacy of the European Community. According to an agreement between the U.S. and the EC, a U.S. company that breaches its obligations (voluntarily undertaken under the “safe harbor”) becomes subject to judicial and administrative procedures of the U.S. government for breach of contract. According to agreements under the “binding corporate rules” (or standard contracts between providers and controllers), commercial companies doing business in several countries may elect to commit to respecting international standards under the Directive on Data Protection.  Since the WTO has not tackled cybersecurity directly, it remains to be seen whether governments can mutually agree on substantive rights and obligations of citizens and commercial companies under such an international convention on cybersecurity. It might mean declaring a new Cold War between “blocks” of countries, targeting countries that lack basic standards or that support “rogue” operations or terrorist cells.

Internal Governmental Surveillance. Instead of an approach to public-private partnership, one can imagine an approach to internal espionage by each government, augmented by governmental “guidance” or “best practices.”  Such an approach exists in some countries, such as China and potentially in Canada (C-30), and would serve as an equivalent to generalized surveillance. As of early November 2012, the Canadian Parliament is currently considering a bill that would allow cyber espionage on Canadian internal communications, or sometimes requiring judicial authorization.   The Canadian government would be able to take action in cyber espionage without judicial authorization, subject to a prior assessment of several public policy considerations:

a) “the extent to which the exemption is likely to harm the national security or enforcement of laws;
b) the fact that telecommunications service providers have the ability or inability to perform the obligations;
c) the fact that the costs of compliance with the obligations in question or not have unreasonable adverse effect on the business of the telecommunications;
d) that the obligations involved do not seriously impede the provision of telecommunications services to Canadians or the competitiveness of the Canadian telecommunications industry.”

III. Strategy Management in IT and Telecommunications

Cybersecurity legal issues affect classic businesses: merchants,  SMEs and multinational service providers in the field of cybersecurity.  But they affect most the trustworthiness of outsourcing service providers who depend on the Internet for their livelihood.   The concept of “public-private” partnering for cybersecurity poses many challenging questions for the future of outsourcing and reliability of the global services supply chain, such as:

• What are the liabilities of outsourcing service providers for policies imposed by enterprise client?
• What terms would apply if the outsourcing service provider wished to engage in the voluntary sharing of confidential information with the government?
• Would it be more prudent to wait for a legal compulsion?
• Pending new legislation, how should data be configured and made accessible?

IV. An Inescapable Symbiosis.

In conclusion, the American legislative experience suggests that private-sector “voluntary” cooperation with police forces and national security would be a bad idea, either in the U.S. or elsewhere, for private companies and all private data providers.

In Europe, the mature age of the EU’s Directive on Data Protection (1995) and on Electronic Commerce (2002) demonstrates a balance that promotes freedom of privacy, which may yet protect government interests. Following this legislative experiment failure in the U.S., other countries will think long-term before embarking on a “partnership” with the private sector on cybersecurity.

Maybe the U.S. will rethink the structure of its multifarious and labyrinthine laws of privacy (with multiple enforcement agencies) to protect the consumer, the consumer finance, the sick, the employer or any other victim of unauthorized access to information systems, private individual European national defense or anyone. The rejection of this bill shows that they already travel a path for more privacy and the protection of trade secrets, but that balance is a dream of government services.

That said, the private sector would not exist in a case of full cyberwar.  Technically, both public and private sectors are symbiotic and interdependent. For example, the Stuxnet virus, according to the newspapers, had been developed by one or two governments as a tool of espionage against Iran, but also infected the computer network Chevron Corp. trading in 2010, and in response to other international companies are targeted by cyber attacks. This mutual interdependence evokes a need for more “best practices” and more non-statutory collaboration between public and private sectors to protect both sectors.  CISPA is dead, but not forever.

Cyber Security Threat Management in Outsourcing: The Coming National Security Regulation of ITO, BPO and KPO

January 29, 2010 by Bierce & Kenerson, P.C.

Imminent national regulation of Internet-based services will impact all companies that use the Internet for project management, collaboration, and remote transaction processing. Google and China have precipitated a showdown that may cause the extension of a web (!) of national of Internet regulations, with many consequences on the freedom and costs of running a global business or servicing customers remotely. The showdown highlights the fact that cybersecurity threats come from many sources, including foreign nation states, domestic criminals and hackers and disgruntled employees.

On January 12, 2010, Google Inc. announced by blog that it had been the target of concerted attacks from Chinese hackers, that its intellectual property had been compromised and that the attacks targeted the identities of its subscribers. See press release, http://www.sec.gov/Archives/edgar/data/1288776/000119312510005667/dex991.htm . Google’s blog revealed that “at least twenty other large companies from a wide range of businesses—including the Internet, finance, technology, media and chemical sectors” were affected. The Wall Street Journal reported that 34 U.S. companies were targets, including Adobe Systems Inc. and Juniper Networks Inc. Other companies such as Symantec acknowledged they are under constant siege of cyberattacks. Cyber warfare attacks have been reportedly used in Iran to ferret out political dissidents and in Georgia to overload telecommunications during military exercises. China filters Internet content through registration and regulation of Internet services.

Cybersecurity is a critical foundation for any country’s national security and economic security and, indirectly, global trade in IT-enabled services and in the global supply chain. Information networks support financial services, energy, telecommunications, transportation, health care, and emergency response systems, as well as ordinary commerce, employment, education, civil liberties and social and family cohesion. The security of private information networks, such as Google, Yahoo, Symantec and Juniper Networks and the underlying software such as Adobe Systems and Microsoft, are the foundation for today’s global economy.

In global sourcing, cyber security is an essential commitment by anyone business seeking to acquire and be a trusted custodian of personally identifiable information (“PII”). If enterprises (“data controllers” under the European Union Data Protection Directive) are going to gather PII and contract with service providers (“data processors”) to process it, the risk of cyber attacks frames the debate on risk allocation, roles, responsibilities, pricing and process integration.

For all participants in the outsourcing industry, it’s time to fresh look at legal structures and financial implications of cybersecurity.

Existing General U.S. Cybersecurity Laws. Current U.S. legislation and regulations already require cybersecurity compliance, audit, certification and compliance generally. Special cybersecurity mandates arise under the Health Insurance Portability and Accountability Act (“HIPAA”) of 1996, the Sarbanes-Oxley Act of 2002 (“Sox”), state security breach notification legislation and credit card rules applicable to banking transactions (the “PCI rules”). The Computer Fraud and Abuse Act, 18 USC 1030, protects against unauthorized disclosure of most computer data. In addition to securities regulations on insider trading, common law also imposes cybersecurity mandates on lawyers and others receiving confidential financial information. Other cybersecurity rules exist in other legislation:

(1) the Privacy Protection Act of 1980 (42 U.S.C. 2000aa);
(2) the Electronic Communications Privacy Act of 1986 (18 U.S.C. 2510 note);
(3) the Computer Security Act of 1987 (15 U.S.C. 271 et seq.; 40 U.S.C. 759);
(4) the Federal Information Security Management Act of 2002 (44 U.S.C. 3531 et seq.);
(5) the E-Government Act of 2002 (44 U.S.C. 9501 et seq.);
(6) the Defense Production Act of 1950 (50 U.S.C. App. 2061 et seq.);
(7) any other Federal law bearing upon cyber-related activities; and
(8) any applicable Executive Order or agency rule, regulation, guideline.

But there are no laws mandating that small business or individuals adopt cybersecurity standards (other than general rules).

Public and Private Assets: “Critical Infrastructure” and “Protected Systems.” Already, the cybersecurity jurisdiction of the Department of Homeland Security applies to both “critical infrastructure” and “protected systems.” The concept of “protected system” would extend the more restrictive concept of “critical infrastructure” to virtually any private computer network. A “protected system” would mean “any service, physical or computer-based system, process, or procedure that directly or indirectly affects the viability of a facility of critical infrastructure.” It would include “any physical or computer-based system, including a computer, computer system, computer or communications network, or any component hardware or element thereof, software program, processing instructions, or information or data in transmission or storage therein, irrespective of the medium of transmission or storage.” Homeland Security Act, Sec. 212. In short, national security and economic security mean that public and private assets will be managed as one suite of assets at risk.

Special Purpose Legislation: Electrical Grids. According to legislation proposed in April 2009, “According to current and former national security officials, cyber spies from China, Russia, and other countries have penetrated the United States electrical system in order to map the system, and have left behind software programs that could be used to disrupt and disable the system.” Proposed “Critical Electric Infrastructure Protection Act,” H.R. 2195, An Act to amend the Federal Power Act to provide additional authorities to adequately protect the critical electric infrastructure against cyber attack, and for other purposes, 111th Cong, 1st Sess. The proposed law would require the Secretary of Homeland Security, working with other national security and intelligence agencies, to “conduct research and determine if the security of federally owned programmable electronic devices and communication networks (including hardware, software, and data) essential to the reliable operation of critical electric infrastructure have been compromised,” including “the extent of compromise, identification of attackers, the method of penetration, ramifications of the compromise on future operations of critical electric infrastructure, secondary ramifications of the compromise on other critical infrastructure sectors and the functioning of civil society, ramifications of compromise on national security, including war fighting capability, and recommended mitigation activities.” Preamble. In short, the new law (if enacted) would amend the Homeland Security Act of 2002 (6 U.S.C. 133(i)) to require special studies to “ensure the security and resilience of electronic devices and communication networks essential to each of the critical infrastructure sectors.”

Pending General Cybersecurity Legislation: Cybersecurity Act of 2009. In April 2009, Sen. Jay Rockefeller (D., W. Va.) introduced a draft Cybersecurity Act of 2009, S 773, 111th Cong., 1st Sess. The bill’s long-form name is “An Act To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes.” The draft focuses on the commercial impact of cyber espionage: “Since intellectual property is now often stored in digital form, industrial espionage that exploits weak cybersecurity dilutes our investment in innovation while subsidizing the research and development efforts of foreign competitors. In the new global competition, where economic strength and technological leadership are vital components of national power, failing to secure cyberspace puts us at a disadvantage.” S. 773, Sec. 2 (2). The drafters warned that the nation is unprepared for “a massive cyber disruption [that] could have a cascading, long-term impact without adequate co-ordination between government and the private sector.” S. 773, Sec. 2 (6).

Cybersecurity Advisory Panel. The draft law contemplates the appointment of a panel of advisors to include “representatives of industry, academic, non-profit organizations, interest groups and advocacy organizations, and State and local governments who are qualified to provide advice and information on cybersecurity research, development, demonstrations, education, technology transfer, commercial application, or societal and civil liberty concerns.” S. 773, Sec. 3(b)(i).

Cybersecurity Dashboard. The bill would also “implement a system to provide dynamic, comprehensive, real-time cybersecurity status and vulnerability information of all Federal Government information systems and networks managed by the Department of Commerce.” S. 773, Sec. 4.

Cybersecurity Institute. Under the bill, the Secretary of Commerce would provide assistance for the creation and support of “Regional Cybersecurity Centers” for the promotion and implementation of cybersecurity standards. Each Center would be affiliated with a United States-based nonprofit institution or organization, or consortium thereof, that applies for and is awarded financial assistance. Such centers would seek to enhance the cybersecurity of small and medium sized businesses and industrial firms in United States through the dissemination and transfer of cybersecurity standards, processes, technology, and techniques developed at the National Institute of Standards and Technology (“NIST”). www.nist.gov. S. 773, Sec. 5(a). This approach reflects other draft legislation, such as the Cybersecurity Enhancement Act of 2009, HR 4061, 111th Cong., 1st Sess., for cybersecurity research, development, education and technical standards for identity management technologies, authentication and security protocols, expanding on the existing Cyber Security Research and Development Act (15 U.S.C. 7401).

Licensing of Cybersecurity Professionals. The draft law would require a national licensing, certification, and periodic recertification program, under the aegis of the Department of Commerce, for cybersecurity professionals (defined as “providers of cybersecurity services”). Such licensing would effectively submit all outsourcing service providers to U.S. federal jurisdiction and enforcement of cybersecurity compliance standards. S. 773, Sec. 7.

Federal Standards. Within a year after enactment, the NIST would be required to “establish measurable and auditable cybersecurity standards for all Federal Government, government contractor, or grantee critical infrastructure information systems and networks.” These would include standards for

(1) security controls that are known to block or mitigate known attacks;
(2) the software security, including a separate set of such standards for measuring security in embedded software such as that found in industrial control systems;
(3) standard computer-readable language for completely specifying the configuration of software on computer systems widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks;
(4) standard configurations for security settings for operating system software and software utilities widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks; and
(5) sniffer standards to identify vulnerabilities in software to enable software vendors to communicate vulnerability data to software users in real time.

The NIST would establish a standard testing and accreditation protocol for all software built by or for the Federal Government, its contractors, and grantees, and privately owned critical infrastructure information systems and networks. The testing would occur during the software development process and on acceptance prior to deployment of software.

International Standards. The draft Cybersecurity Act of 2009 would require the U.S. to participate in setting international standards for cybersecurity. But it stops short of any hope for an international law on cybersecurity. It does not call for a convention on cybersecurity. Certainly any negotiations for such a convention could lead to a “least common denominator” of weak standards and political excuses. In light of the impact on trade in services, certainly cybersecurity would be a subject that might fall under the mission of the World Trade Organization, www.wto.org, or the Organization for Economic Development, www.oecd.org. As it is, the International Standards Organization, www.iso.org, would be the probable forum for any such discussions. Also, the bill would require the President to “work with representatives of foreign governments” to develop norms, organizations, and other cooperative activities for international engagement to improve cybersecurity and to encourage international cooperation in improving cybersecurity on a global basis. S. 773, Sec. 21.

Further Legislation. The United States already has several laws governing cyber security. The draft Cybersecurity Act of 2009 would require the President to review and propose changes in existing cybersecurity laws.

“Pulling the Plug” on Impaired Cyber Infrastructure. The Cybersecurity Act would set up a framework for national regulation of the Internet, which currently is controlled by ICANN, a California-incorporated non-profit organization. www.icann.org. One of the most controversial provisions in the bill would allow the President to shut down the Internet during a time of crisis. The President would be authorized to declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network. S. 773, Sec. 18(2). The President “may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security.” S. 773, Sec. 18(6). This police power would be generally without judicial review.

Insurance and Risk Disclosure and Mitigation. The bill invites Presidential reports to Congress on ways to manage commercial risks of cyber attacks. Such reports would seek to identify the feasibility of:

(1) creating a market for cybersecurity risk management, including the creation of a system of civil liability and insurance (including government reinsurance); and

(2) requiring cybersecurity to be a factor in all bond ratings. Sec. 15.

Identity Management; Identity Theft; Civil Liberties. The bill requires the President to present a report on the “feasibility of an identity management and authentication program, with the appropriate civil liberties and privacy protections, for government and critical infrastructure information systems and networks.” This provision creates a balance between national security and civil liberties guaranteed by the Constitution.

Investment in Security. The current appropriations bill for the Department of Homeland Security, for the fiscal year ending September 30, 2010, contemplates a small budget for infrastructure security on the scale contemplated in the draft Cybersecurity Act. See, Pub. L. 111-83, H.R.2892, Department Of Homeland Security Appropriations Act, 2010, 111th Cong., 1st Sess. (Oct. 28, 2009).

Implications for Outsourcing.

New Opportunities for Outsourcing of Cybersecurity. As cybersecurity becomes more complex, new opportunities will emerge for service providers that deliver protected processes complying with new regulatory standards.

Industry Sectors; “Verticals.” Outsourcing services (including shared service centers and captive processing centers) manage many “critical infrastructures” that are essential to national security and economic security. Certain sectors are generally included in the definition of “critical infrastructures”: banking, financial services and insurance (“BFSI”), public utilities (water, telecommunications, transportation, oil and gas and electricity supply), emergency services and government. See John Motoff and Paul Parfomak, “Critical Infrastructure and Key Assets: Definition and Identification,” Cong. Research Service (Oct. 1, 2004), http://www.fas.org/sgp/crs/RL32631.pdf. The current statutory definition (established in the USA PATRIOT Act of 2001, Sec. 1016(e) and referenced in the Homeland Security Act of 2002) states:

Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating effect on the security, national economic security, national public health or safety, or any combination of those matters.

Under this sweeping definition, virtually all of outsourcing and the economic supply chain of goods and services could be seen as a “critical infrastructure” for regulation, protection and ultimately potential control by the federal government for purposes of security of the government, economy, health and safety.

Covered ITO and BPO Service Providers. The Cybersecurity Act of 2009 would apply new standards to government contractors and grantees and private sector “critical infrastructure systems and networks.” However, in due course, such standards could be applied to all “protected computers” and private computers as well.

Vendor Selection. By adopting national cybersecurity standards, any new federal legislation would impact the selection of competing outsourcing vendors, based on compliance and risk assessments. Smaller vendors, that might comply today with ISO 27000 but not the PCI credit card security standards or any new federal cybersecurity standards, might not be competitive. Their market value might decline, and their selling prices in an acquisition might be lower on the basis of earnings multiples or other valuation metrics.

National Regulation of Cybersecurity. In short, all business and personal computers would be “protected systems” subject to national security protections, including registrations, licensing, compliance and verification. It is clear that the draft law would superimpose itself on all outsourcing contracts that involve the use of any computers. In short, it would apply to all sourcing contracts.

Allocation of Risk for Compliance with Applicable Law. Generally, outsourcing contracts require service providers (including software developers and IT infrastructure support providers) to comply with applicable U.S. law. The draft Cybersecurity Act of 2009 would be implicit in all applications development and maintenance contracts. It would apply to software developed outside the United States.

Extraterritorial Application of National Laws. Currently, the United States and other countries have laws intended to regulate conduct of persons outside their borders that have an impact inside their borders. Such extraterritorial laws include the Foreign Corrupt Practices Act, the Export Administration Act and the International Trade in Arms Regulations. Outsourcing service providers already are expected to comply with such legislation. Service providers should anticipate the extension of national cybersecurity regulation to their operations outside the United States (and other countries where outsourcing customers receive the services). Further, the U.S. Homeland Security department might conduct inspections on foreign territory, subject to local governmental authorization, similar to historical inspections conducted by the Federal Aviation Administration for maintenance and repairs done abroad to U.S. registered aircraft.

Reciprocity between Governments. Protecting outsourcing as an economic process will require governments to collaborate on cybersecurity management. One can easily foresee a new dialogue between the U.S. government and the Government of India, a key source of talent for software development, ITO and BPO, for the mutual adoption of cybersecurity standards, registration, licensing and compliance procedures. A similar dialogue may eventually arise with China, which hopes to promote its technology centers and “software technology parks” as centers of excellence and sources of employment for engineers servicing non-Chinese global enterprises. Similarly, cybersecurity “best practices” are likely to evolve under the aegis of the OECD for economic regulation and NATO for military use.

For related topics:

Privacy, Data Protection and Outsourcing in the United States

wbb

• Publisher’s Blog

  Visit our publisher's blog, Bierce on Business, for commentary on current events.
  
  Registered Users
  We are currently not accepting new registrations, but existing users can still log in.

Transforming the Extended Enterprise

Copyright © 2024 · Outsourcing Law Global, LLC or content contributor · All rights reserved. Editors: Bierce & Kenerson P.C.
ATTORNEY ADVERTISING | Site Map | Disclaimer | Privacy | Copyright | Terms of Use | Time Zone Converter | Web Design