March 01, 2018

State & Local ICT Policy: A Framework for Cybersecurity

By Michael A. Aisenberg

When Alexis de Tocqueville toured the young United States in 1831 and 1832, gathering the observations that became Democracy in America, he tempered his celebration of the constitutional tools of the American federal experiment with observations about the unique relationship between the individual states and the fledgling federal government. He specifically bemoaned the absence of effective executive functions at the state level capable of carrying out common public purposes: “Certain undertakings are of importance to the whole State; but they cannot be put in execution, because there is no State administration to direct them.”

ICT in the States: The Problem Is One of Federalism

Over our history, even as the federal role in regulating business and technology has advanced—some argue “exploded”—in pursuit of the “public interest, convenience, and necessity,” the states have acquired new and diverse roles not envisioned by the framers or in their own original constitutions. The roles of Texas as national arbiter of public school textbook content, of California as a center for innovation in workplace policy, and of New York as a frontline cybersecurity regulator all mirror functions present to varying degrees in federal policy structures; yet each of these, like dozens of other state regulatory regimes, is a distinct implementation reflecting local economic activity and public demand for policies tuned to the character of the individual jurisdiction.

Pervasive reliance on information and communications technology (ICT) over the past four decades, accelerated by the Internet since the World Wide Web became available in the 1990s, has produced a state-centered level of ICT activity that, taken together, exceeds the federal ICT infrastructure. Public education, a uniquely state-sponsored activity, is often where a citizen first encounters and is trained on IT devices, and the myriad institutions of state government have become the most prevalent consumers of ICT equipment, software, and services. As Gartner’s annual survey data document, state-supported public and higher education, courts, law enforcement, corrections, taxation, benefits systems, and health care are all heavily ICT dependent.

Examples of the public policy consequences of this emerging state and local ICT center of gravity abound. Among the most visible are the proliferation of the California model of data breach response in the “data breach” statutes of over 40 states,[1] and the 2017 adoption of a rigorous data security program for financial services and banking institutions operating in New York, administered by the New York State Department of Financial Services (NYDFS).[2]

Contributing Cause: Congressional Policy Gridlock

The emergence of state and other subfederal regulation of technology activities is often attributed to the failure to establish federal consensus regulatory and response structures through legislation. The brutal debates and episodic inertia over “data breach notification” are the poster child: a series of federal response schemes has failed to achieve congressional consensus since the mid-2000s, even as multiple, sometimes wildly divergent, approaches to data abuse proliferated in the states. While it is not the purpose of this article to argue that point, a simple count of the bills introduced in Congress with a cyber component since 2000, compared with the number actually passed, reveals a striking disparity with observable consequences.

This absence of congressional policy action on many cyber issues has resulted in two demonstrable responses: (1) a body of executive orders (EOs) and presidential policy directives (PPDs) addressing aspects of cybersecurity, cybercrime, and information sharing across administrations from Clinton to Bush, Obama, and Trump;[3] and (2) a body of state statutes addressing cybercrime, data breach notification, and other ICT niche topics.[4]

But one need not look far back in our history to understand that, at least for issues that could (and arguably would) benefit from comprehensive federal policy in the form of congressional legislation, executive branch orders directing agency behavior and practice are at best limited and may ultimately prove counterproductive, especially when promptly reversed by a successor administration.

Some federal ICT policy structures have worked well. The directives in the complex of the Clinger-Cohen Act, the Federal Information Security Management Act (FISMA), the Federal Information Security Modernization Act (FISMA II), and the Federal Information Technology Acquisition Reform Act (FITARA),[5] designed to build cybersecurity protection into the acquisition and deployment of federal agency ICT capabilities, are well designed and reasonably well adopted across the Department of Defense (DoD) and the national security agencies. But the uneven results in federal civilian agency security show that the reach of that structure is limited. It does not extend to necessary private sector partners, notwithstanding recent efforts to “back door” private sector cyber responsibility through the rules for controlled unclassified information (CUI), formerly “sensitive but unclassified.”[6] It does not address the risks arising from counterfeiting and product impersonation in the commercial ICT supply chain. And it does not reach the $65 billion in ICT hardware and software added annually by the states and 16,000 subfederal localities to the already trillion-dollar ICT installed base in state, local, tribal, and territorial (SLTT) infrastructure.

The corpus of EOs and PPDs that have proliferated in parallel with the asserted diminishing capacity of Congress to reach consensus and pass substantive legislation is well documented. It is not, however, as dramatic or pervasive as champions and critics claim. For example, during the Obama administration Congress passed the following major ICT/cyber legislation: (1) the National Cybersecurity Protection Act of 2014, (2) FISMA II, and (3) FITARA. During the same eight-year period, 10 cyber-focused EOs and PPDs were issued (see tbl. 1).

In fairness, the last administration’s intent and appetite to engage in top-to-bottom ICT/cyber policy reinvigoration was substantial; in February 2016, 11 months before leaving office, the Obama administration released a broad, multipronged Cybersecurity National Action Plan,[7] a comprehensive agenda for action that should have become an omnibus cyber policy statute but instead became a largely unfulfilled cyber shopping list. While some of its proposals were incorporated in EOs and agency initiatives, most failed to secure congressional action and remained aspirational at the end of the administration, and some that were adopted in 2016 were summarily reversed on January 20, 2017, or by EO 13800 later that year.

It is a well-recognized principle of policy under our federal regime that congressional action—adoption of legislation and its codification in federal public law—is preferable to presidential actions, whether through EOs or memoranda, which by their nature are limited in effect to the conduct of federal agencies under Article II authority and do not reach the conduct of states, localities, or individual citizens.

In ICT, the scope and scale of local interest is large and growing. Studies from 2010–2015 report subfederal ICT investments in the $70–$75 billion range, expected to have reached at least $75 billion by 2017 and destined to pass $100 billion annually by 2020.[8] Yet the “domains of interest” of state policy action, especially statutory action, have to date been limited to squeaky wheel responses to notorious issues such as cybercrime and data breach notification.

In fact, the areas of concern, and of potentially harmful behavior resulting in injury to citizens and economic loss, reach far beyond these “tip of the iceberg” issues and include the entire scope of ICT reliance in the personal and business activities of citizens, as well as the reliance of state and local institutions on ICT to assure their proper conduct. Failures of technology, abuses, frauds, and unremediated anomalous functioning all may contribute to economic and physical harm. In many instances these harms occur without remedy, as slow or absent federal policy fails to keep pace with the exploding presence of ICT in local critical infrastructures, local businesses, workplaces, highways, and homes.

Framework for Action

Four areas of subfederal interest are ripe for legislative and structural revision of current practice; from a cost-benefit perspective, action in each could yield enormous benefits to state and local ICT infrastructure, and to the nongovernmental organizations (NGOs) and individual citizens that depend on it.

  1. Undo federal preemption of civil suits for regulated connected (Internet of Things, or IoT) devices;
  2. Modernize local government contracting for technology;
  3. Improve action against ICT vendor “sharp practices” and insider fraud by establishing local expert investigative bodies such as the emerging state and local inspectors general (IGs); and
  4. Use the 79 existing multijurisdictional state-operated fusion centers to share information regarding cyberattacks, system failures, and vulnerabilities across states.

Once a critical mass of consensus on these approaches is reached in the state and local community, the framework of authorities and organizational structures to implement them could be formalized and harmonized through a uniform state statute to be developed by the Uniform Law Commission/National Conference of Commissioners on Uniform State Laws (ULC/NCCUSL). Individual tailoring could readily be accomplished to respond to unique local environments or interests, such as the presence of significant industries (e.g., financial services in New York or media and technology in California).

Let’s briefly examine each of these four proposed areas for state ICT policy action.

Reverse Existing Federal Preemption of State Civil Jurisdiction for IoT Injuries

The first element of the proposed four-part framework for improving the state ICT environment deals with the absence of clear federal guidance regarding the explosion of the IoT and the connectivity of every manner of device to the global IT network. A variety of connected devices—devices operating on global networks as part of the IoT—are subject to federal regulation; as a result, injured individuals who wish to seek a remedy from the vendor of a failed device—a manufacturer of an unmanned vehicle, a connected medical device, or an electrical appliance that malfunctions and causes harm—may find their path to a judgment blocked by the federal regulatory scheme.

For example, under present federal law administered by the Food and Drug Administration (FDA), connected medical devices—particularly Class III medical devices whose operation might directly impact patient safety and the failure of which might result in serious injury or death—are regulated under the Food, Drug, and Cosmetic Act (FDCA) and its related Medical Device Amendments (MDA). Both the statutory framework and associated jurisprudence with regard to the issue of state tort liability of drug manufacturers and device manufacturers for claims of damage in state civil litigation are convoluted, evolving, and nearly silent on the specific issue of “technology” injuries. These are injuries resulting not from a failure of an FDA-regulated device to conform to its traditional FDCA “safety and efficacy” requirements, but from harm resulting from a software error, connectivity failure, or other “cyber” fault unique to the fact of the device’s connection to a network by which its functioning can be controlled, monitored, and impaired.

For much of the FDA regulatory landscape, including branded and generic drugs and many medical devices, the statutory schemes and jurisprudence have identifiable centers of gravity that can be summarized as three classes of federal preemption (express, implied, and obstruction preemption) articulated in Supreme Court opinions in several cases since 2009.[9]

Particularly for the many existing and emerging devices that can provide life-sustaining functionality of essential physiological systems, largely falling under Class III pre- and post-market agency reviews, the issue of regulatory compliance is based on the devices’ medical functionality and safety: does the infusion pump deliver the proper volume of medication at the proper intervals, does the oxygen concentrator resist contamination, will the defibrillator continue to deliver accurate voltage during a power failure?

FDA regulatory review of these thousands of different devices, deployed to millions of health providers and individual patients, has historically not been structured to determine whether a device has reliable networking software, is protected from external attack and malicious tampering by effective firewalls and encryption, or has access controls that keep unauthorized individuals from interacting with the device and the patient. The various state tort liability statutes do appear to permit an individual to sue a device manufacturer for injury; surviving a motion to dismiss on grounds of federal “regulatory preemption,” however, is far less certain, and the question has produced a line of cases across multiple jurisdictions, with multiple Supreme Court reviews, leading to the conventional wisdom that such suits are “preempted by federal law.”

The resulting barrier to remedy for these thousands of injured individuals works an obvious unfairness, especially when the failure was related to an aspect of the device not subject to the federal regulatory agency review. Even those agencies that are beginning to address technology flaws such as bad software, counterfeit chips, and failed network security are doing so prospectively, meaning, for example in the case of connected medical devices, that millions of devices may be in use, connected to networks but never having been subject to expert review to identify flaws and failures of these network functions. The result is an environment where citizens injured by network-rooted failures of these devices may be left with no recourse other than a complaint to the regulatory agency, with unlikely prospects of being made whole, particularly where the harm was not simple economic loss but physical injury or death.

The solution to this uncertain, unfair, and potentially catastrophic limitation of jurisdiction is to counter it with a statutory grant of specific jurisdiction at the state level with particular reference to the federal regulatory regimes and focused specifically on devices where the software and network connectivity capabilities of the devices were never reviewed by the federal regulatory agency.

Improve Contracting for ICT Devices, Software, and Services

The second promising area for state action is one that recognizes the economic reality of the information economy. While we are quick to describe the “cyber” ecosystem as a creature of invisible bits and bytes moving virtually undetected across the almost mythical World Wide Web, the fact is that the devices and appliances which enable this traffic, and its associated trillions of dollars’ worth of commerce and other economic activity, themselves constitute an enormous economic force.

As discussed earlier, according to Gartner and other surveys since 2010, state and local government purchases of ICT devices (computer workstations, servers, laptops, routers, printers, smartphones, tablets, and associated software) grew from $50 billion past $70 billion to about $75 billion annually in 2017, and are anticipated to reach $100 billion per year by 2020. This makes ICT procurement, along with real estate and vehicles, one of the top three acquisition areas of every jurisdiction in the nation; ICT is a large part of what citizens’ tax payments buy. At the federal level, the statutory scheme outlined earlier has produced a model of controls and reviews intended to let most federal agencies buy commercial, off-the-shelf ICT products on favorable terms and pricing. Nonetheless, the federal government spends over $100 billion a year on ICT, and the recognized presence of costly mishaps, poor negotiation, faulty pricing, supply chain abuse, and counterfeiting, not to mention outright insider theft, fraud, and other misconduct, has produced an explosion in the ICT-related work of each agency’s IG and of the congressional spending watchdog, the Government Accountability Office (GAO).

Statutes such as the Clinger-Cohen Act and FITARA direct federal acquisition officers on how to negotiate and obtain desired devices at the best value. “Total life cycle cost” and “best value” negotiation have become commonplace in commercial contracting as a result of programs and practices evolved in federal agencies to assure the best use of tax dollars; yet much dissatisfaction remains in the agencies, the congressional funding committees, and the watchdogs. Due to its size, critical missions, and enormous IT budget, the DoD has evolved a variety of acquisition practices under the Defense Federal Acquisition Regulation Supplement (DFARS) intended to make program planners’ and acquisition officers’ tasks easier.

One invaluable tool that has evolved in the wake of these statutory directions is the Program Protection Plan (PPP).[10] The PPP is a planning and tracking tool that consolidates all protection efforts associated with a sensitive ICT acquisition in the DoD; over time it has come to be used across the national security community, and by federal agencies seeking close control over their ICT investments. As such, it would be equally useful in state courts, law enforcement, corrections, taxation, and other domains. It is designed to deny access to critical program information (CPI) to anyone not authorized or lacking a need-to-know, and to prevent inadvertent disclosure of leading-edge technology to foreign interests, by tracking each engagement, document, and other transactional element during the planning, consummation, and deployment of an ICT procurement.

DoD guidance describes the process used to prepare a PPP when one is required:

  • Any program, product, technology demonstrator, or other item developed as part of a separate acquisition process, and used as a component, subsystem, or modification of another program, should publish a PPP.
  • Effectiveness of the PPP is highly dependent upon the quality and currency of information available to the program office.
  • Coordination between the program management office (PMO) and supporting law enforcement and security activities is critical to ensure that any changes in the system CPI, threat, or environmental conditions are communicated to the proper organizations.
  • Law enforcement activities supporting the program protection effort should provide timely notification to the PMO of any information on adverse interests targeting their CPI without waiting for a periodic production request.

Adoption of the PPP tool to support sensitive and large-volume/high-value acquisitions is only one of multiple tools and techniques available to revise the state acquisition model to add technology expertise/best practices throughout the ICT life cycle of system requirement definition, procurement planning, acquisition, deployment and operations, and retirement.

Institution of Inspector General Functions

In addition to protecting the interests of citizens through expanded civil jurisdiction and improving the potential return on investment of individual procurements, another tool to add to the subfederal ICT arsenal is an expert body to investigate, prosecute, and recover ill-gotten gains in the course of ICT acquisition and use. Technology acquisition is complex: it goes wrong even when well planned and managed. Along with the dramatic growth in total IT acquisition by local governments have come increased cost-draining complexities, vendor problems, and outright fraud and abuse in the acquisition and deployment of ICT systems to support local government operations. These reported problems threaten to obliterate the economic benefits of data automation and frequently result in distractions of governments’ core mission of public service, all at the expense of the taxpayer.

Local governments are challenged to adapt to the responsibility of this growing stewardship of complex IT infrastructure investments. One response to increasing ethical, financial, and criminal abuses in local government operations has been the establishment of local independent IG offices by a growing number of major urban municipalities and counties, including Chicago; Philadelphia; Yonkers; Jacksonville; Broward, Miami-Dade, and Palm Beach Counties in Florida; Albuquerque; New Orleans; and Montgomery County, Maryland.

IG offices may be established by statute, local ordinance, the local executive, a public initiative, or even an NGO (in Chicago, for example, the IG effort has its roots in the independent Better Government Association). The dominant “competing” approach to the IG role in local government is inertia: no investment at all by the local government in rooting out fraud, waste, and abuse. Some jurisdictions instead rely on local auditors’ offices or the financial crimes sections of local prosecutors; these, however, focus only on criminal behavior or statutory violations of procurement procedures, not the broader range of abuses within the scope of an IG investigation.

The skill sets for local IGs typically are focused on auditing and investigations, supported by law enforcement and regulatory/legal policy. Leadership and professional staff typically hold terms that transcend executive and legislative terms. In the case of ICT procurement fraud, operational, product, and technical expertise are clearly desirable.

The IG may be selected by a blue-ribbon panel, as in Miami-Dade County. In Montgomery County, a nominating committee of citizens appointed by the county executive recommends a slate of candidates to the county council, which makes the final choice.

While the principal area of conflict in roles arises with respect to criminal investigations and jurisdiction between prosecutors and the IG, these issues are typically addressable through a clear memorandum of understanding between the agencies describing the role of the IG in any investigation prior to and once a criminal charge has been filed. Criminal investigatory powers, including subpoena power and direct prosecution for noncooperation, are common.

The core capability of a successful IG function is the office’s ability to investigate and report on unacceptable practice; the metric of success is a record of changed behavior by the acquiring agencies of government. IGs identify and investigate waste and inefficient expenditure of public funds, a task related to, but not the responsibility of, ethics officers and prosecutors. Without an IG, abuses of local government operations can continue undetected, unaudited, and unremediated, at continuing cost to taxpayers. Significant successes are being achieved by the jurisdictions that have established local IG offices.

Fusion Centers for IoT Flaw Information Sharing

The fourth capability in this suite of ICT enhancements is to repurpose, or more precisely expand, the jurisdiction of the 79 fusion centers established across the nation in the wake of the 9/11 attacks. While the principal purposes of these centers, created by states and localities with the support of the Departments of Justice and Homeland Security, were counterterrorism intelligence and drug interdiction, their structure and capabilities, coupled with multiagency state and local representation, make them an ideal additional “eyes and ears” function in support of improved state and local ICT environments.

Because they maintain communications both within their states and across the national network of fusion centers, these centers can provide relief for a chronic problem of the ICT environment: the failure to promptly share the details of system and network failures, attacks, and other anomalies. By sharing in real time the existence of flaws in IT systems, software, and services, these centers can become a backbone element of the nationwide sharing environment long contemplated by the Information Sharing and Analysis Center (ISAC) community, the Sector Coordinating Councils (SCCs), and the Information Sharing and Analysis Organizations (ISAOs) established under Executive Order 13691 in 2015.

There is nothing particularly magical or unprecedented about any of these proposals. Civil jurisdiction debates around federal preemption have swirled for years. Importing federal best practices for ICT procurement that are relevant to the concerns of states and localities is neither unduly complex nor unprecedented. As discussed, the number of localities adopting local IG capabilities is now perhaps in the hundreds, and growing. Fusion centers already share information on a 24/7 basis; what would be novel is adapting their capabilities to the routine sharing of ICT/IoT flaw, error, anomaly, or attack information.

Path Forward

While it is certainly possible to draft and introduce individual bills in state legislatures to establish these functions and address the jurisdictional concern, or to issue proclamations from the desks of governors and mayors, a broader and more comprehensive approach to a fabric of improved ICT deployment in the states and localities is available. All of these improvements could be achieved at once by bundling the proposals into legislative titles (e.g., jurisdiction, procurement reform and fraud investigation, and ICT anomaly information sharing) and then combining them into a framework instrument to be discussed and refined under the aegis of the ULC/NCCUSL.

Whatever the vehicle for establishing these mechanisms, the benefits to state and local government operations, and ultimately to taxpayers, suggest these are worthy goals in a currently neglected environment.

Endnotes

1. Variants of California’s 2002 breach notification bill, S.B. 1386 (codified at Cal. Civ. Code §§ 1798.29, 1798.82, 1798.84), have been adopted in over 40 states. In the intervening period, 19 congressional subcommittee hearings on breach notification proposals have been held, with no passage in either house.

2. In March 2017, the New York Superintendent of Financial Services promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies. As of August 28, 2017, banks, insurance companies, and other financial services institutions regulated by NYDFS are required to have a cybersecurity program designed to protect consumers’ private data, a written policy approved by the board or a senior officer, a chief information security officer to help protect data and systems, and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.

3. See Executive Orders Disposition Tables Index, Nat’l Archives, https://www.archives.gov/federal-register/executive-orders/disposition (last reviewed Mar. 8, 2018).

4. See, e.g., Cybersecurity Legislation 2017, Nat’l Conf. St. Legislatures (Dec. 29, 2017), http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2017.aspx.

5. See Office of Mgmt. & Budget, Exec. Office of the President, OMB Circular No. A-130, Managing Information as a Strategic Resource (2016).

6. See DFARS 252.204-7012.

7. Press Release, Obama White House, Fact Sheet: Cybersecurity National Action Plan (Feb. 9, 2016), https://obamawhitehouse.archives.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan.

8. See, e.g., Katell Thielemann & Rishi Sood, Gartner, Market Insight: State and Local Government IT Market Primer, United States, 2015 (2015), http://www.comproinc.com/wp-content/uploads/2015/06/CPI_Market-Insight_State-and-Local-Government-IT.pdf.

9. An excellent review of the case law on federal preemption of state tort jurisdiction for FDA-regulated products is found in Marcia Boumil, FDA Approval of Drugs and Devices: Preemption of State Laws for “Parallel” Tort Claims, 18 J. Health Care L. & Pol’y 1 (2015).

10. See U.S. Dep’t of Def., Instruction No. 5000.02 (Jan. 7, 2015).

Michael A. Aisenberg is principal cyber counsel at the MITRE Corporation. He is chair of the ABA SciTech Information Security Committee and an assistant editor of The SciTech Lawyer. The author’s affiliation with the MITRE Corporation is provided for identification purposes only and is not intended to convey or imply MITRE’s concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author.