Recent events provide ample examples of the dramatic and serious damage done by failures of the current information security and privacy rulemaking system. Consider that the software Volkswagen developed to defeat emissions testing, arguably a computer crime of multinational proportions, went undetected for six years.1 Consider also that a large region of Ukraine, with some 230,000 affected people, was plunged into an electrical blackout by a sophisticated power grid sabotage attack carried out by hackers, an attack that disabled not only the grid itself but also its backup systems.2 Consider further that a nation-state (allegedly North Korea) attacked a major corporation (Sony Pictures); the attack was so devastating to the firm's information systems that management were left communicating by landline telephone and paper memo.3 Many other recent examples could be cited, but the point is clear: information security and privacy losses are spiraling out of control, and the applicable laws and regulations, together with the supporting infrastructure (such as law enforcement), are collectively failing to contain these mounting and often devastating losses.
This article explores nine reasons why the current legal and regulatory process cannot be used to bring about conditions in which information security and privacy are reasonable, trusted, and reliable. The present process is too slow, too inflexible, and too unresponsive (unable to evolve and adapt) to meet the needs we face today. This article calls for a convention or similar multiparty harmonization effort to investigate seriously how we might design a new legal and regulatory process that has a grounded hope of being both effective and efficient.
Why the Existing Legal and Regulatory System Doesn’t Work
Jurisdictional Fragmentation Creates Confusion, Unnecessary Costs, and Lack of Action
The traditional jurisdiction-by-jurisdiction legislative and regulatory approach, even when partially unified as it is within the European Union in the domain of privacy, is not practical in a world interconnected by the Internet. The Internet erases national boundaries and connects individuals and organizations far more tightly than was ever previously possible. At the same time, the complexity and multilayered nature of software provides new and powerful methods to conceal both the location and the identity of the parties involved in a given process: encryption conceals the content of communications, relays such as proxy networks and botnets conceal a party's location, and pseudonymous identities such as virtual avatars conceal who that party is.
Furthermore, cloud service providers may store data in one jurisdiction or another, and the ability to move data from one location to another is an important attribute of load balancing, performance management, and contingency planning. If the location and the identity of the parties involved cannot clearly be determined, and if the data’s location also cannot clearly be determined, then a regime based on national (or regional) laws and regulations cannot realistically and successfully be applied. What is needed instead is a worldwide legal and regulatory system because the Internet is worldwide. Such a new system must include consistent legal and regulatory definitions, as well as consistent enforcement mechanisms such as extradition treaties, search warrants, courts, alternative dispute resolution forums, and electronic discovery processes.
Information Explosion Overwhelms Existing Decision-Making Systems
The volume of information created, processed, stored, and employed in decision-making is increasing at an exponential rate.4 In part, this explosion is brought about by ubiquitous, powerful, and low-cost new information technology. This explosion also results from increasing world population and the globalization of trade. The Internet further facilitates this explosion because it provides a new and increasing connectivity, as evidenced by the rapidly evolving Internet of Things (IoT).
A legal and regulatory system based on making decisions on a manual, case-by-case basis may have been sufficient to deal with relatively simple old-fashioned problems, but it is rapidly overwhelmed by the complexity and the sheer volume of new situations presented by this information explosion.5 New approaches that categorize events and situations according to certain predetermined criteria, and that make dispute resolution decisions uniformly and automatically, must instead be developed, and those approaches must be widely deployed using the latest tools such as artificial intelligence (AI).6
An impressive array of new high-tech tools can be used to deal with this information explosion by expediting and automating the application of laws and regulations in the information security and privacy domain. These tools include smart contracts (which enforce contract terms automatically in software, within the limits of what the code actually checks), digital signatures (which provide evidence that the holder of a particular signing key agreed to be bound by a contract), and blockchain-style hash-chained ledgers (which create a log of legally significant events that cannot be altered after the fact without detection).
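The following is an added illustration of the last of these tools, not code from the article or from any particular blockchain project. It builds a hash-chained event log in which each entry commits to the digest of the entry before it, so that editing, re-hashing, or deleting an earlier entry is detected on verification. It makes two assumptions that are not in the article: the events and the key are constructed sample data, and an HMAC under a verifier-held key stands in for the public-key digital signature a real system would use. It also shows the caveat practitioners run into: a hash chain alone does not detect truncation of the tail, so the verifier must record the latest digest ("head") out of band.

```python
"""Tamper-evident event log: SHA-256 hash chaining plus a keyed authenticator.

Added example, not code from the original article. Each entry commits to the
previous entry's digest, so rewriting or deleting an earlier entry changes
every later digest. An HMAC under a key held by the verifier stands in for the
digital signature the article mentions (an assumption made to stay within the
standard library); a deployment would use a public-key signature such as
Ed25519 so that holders of the public key can verify without being able to
forge entries.
"""
from __future__ import annotations

import copy
import hashlib
import hmac
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # digest the first entry chains to


def _digest(prev_hash: str, index: int, event: dict) -> str:
    # Canonical JSON so the same event always yields the same digest.
    payload = json.dumps({"index": index, "prev": prev_hash, "event": event},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


@dataclass
class Entry:
    index: int
    prev_hash: str
    event: dict
    hash: str   # digest over (index, prev_hash, event)
    mac: str    # HMAC over the digest, under the verifier's key


class HashChainLog:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: list[Entry] = []

    def _seal(self, digest: str) -> str:
        return hmac.new(self._key, digest.encode("utf-8"), hashlib.sha256).hexdigest()

    def append(self, event: dict) -> Entry:
        prev = self.head()
        index = len(self.entries)
        digest = _digest(prev, index, event)
        entry = Entry(index, prev, event, digest, self._seal(digest))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Digest of the latest entry; the verifier should record this out of band."""
        return self.entries[-1].hash if self.entries else GENESIS

    def verify(self, expected_head: str | None = None) -> tuple[bool, int]:
        """Return (ok, first_bad_index); the index is -1 when everything checks out.

        Chain and MAC checks catch in-place edits. Dropping entries from the tail
        cannot be caught by the chain alone, which is why expected_head exists.
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.index != i or e.prev_hash != prev:
                return False, i
            if _digest(prev, i, e.event) != e.hash:
                return False, i
            if not hmac.compare_digest(self._seal(e.hash), e.mac):
                return False, i
            prev = e.hash
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)  # tail dropped (or added) since head was recorded
        return True, -1


def run_scenarios() -> dict[str, tuple[bool, int]]:
    """Build a constructed three-event log and try three ways of altering it."""
    log = HashChainLog(key=b"verifier-held-key, constructed for this example")
    # Constructed sample events; not real records.
    log.append({"type": "consent_granted", "subject": "user-1", "purpose": "billing"})
    log.append({"type": "data_exported", "subject": "user-1", "actor": "ops-7"})
    log.append({"type": "consent_revoked", "subject": "user-1"})
    head = log.head()

    results = {"clean": log.verify(head)}

    edited = copy.deepcopy(log)
    edited.entries[1].event["actor"] = "nobody"      # rewrite history in place
    results["edited"] = edited.verify(head)

    rehashed = copy.deepcopy(log)
    rehashed.entries[1].event["actor"] = "nobody"
    rehashed.entries[1].hash = _digest(rehashed.entries[1].prev_hash, 1,
                                       rehashed.entries[1].event)  # recompute digest without the key
    results["rehashed"] = rehashed.verify(head)

    truncated = copy.deepcopy(log)
    truncated.entries.pop()                           # quietly drop the revocation
    results["truncated_no_head"] = truncated.verify()
    results["truncated_with_head"] = truncated.verify(head)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} ok={outcome[0]!s:5s} first_bad_index={outcome[1]}")
```

The in-place edit fails the digest check at entry 1; the attacker who recomputes the digest still fails the MAC check at entry 1 (and, had the MAC been forged, would fail the chain check at entry 2); the truncated log passes the chain check on its own and is caught only when the recorded head is supplied. Whoever can obtain the sealing key can rewrite everything consistently, which is the reason for preferring a public-key signature and an independently held head digest in practice.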
Pace of Rule Changes Cannot Catch Up with Technological Change
The traditional rulemaking systems used for information security and privacy involve checks and balances, review procedures, and formal approval. For example, at the United States federal level, the legislative process is extremely time-consuming. Delay is inherent in the process: a bill is introduced and referred to committee, hearings are held, both the House and the Senate must deliberate, debate, and vote, and then the president must sign. Even in the most expedited scenario, completing that cycle once still implements no new rule.
It may be months or even years later before actual changes in the rules that are enforced take effect (often following separate public hearings on implementing regulations). All of this is far too slow in the modern age of high technology, and this glacial rulemaking process only widens the distance between existing laws and regulations and the rapid advances being made in technology. We see this large gap between the legal regime now in place and the legal regime that is needed, for example, in the area of drones (small unmanned aircraft systems). Not only is a great deal of the law in the drone area unclear (for example, what constitutes a trespass), but the world's leading drone maker is based in China, which presents a potential national defense issue.7
Waiting for Crisis to Prompt a New Rule No Longer Works
In addition to the inefficient legislative process mentioned above, United States legal and regulatory rulemaking often follows decisions by the courts. The latter evolves slowly under the doctrine of stare decisis, as the courts gradually adjust the legal and regulatory approach to better fit the situations encountered by litigants. Both the legislative and the adjudicatory approaches suffer from the grave fault that they wait for serious crises, like Fukushima (and even that ecological disaster does not seem to have prompted much action), before legal and regulatory action is undertaken.
In the domain of information security and privacy, we must instead be proactive. We must anticipate what will happen, and we must take steps to prevent these adverse events from taking place, or at least prepare ourselves to best deal with the adverse effects when they occur. For example, we should not wait until critical components of our essential infrastructure are destroyed (such as the electrical grid) before we decide that we will undertake more serious protective measures.
Thus, the foundational philosophy of laws and regulations must in large measure shift from a reactive focus on recovery, correction, and damages awarded to harmed parties, to a proactive focus on prevention, detection, deterrence, and avoidance. The widespread use of zero-day exploits (exploits for vulnerabilities that are unknown to the vendor and for which no patch yet exists) by both national intelligence services and organized criminal syndicates further underscores the need for this foundational shift toward more rapidly evolving, proactive laws and regulations.
Excessive Political and Special Interest Influence Prevents Adoption of New Rules
In too many governments, including the United States, the rulemaking process is unduly influenced by ideological political considerations and special interest lobbying groups.8 Fighting between these groups can, and often does, mean that important information security and privacy decisions are postponed needlessly, and resources are consumed in unproductive ways.9
While the authors are not advocating a dictatorial centralized approach, the new rulemaking process needs to be expedited and focused solely on important issues, not party politics, not power-grabbing diversions of the rulemaking process, and not other delaying side issues. These delaying mechanisms often sideline or stifle important changes, changes that are desperately needed in order to bring about an adequate level of information security and privacy.
A good example involves user-chosen fixed passwords, which should have been phased out decades ago but are still widely used today. The 2016 Verizon Data Breach Investigations Report indicates that 63 percent of confirmed data breaches involved weak, default, or stolen passwords.10 Both vendors and users have resisted upgrading their systems to stronger user authentication technologies, such as multifactor authentication, which is more secure than user-chosen fixed passwords, because those adopting these technologies would be forced to incur large additional costs.
Significantly more emphasis needs to be placed on management due diligence and the immediate needs of technological improvements, and significantly less emphasis needs to be placed on political parties and other special interest considerations. Many of the steps now performed by legislatures and regulators could instead be delegated to a special purpose administrative organization devoted to information security and privacy rulemaking (with some sort of public comment used as a double-check). Even within such a special purpose organization, many tasks could be performed by AI, scripted in code, and built into automatically executing contingency plans.
Widespread Incompatibilities, Errors, and Gaps Present an Attractive Attack Surface
Research performed at SRI International (formerly Stanford Research Institute)11 indicates that attackers consistently exploit the gaps, errors, and inconsistencies associated with interfaces between information systems. Interfaces, and the differences between the involved systems found at those interfaces, introduce the most attractive opportunities for information security and privacy exploits.12
The country-by-country approach to information security and privacy (or worse, the state-by-state approach within a single country, as with U.S. breach notification laws) presents a very attractive attack surface to perpetrators because it is rife with gaps, errors, and inconsistencies. For example, digital copyright infringement gravitates to those jurisdictions that do not seriously enforce copyright laws.13
To overcome these problems, a consistent and unified approach must be established, and that standard of due care must be consistently observed and enforced worldwide. To fail to adopt such an approach is to invite exploitation by hackers, political activists, high-tech criminals, terrorists, and anarchists.
Economics of Information Security and Privacy Does Not Generate a Self-Healing Marketplace
Competition among vendors of high-tech systems encourages fragmentation of the marketplace (for example, via systems that are incompatible with those of other vendors) in order to achieve vendor-specific competitive advantage. This fragmentation further exacerbates the attack surface problem mentioned above. For instance, nearly a billion users of older Android smartphones were left exposed when Google declined to patch a vulnerability in the operating system's WebView component for those versions.14
Furthermore, top management at corporations are currently incentivized by the prevailing accounting and financial system to minimize costs and maximize revenue in order to receive quarterly bonuses, promotions, increases in the price per share, etc. Top management are not sufficiently incentivized to invest in the development of the technological and organizational infrastructure necessary to provide adequate information security and privacy.
The fact that current economic incentives work to the detriment of information security and privacy is illustrated by the massive fines that can be imposed under the European Union's General Data Protection Regulation. That regulators are able to fine organizations up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher, speaks to a certain level of frustration, a sense that fines have to be made draconian in order to get top management's attention.15
Current economic incentive systems associated with information security and privacy are in desperate need of alignment with management incentives,16 and this alignment can be achieved in part with a new worldwide rulemaking process. This article takes no political position regarding the best economic system that encourages appropriate decisions (capitalism, communism, socialism, etc.), asserting only that the current legal and regulatory regime is clearly not working and that we urgently need a new and better approach that can thrive under all economic systems.
Relative Investment Differential between Protectors and Attackers Will Widen
Consider the relative investment made by two competing groups. The first group, the problem creation and attacker group, has an investment that includes the research and development expenditures of high-tech firms, as well as the comparable research and development expenditures of attackers such as organized crime syndicates and government spy agencies. The sum of the investment made by the first group far outstrips the comparable investment being made by the second group of protectors, which includes new purchases of security and privacy systems, ongoing expenditures to maintain and enhance these systems, training and awareness efforts, research into new legislation and regulation, and efforts made by law enforcement including investigations, prosecutions, incarcerations, and rehabilitation efforts for the wrongdoers.
In the future, we can expect that the investment of this first collective group, those creating vulnerabilities by introducing new technological innovations and those discovering how to exploit those vulnerabilities, will continue to dominate and further overshadow the investment made by the second group, which is involved not just in security and privacy but also in making and enforcing the laws and regulations. This dominance is partly brought about by the first group being driven by existing financial, political, and military incentives, while the second group is driven only by political, moral, and humanitarian pressures. This dominance additionally results because the first group, year after year, is realistically projected to expand its investment in research and development at a percentage increase far in excess of that of the second group.17
Think of it as an arms race of sorts. Without significant further investment in rulemaking and rule enforcement, the second group stands little chance of catching up with the first group, let alone bringing some semblance of law and order to the increasingly chaotic domain of information security and privacy. The matter is still more serious when one considers that the contest is asymmetric: the defenders (second group) must close every avenue of attack while the attackers (first group) need only find one, so the defenders must spend far more than the attackers merely to reach a stable state of security and privacy equilibrium. The implications in terms of eroded information security and privacy in the years ahead are grave, because a much greater degree of anarchy and lawlessness is likely without a radically different legal and regulatory regime, such as the regime that this article suggests would be the outcome of a special international convention.
Learning by Trial and Error Is Both Unduly Dangerous and Ill-Advised
According to traditional English common law, which is still partially subscribed to in the American legal and regulatory system, case law is made by trial and error. Likewise, the traditional approach used by high-tech companies building computer and communications systems was to build it first, get it into the marketplace, and figure out how to add security and privacy later. This learn by trial and error approach of high-tech companies has long been supported by governments that did not want to stifle innovation or impede the high profits of these same high-tech companies. All this is no longer appropriate in an Internet-connected, high-tech world because the trial and error approach is now unduly dangerous and expensive.18
In a world where hackers can attack infrastructure components like reservoir dams and have already brought down an electric grid, the risks are simply too high to keep the old legal regime. The world desperately needs a new legal and regulatory process that brings foresight, insight, and a long-term perspective to information security and privacy matters. That same new approach must be coordinated and cooperative, rapidly learning, and rapidly upgrading. In a tightly interconnected high-tech world, it no longer works to leave such matters to independent rulemaking groups that upgrade laws and regulations when it suits them, make mistakes as they please and then hopefully learn from them, or learn in their own time from the mistakes of others.
Why a New Harmonized Legal and Regulatory System Should Work
While the authors are not advocating the adoption of any particular organizational model for worldwide harmonization of information security and privacy laws and regulations, we do believe that such a system, to be successful, will need to have certain organizational and policy attributes. One such attribute is a core body of harmonized privacy and cybersecurity laws and principles distilled from the universe of existing global regulatory schemes. This body of law must create applicable standards of care that are uniform across data types and security classifications, and more easily understood for purposes of both compliance and enforcement. In addition, this new body of law should be grounded in principles of deterrence and accountability, with liability not only for organizations but also for individual decision makers in control positions within those organizations who have the power, authority, and obligation to act in the best interests of data privacy and security compliance consistent with applicable law.
There already are a significant number of other subject matter areas in which such worldwide harmonization of laws and regulations has been shown to be effective, or at least had a reasonable chance of becoming effective. These include:
- Internet Corporation for Assigned Names and Numbers (ICANN) coordination of the domain name system and Internet number resources;
- International Organization for Standardization (ISO) toxic material hazard warning labels;
- Globally Harmonized System of Classification and Labeling of Chemicals (GHS) global hazard communication standards;
- Maritime laws;
- The Antarctic Treaty, which bars development and military activity on the continent;
- Humanitarian and human rights law such as the Geneva Conventions;
- UN Refugee Agency (UNHCR) refugee and displaced person conventions;
- International criminal laws;
- Laws regarding conflict of laws; and
- Treaty laws.
These examples show that effective international harmonized legal regimes are a reality. We can learn the lessons that these harmonized laws provide, rather than “reinventing the wheel” the hard way, by trial and error as we go along.
These examples reveal a number of desirable attributes for international harmonized legal systems, which should in turn be applied to the information security and privacy area. These attributes could for instance include:
- Promotion of cooperation between the authorities in all signatory nations;
- Facilitation of sharing information between signatory nations;
- Protection of shared resources and/or vulnerable populations worldwide;
- Protection of certain nations against the aggressive, confiscatory, or deceptive acts of other nations;
- Leveling of the playing field so that all nations can benefit from a worldwide legal and regulatory regime;
- Provision of an authoritative basis on which international legal proceedings could be based;
- Opportunity to simplify the internal laws and regulations of signatory states;
- A new model for international cooperation in the domain of law and regulation development/refinement via a multistakeholder participatory process; and
- Elimination of needlessly expensive competition between states, freeing up resources that could instead be used to improve the international legal and regulatory regime.
A new information security and privacy regime could thus be distilled from the universe of existing global legal regimes. This new regime could, for example, include a standard of due care that is uniform across all vendors’ equipment and systems, thus explicitly clarifying what must be incorporated into those information systems that are sold, rented, leased, or otherwise provided. This new body of law could additionally incorporate incentives that would help to compel information security and privacy decision-making such that it would rightly be protecting all those parties that are expected to be materially affected.
Even more potentially useful in the context of information security and privacy rulemaking are a number of nontraditional organizational structures that have been shown to be exceedingly low-cost, rapidly evolving, and remarkably accurate, some with very little information technology at all. Consider the Dabbawala, a network of lunch box delivery services in India. Through a sophisticated system of box marking and sorting, this network delivers between 175,000 and 200,000 lunch boxes every day and makes less than one mistake in six million deliveries.19
Similar Internet-supported nonhierarchical networks could facilitate a rapidly evolving new process for information security and privacy rules. While we do not yet know what form this new process should take, we advocate a new international organizational design that dynamically supports accelerated law and regulation needs identification, rules formulation, rules adoption, rules implementation, rules enforcement, and rules auditing.
Finally, the administration, enforcement, and adjudication of disputes arising under the harmonized body of privacy and cybersecurity laws governed by the new global organizational structure must be independent, and must function alongside existing judicial systems, so that rulemaking and decisional law can keep pace with rapid changes in technology. These tribunals must be sufficiently unbound from traditional principles of stare decisis, and must be free to consider new and novel approaches tailored to address new issues as they arise, without trying to adapt or analogize unrelated precedents that were never intended to address the issues confronted in the rapidly changing cyber world. A new body of decisional law must be developed, published, and globally disseminated electronically in real time. The tribunals themselves must be staffed by duly qualified and trained cybersecurity and privacy experts, supported by related AI software. Generalist judicial hearing officers and trial by lay jury are much too inefficient to guarantee uniformity and quality of justice given the complexity of cybersecurity and privacy issues.
Suggested Next Steps
To identify the best organizational form for such a new multinational rulemaking process, we advocate the holding of an international convention where the attendees would:
- Review existing international law and regulation harmonization efforts to discern what has been working and what has not been working so that the best of those prior efforts can be carried forward into a new proposed regime.
- Further identify the problems associated with the current information security and privacy rulemaking process—a conversation furthered by this article.
- Define a new and preferable harmonized rulemaking process, a process that would be for the benefit of the entire world and not dependent on approval from existing national governments, supra-national entities like the United Nations, major corporations, or major tech firms.
- Define attributes of this new streamlined process, including an appropriate organizational structure as well as checks and balances, a high degree of transparency and continuous auditing, mechanisms to prevent conflicts of interest, alerts to flag the fact that the process may be compromised, alerts indicating that attempts are being made at compromise, etc.
- Articulate a way to make decisions via experts who know what the actual risks are, rather than via politicians, corporation top managers, or tech firm vendors.
- Reconcile the perceived (and largely illusory) loss of jurisdictional sovereignty with the need for a more effective worldwide legal and regulatory regime.
- Determine how this process will tie in with the definition of the legal and regulatory standard of due care and a related liability safe harbor.
If you endorse the holding of such a convention, would be interested in attending it, or would like to be notified about developments related to the convention and reporting on its results, please sign the petition at http://goo.gl/HS7XXb. The petition website also has an online discussion board if you wish to post a comment on this article. The list of those signing the petition will be used for only two purposes: (1) showing legislators and other rulemaking bodies that there is a significant level of support for the development of a new rulemaking process, and (2) contacting the signers about an upcoming convention and related developments.
When we step back and objectively examine the current legal and regulatory regime for information security and privacy, we note there are many problems, including: (1) jurisdictional fragmentation that creates confusion, unnecessary costs, and lack of meaningful action; (2) an information explosion that overwhelms existing legal decision-making systems; (3) a slow pace of legal rule changes that cannot hope to catch up with the pace of technological change; (4) a tradition of waiting for crisis to prompt rule changes that creates undue risks; (5) excessive political and special interest influence that prevents the adoption of suitable new rules; (6) widespread incompatibilities, errors, gaps, and occasionally even contradictions in the law that present attackers with an attractive attack surface; (7) a background of economic incentives that does not cause the marketplace to naturally evolve toward a secure, private, and self-healing state; (8) a situation where attackers invest considerably more resources than protectors, and the gap between those groups is widening; and (9) a reliance on trial and error to discover the best legal rules, which is dangerous and ill-advised.
Now is the time for us to let go of our unjustified hope that if only we throw more resources at our antiquated legal and regulatory regime, it is going to work in the area of information security and privacy. The current regime cannot work, and cannot be made to work, and we urgently need a new regime. Just what that new regime should look like is beyond the scope of this article, but those of us working in the field should now have a serious multistakeholder conversation about the form that this new regime should take.
1. Bruce Schneier, VW Scandal Could Just Be the Beginning, CNN (Sept. 28, 2015), http://www.cnn.com/2015/09/28/opinions/schneier-vw-cheating-software/.
2. L. Todd Wood, Ukraine: Russia Hacks Power Plants, Highlights U.S. Weakness, Wash. Times, Dec. 30, 2015, http://www.washingtontimes.com/news/2015/dec/30/l-todd-wood-ukraine-russia-hacking-power-plants-hi/.
3. Lori Grisham, Timeline: North Korea and the Sony Pictures Hack, USA Today, Jan. 5, 2015, http://www.usatoday.com/story/news/nation-now/2014/12/18/sony-hack-timeline-interview-north-korea/20601645.
4. Gil Press, A Very Short History of Big Data, Forbes (May 9, 2013), https://www.forbes.com/sites/gilpress/2013/05/09/a-very-short-history-of-big-data/.
5. See Warren K. Mabley Jr., Deconstructing the Patent Application Backlog, 92 J. Pat. & Trademark Off. Soc’y 208 (2010).
6. New AI System Beats Legal Practitioners at Predicting Court Decisions, DNA (May 8, 2017), http://www.dnaindia.com/scitech/report-new-ai-system-beats-humans-at-predicting-court-outcomes-2430855.
7. Heather Kelly, Your Guide to Obeying the New Drone Laws, CNN Tech (Dec. 25, 2015), http://money.cnn.com/2015/12/24/technology/drone-faa-laws-registration/index.html.
8. Mike Lofgren, The Deep State: The Fall of the Constitution and the Rise of a Shadow Government (2016).
9. Consider the way that the Obama administration reversed the established government information disclosure policies of the Bush administration and then went on to reverse its own policies. See Maura Reynolds, Open Government or “Transparency Theater”?, CQ Pol. (July 24, 2009), http://www.nbcnews.com/id/32128642/ns/politics-cq_politics/t/open-government-or-transparency-theater/.
10. Mor Ahuvia, Verizon DBIR Report: 63% of Breaches Exploit Static Passwords, Gemalto (May 10, 2016), https://blog.gemalto.com/security/2016/05/10/verizon-dbir-report-63-breaches-exploit-static-passwords/.
11. This research was managed by Donn B. Parker, funded by the National Science Foundation, and involved evaluation of reported computer crime and abuse cases.
12. Consider the disastrous oil spill that took place in 1967 off the coast of Cornwall, England. An oil tanker ran into a reef because there was confusion about whether the automatic or manual steering system was enabled. Today’s systems, for both oil exploration and transportation as well as computer and networking systems, are much more complex, and this complexity introduces many more incompatibilities, errors, and gaps that may be exploited. See Joseph A. Tainter & Tadeusz W. Patzek, Drilling Down: The Gulf Oil Debate and Our Energy Dilemma 209–10 (2012).
13. Marc D. Goodman & Susan W. Brenner, The Emerging Consensus on Criminal Conduct in Cyberspace, 10 Int’l J.L. & Info. Tech. 139 (2002).
14. Joel Hruska, Google Throws Nearly a Billion Android Users under the Bus, Refuses to Patch OS Vulnerability, ExtremeTech (Jan. 12, 2015), https://www.extremetech.com/mobile/197346-google-throws-nearly-a-billion-android-users-under-the-bus-refuses-to-patch-os-vulnerability.
15. GDPR: Potential Fines for Data Security Breaches More Severe for Data Controllers Than Processors, Reg. (May 12, 2016), https://www.theregister.co.uk/2016/05/12/gdpr_potential_fines_for_data_security_breaches_more_severe_for_data_controllers_than_processors_says_expert/.
16. Charles Cresson Wood, Solving the Information Security & Privacy Crisis by Expanding the Scope of Top Management Personal Liability, 43 J. Legis. 65 (2016).
17. Consider that the successful and stable use of a traditional jail or prison to restrict the movements of a prisoner and protect the public requires a large power asymmetry between the jailer and the prisoner, with the jailer holding the clear advantage. In the information security and privacy domain, by contrast, the lawbreaker (who is usually not in custody, because the system rarely catches anyone) holds the clear power advantage. In that situation, the application of traditional legal and regulatory models, such as the regime now used for information security and privacy, is never going to work.
18. Even large company board members acknowledge that cyber threats aren’t being adequately dealt with. Consider that in a survey of 5,000 directors, board members ranked cybersecurity preparedness last on a list of 23 responsibilities of the board. See J. Yo-Jud Cheng & Boris Groysberg, Why Boards Aren’t Dealing with Cyberthreats, Harv. Bus. Rev. (Feb. 22, 2017), https://hbr.org/2017/02/why-boards-arent-dealing-with-cyberthreats.
19. Perry Garfinkel, Delivering Lunch in Mumbai, Across Generations, N.Y. Times, Feb. 2, 2017, https://www.nytimes.com/2017/02/02/jobs/dabbawalas-india-lunch.html.