Regulating in Cyber Space Cyber Security & the Electrical Grid

Transcription

1 Regulating in Cyber Space Cyber Security & the Electrical Grid Patrick N. Holman, PhD, 2012 Western Energy Policy Research Conference August 30, 2012

2 Focus of Paper Cyber security has been identified edas a high priority for public and private stakeholders Broad consensus among regulatory stakeholders that cyber security threats to the US electrical grid and other critical infrastructure exist Attempts to legislate substantive changes to cyber security regulation have failed Why?

3 Approach of Paper Steps Sepsback from rhetoric eo that has driven the legislative debate over the past several months Examines the issue from a strictly regulatory perspective to explain current legislative failure Hypothesizes that cyber space favors a decentralized regulatory approach that emphasizes open, consensus based decision making processes Argues that the failure of current proposals is tied to their misalignment with the basic precepts of the cyber space regulatory environment.

4 Regulatory Framework Shift toward dstudying non traditional o a regulatory regimes with complex stakeholder relationships Key questions in assessing regulatory frameworks What counts as regulation? What constitutes good regulation? How is risk calculated where information is incomplete? In environments where regulatory authority is dispersed among stakeholders, the perceived legitimacy of the development process is a key success factor

5 Regulating in Cyber Space Cyber space was designed ed as an open, decentralized ed architecture that permitted the free exchange of information across networks Co regulatory model reflects public and private regulatory actors engaged in voluntary, consensusbased rule making, primarily focused on technological standards Challenges of regulating content & conduct in cyber space are functions of its libertarian underpinnings andglobal presence

6 Protecting Critical Infrastructure Current regulatory approach for protecting poec gcritical ca infrastructure from cyber attack follows a coregulatory model Public role focused primarily on information collection and dissemination regarding threats and vulnerabilities Private role focused primarily on implementing provisions to minimize i i cyber security vulnerabilities Post 9/11 saw increased emphasis on the national security implications of protecting ti critical infrastructure, especially the U.S. electrical grid

7 Protecting the US Electrical Grid Regulatory provisions po so sfor poec protecting the US electrical eec ca grid from cyber attack are more robust than other critical infrastructure protocols Unique regulatory relationship between FERC and NERC results in mandated and enforceable standards for cyber security protection Reflects a co regulatory approach with strong private sector involvement in standards development, with oversight by public actors

8 Proposed Regulatory Changes Current regulatory regime e considered ed inadequate e to address perceived threat and vulnerabilities Proposed legislative changesare are generally based on executive branch cyber security initiatives Proposals represent two approaches to regulating cyber security Retaining and improving current co regulatory model with enhancements to information sharing Changing co regulatory model by extending federal authority over protection of critical infrastructure

9 Challenges for Cyber Security Regulatory proposals s to extend e federal authority for cyber security face several key challenges The perceived lack of reliable information on threats and vulnerabilities, compounded by the absence ofrecognized, legitimate experts, create uncertainties in risk calculations The closed consideration of cyber security does not align with the open deliberative approach that has driven the development of regulations within cyber space Excluding software and hardware from regulatory consideration does not reflect their significance in addressing cyber security These challenges have significant implications when considered within theregulatory context of cyber space, making consensus unlikely

10 Conclusions and Further Inquiry Proposals seeking to extend federal regulatory authority are inconsistent with the fundamental nature of cyber space, which favors a decentralized approach that is open andconsensus based Resolution of the current impasse must recognize this inconsistency or seek to alter theopen nature of cyber space In the absence of reliable information, a resiliencebased regulatory approach may be preferable Understanding the institutional bias of regulatory actors may also yield greater insights