CyberSecurity Risk Management Requires Infrastructure Protection Policy Conformance John W. Bagby Professor of IST Penn State Univ.

Post on 01-Jan-2016



CyberSecurity Risk Management Requires Infrastructure Protection Policy Conformance

John W. Bagby, Professor of IST, Penn State Univ.


Problem Statement: the CyberSecurity Conundrum

• The Problem: Infrastructure Resilience Remains Daunting
• 3 Infrastructures Most Cross-Cutting
  – 1) Energy, 2) Financial Services, 3) IT
• The Risk:
  – “incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety...”
• The Solution:
  – Standardize CyberSecurity Risk Management
• The Lens: I/O
• This Paper: http://faculty.ist.psu.edu/bagby/Pubs/CyberSecurityInfrastructurePolicyConformance.pdf


The I/O Lens

• (I/O) lens and its progeny provide unique perspective
  – structural design, contracting counter-party relationships, prices, competitive vs. collusive (ltd/sole source)
• Focus on relationships, independence & freedom of contract
  – captures incentives & deception in fluid organizational designs
• Generally absent from hierarchical perspectives
  – EX: Public Administration modeling historically failed to capture nuance in the burgeoning “outsourcing” movement
  – Hierarchy was preferred to create stable & formalistically predictable designs, see
    • Simon, Herbert A., The Architecture of Complexity, 106 Proc. Am. Phil. Soc. 467–482 (Dec. 1962) &
    • Pattee, H.H. (ed.), Hierarchy Theory: The Challenge of Complex Systems (1973, New York, NY: George Braziller)


Focus the I/O Lens on CyberSecurity

• Inherent Conflicts of Hierarchical vs. I/O Dichotomy
  – The main difficulty in deepening understanding of complex private & public-sector relations of contemporary, emerging government designs
• I/O is economics’ predominant reductionist approach; it provides an analytical lens to disaggregate complex contractual relations
• A branch of the “theory of the firm”
  – Coase, Ronald H., The Nature of the Firm, 4 Economica 386–405 (1937)
  – Key constraints to hierarchical approaches would appear to make the I/O approach a perfect application into predictions based on big data analytics. Indeed:
  – I/O adds realism to the artificiality of the perfect competition model by focusing on transactions costs, Williamson, Oliver E., The Economics of Organization: The Transaction Cost Approach, 87 Am. J. Soc. 548–577 (1981).
  – adverse selection resulting from asymmetries of imperfect information, Arrow, Kenneth J., The Economics of Information: An Exposition, 23 Empirica 120–21 (1996).
  – Also the rise and fall of barriers to entry
• I advocated at FISC’09 that a macro-economic I/O approach is ideal to see the whole forest, as perhaps best exemplified by Leontief’s input-output analysis


Security Law & Economics

• L&E Suggests Regulatory Objective
  – Controls, Checks & Balances Suggest Regulatory Tool Selection & Deployment
• Security Investment Market Failure
  – Information Asymmetries
  – Complex, Layered Supply Chain
• Externalities, Free Riders, Weak Discipline
  – Direct Costs, Uncertain Benefits
  – Incentives to Exploit Vulnerability


CyberSecurity: Omnibus vs. Sectoral

• Omnibus: Security Applied Broadly
  – Permits Standardization
    • Vulnerabilities Broadly Reduced
  – Socializes Compliance Costs
    • The “Cyber-Security Tax?”
• Sectoral: Security Applied Narrowly
  – Customize to Particular Industry/Sector Risks
    • Experimentation breeds experience useful elsewhere
    • EXs: PCI; Financial Services; NIST-Fed. Agencies; HIPAA; DoD
  – Isolates Social Costs as Appropriate
    • Most vulnerable Infrastructures 1st
  – EX: Financial Services, Power Grid, Nat’l Defense
  – Slows Multi-Sectoral Deployment
    • Some Vulnerabilities Persist
  – Cyber is Broadly Cross-Cutting; others not so much


I/O Lens: Industrial Organization Analysis

• Starting Point: Theory of Firm
  – boundaries/behaviors between firms & markets
  – structure of entities, competitive environment, transactions costs, barriers to entry, information asymmetries
• Political Reactions: Industrial Policy
  – What Role for Government Intervention Policy
    • Dare we call this Industrial Policy?
    • When is it Legitimate to Correct Market Imperfections?
    • Incentivize Policy Conforming Behavior
  – Antitrust: structural, conduct, performance models
• How Might CyberSecurity Policy Proposals Alter Traditional I/O?


Security Law & Economics

• Private Sector Owns/Operates/Maintains 85% of Critical Infrastructure (9/11 Commission Rpt)
• NPV: Direct & Immediate Costs vs. Uncertain Remote Benefits
  – Incentives Appear Insufficient to Anticipate/Inhibit Black Swans
  – Chronic Underestimation of Reputational Degradation
  – How to Prove Savings of Security Loss?
• Free rider: Weakest Link
  – Industry-Wide Irrationalization
  – First-Mover Disadvantage
  – Revelations Signal Vulnerabilit(ies)


Security Law & Economics

• Coordination problem
  – Incentives limited to provide positive externalities, societal benefits
  – Fragmented IT Assets Defy Coordination & Efficient Control
    • Locations, control, monitoring, portability, cloud transient, duties
• Should Cyber-Security be a Public Good?
  – Currently Under-Produced because …
    • Non-Rival: marginal costs low as others benefit
    • Non-Excludable: positive externalities invite free riders; investor cannot capture all benefits


Proposed Solutions: Information Sharing

• The Currently Perceived Panacea?
• Consider (most) Longstanding Public Disclosure
• Does SEC Financial Disclosure Invite?
  – Liability Litigation (SH, investor, customer/client)
  – Copycat Intrusion to Further Exploit Signaled Vulnerability
  – Signal Vulnerabilities Exploitable by Competitors
• ISACs Success Varies Wildly (“iSows”)
  – High:
    • CDC (Ebola)
    • NERC (N. Am. Electric Reliability Corp.)
  – Low: Almost Everybody Else?


Proposed Solutions: Information Sharing

• Info Sharing Incentivizes Industry Collusion
  – Will Trade Assns/Whole Industry Seek Antitrust Immunity?
• Antitrust Policy Statement on Sharing of CyberSecurity Information (4.10.14) http://www.justice.gov/atr/public/guidelines/305027.pdf
  – Start with DoJ EPRI Review Letter (Oct. 2000)
  – “Agencies [DoJ, FTC] do not believe that antitrust is – or should be – a roadblock to legitimate cybersecurity information sharing.”
  – “the sharing of competitively sensitive information – such as recent, current, and future prices, cost data, or output levels – may facilitate price competitive coordination among competitors.”
  – “rule of reason analysis”
  – “shared information is less competitively sensitive and unlikely to lead to a lessening of competition”
  – “nature of the information being shared”
  – “cyber threat information can improve efficiency… cyber threat information typically is very technical in nature”
  – “consider whether the exchange is likely to harm competition”


Some Proposed Solutions: Command & Control Regs

• Mandatory Rules-Based/Design Standards
• Impose High Compliance Costs
  – EX: encryption is a bandwidth hog, degrades performance
• Appropriate Equally for All Industries?
• Proposed: NCCIP, the National Cybersecurity and Critical Infrastructure Protection Act of 2013 (H.R. 3696)
• Enacted: PDD-21; E.O. 13636; H.R. 2952 (Cybersecurity Workforce Assessment Act)
• Dis-incentivizes Innovation?
  – Locks-In Old Tech?


Critically Examine Proposed Solutions

• Laissez Faire: Rely on Market Discipline
  – So How is that Working For You?
• Standardization
  – Best Practice, Guidelines, Voluntary Consensus, Industry-Specific, NIST models, Regulatory Imposition
  – PCI: encryption, firewalls, IDs & p/w’s (rules-based stds)
• Direct Reg by DHS or Sector-Specific Regulator
  – G/L/B: PII “Safeguards Rule” (principles-only stds)
  – HIPAA: PHI “Security Rule” (principles-based stds)
• Expand Direct Regulation thru DoD & IC
  – Long History of Successful Imperialism
    • Militias & Army on US’ Frontier, 17th – 19th Century
    • Colonialism: Various Navies protect trade routes (Cpt. Phillips)


Want These Proposed Solutions?

• Regulatory Liability ex post
  – Permits resolution thru deference to regulatory expertise (Chevron v. NRDC)
• Civil Liability ex post
  – Maximizes freedom ex ante until uncertain limit reached
  – C/L more efficient than market discipline or ex ante regulation (R. Posner)
  – Statutory, Case-law Exemptions well rationalized
• Regulation ex ante?


Least Cost Provider

• Liability generally most justifiable for:
  – Party with greatest responsibility for safety or quality (or security)
  – Party w/ lowest cost of services
  – Party financially able to burden risk
• Economics seeks to incentivize least cost provider
• Who is security’s least cost provider?
  – Individuals, ISP, s/w licensor, h/w supplier


Additional Economic Considerations

• Who Bears Costs of Security Failures?
• Who Bears Costs of Security Remediation?
• What does the Game Theoretic Framework offer to Security & Privacy Analysis?
• What are the Network Economics Applications to Security & Privacy?
• What are the Security Enhancing Roles of Standardization?
• What are the Security Risks of Standardization?


Growth in What is Critical

• Will Critical Infrastructures Assume the Whole Economy?
  – Entertainment (Music, Movies): Sony
  – Department Stores: Target
  – Home Improvement: Home Depot
• Now incl. Critical Manufacturing Sector
  – Expands Well Beyond Defense Industrial Base


Must Decompose “Critical Infrastructure”

• Object: “systems and assets”

• Tangibility: “physical or virtual”

• Significance: “so vital to the U.S.”

• Risk: “incapacity or destruction”

• Impact: “debilitating” … on … “security, national economic security, national public health or safety, or any combination”


Policy Analytic Methods

• What is Policy Analysis?
• Public Policy Assessment Model: a Recursive Analytic
  – Identify Interests, Influences & Potential Results
  – Analyze Drivers
  – Predict Influence of Drivers on Results
  – Intervene as Satisfies Constraints
    • feasibility, $ & opportunity cost, side effects
• The NIST Cybersecurity Framework


Policy Evaluation: NIST Comments

• NIST’s ’13 & ’14 Requests for Information (RfI)
• The Preliminary Framework
  http://www.nist.gov/cyberframework/cybersecurity-framework-rfi.cfm
  https://www.federalregister.gov/articles/2014/08/26/2014-20315/experience-with-the-framework-for-improving-critical-infrastructure-cybersecurity
• NIST Analysis Informs Rulemaking
  http://csrc.nist.gov/cyberframework/rfi_comments_2013.html
  http://csrc.nist.gov/cyberframework/rfi_initial_responses.html
• Predictable Results?
  – CyberSecurity Consulting Communities vs. U.S. Chamber Well-Granulated Opposition


Is Security Innovation THE Key to Power Us Out?

• Maybe? Mostly has been!
• DoJ & FTC Technology Markets: I/O lens
  – Product Markets
  – Technology Markets
  – Innovation Markets
• What Role for Intellectual Property (IP)?
  – Best? Copyright, T/S or Patentable?


“Go Ask Alice”

Alice v. CLS Bank (6.19.14 No.13-298)

S/W & BMP Ran Amok, met their Waterloo

Abstract Ideas Implemented on General Use Computer now Passé


SCotUS on S/W & BMP


Alice v. CLS Bank (6.19.14 No. 13-298)

• Alice Corp. claimed a system & method for reducing risk that a party to a deal won’t pay.
• SCotUS opinion:
  – This is a “computer-implemented scheme for mitigating ‘settlement risk’ . . . by using a third-party intermediary.”
  – Claims are drawn (written) to “the abstract idea of intermediated settlement”
  – “merely requiring generic computer implementation fails to transform that abstract idea into a patent-eligible invention.”


Alice v. CLS Bank (6.19.14)

• 1st determine if claims are directed to one of the patent-ineligible concepts
• 2nd examine claim elements
  – Does it contain an inventive concept sufficient to transform an abstract idea into patent-eligibility?
  – “The relevant question is whether the claims here do more than simply instruct the practitioner to implement the abstract idea of intermediated settlement on a generic computer. They do not.”
• “The method claims recite the abstract idea implemented on a generic computer; the system claims recite a handful of generic computer components configured to implement the same idea.”


PTO Response: Post-Alice Examination Analysis

• 1st Determine if claims cover a statutory category:
  – process, machine, manufacture, composition of matter
• 2nd Engage two-step Abstract Idea Test from SCotUS opinion:
  – Determine if claim falls into a judicial exception: law of nature, natural phenomenon, abstract idea
  – Determine whether claim is patent eligible


Step 1: Statutory Category?

• Monopolize “the basic tools of science and technological work?”

• “Impede innovation more than it would promote it?”

• “Integrate the building blocks of human ingenuity into something more by applying the abstract idea in a meaningful way?”

• “Fundamental to economic practices?”
• Is it “an idea itself”?
  – EX: “a principle, an original cause, a motive?”
• Is it a Mathematical Formula/Algorithm?


Step 2: Is the Claim Patent Eligible?

• Does the claim recite “significantly more” than the abstract idea itself?
  – Are there “other limitations in the claim that show patent-eligible application of the abstract idea?”
  – Does it contain only a “mere instruction to apply the abstract idea?”

• How much more is “significantly more”?


Step 2: Examples of “more” that may be “significant” enough

• Does the claim recite an “improvement” to “another technology or technical field?”

• Does it recite “improvements in the function of the computer itself?”

• Does it recite “meaningful limitations beyond generally linking the use of an abstract idea to a particular technological environment.”


Step 2: Examples of “more” that may not be “significant” enough

• Does the claim simply add “apply it” or equivalent language to the abstract idea?

• Does the claim simply recite “implementing” the idea on a computer?

• Does the claim require no more than a generic computer to perform “generic computer functions that are well-understood, routine, and conventional activities previously known to the industry?”


Arguments Favoring S/W Patentability

• Software has been patentable since 1965
• Tech industry is VERY different today than before software patents
  – VERY different compared to before software patents were common
• Companies largely built on software patents
  – Apple, Facebook, Twitter, Google, Priceline etc.
• Why should Society Want Largely Trivial Patents?
  – Plugins that don’t work, or software created and then not updated, or Apps that do trivial things may not need patents
  – Empowers Patent Trolls!
    • Patented to achieve portfolio negotiating power


S/W–BMP Patents NOT Quite Dead Yet!

• Advice to Successfully Patent S/W &/or BMP
• Claim software controls a machine or device
  – But can’t merely control a computer or data processor.
• Claim the software controls the transformation of matter, such as molding synthetic rubber (food transformation)
• Claim invention as a system comprising multiple devices (limitations) including a controlling software or program code
• Claim computer readable storage medium containing software described in method steps


How to Patent Software

• Software must DO something
  – EX: control a machine or process.
• Make S/W part of a multi-component system
• State real limitations on purpose/use of S/W
  – Claim less than broad abstraction/law of nature
  – Don’t have the software merely indicate a condition but have it control something.
• Don’t limit S/W claim to algorithm
  – Integral application of algorithm to method.


Post-Alice S/W Patenting

• July 8: A U.S. court in New York invalidated a patent for an online dieting tool.
• July 17: A federal appeals court struck down a patent on the idea of keeping the look of digital photos consistent when moved across devices.
• Aug. 26: A federal appeals court in Washington nixed a computer-bingo game patent.
• Sept. 3: A federal court in Texas invalidated a patent on the idea of using a computer to convert one retailer's reward points to another's.
• Software and BMP were the darlings of both the troll (non-practicing entity) and bad patent communities, although usually on polar opposite sides.


Post-Alice S/W Patenting

• Financial patents, apparently particularly hedging methods, are highly vulnerable to invalidation
  – Abstract idea focused claims are highly vulnerable to invalidation
• Distinguish patents that claim the “‘building block[s]’” of human ingenuity, which are ineligible for patent protection, from those that integrate the building blocks into something more
• Court must first determine whether the claims at issue are directed to a patent-ineligible concept (Gottschalk); intermediated settlement, like hedging, is an “abstract idea”
• Second step of the Mayo framework: The method claims, which merely require generic computer implementation, fail to transform that abstract idea into a patent-eligible invention
• “Simply appending conventional steps, specified at a high level of generality,” to a method already “well known in the art” is not “enough” to supply the “‘inventive concept’”


Post-Alice S/W Patenting

• "This is only the beginning of the fallout," said Mark Lemley, a patent lawyer and law professor at Stanford University.
• The CLS Bank ruling, and its aftermath, might prompt some inventors and "endlessly creative lawyers" to rely on trademark or trade-secrets law, rather than patent law, to protect their ideas.
• Some patent lawyers think the reckoning is long overdue.
  – "Many of these patents are just taxes and impediments to those companies that are doing the hard work of building products and putting them in the hands of customers," said Suzanne Michel, senior patent counsel at Internet giant Google.
• EFF: In a concise 17-page opinion, the Supreme Court recognized that Alice claimed the abstract concept of “intermediated settlement,” something the Supreme Court recognized was “a fundamental economic practice long prevalent in our system of commerce.”


Post-Alice S/W Patenting

• Trolls’ Weapon — the business-method software patent — is likely dead. Why? Because these patents generally relate to the use of known computer methods to implement known ways of doing business — the hallmark of invalidity under the Supreme Court’s new decision. Also at risk are software patents directed to concepts that occurred in real life, before being implemented in software.

• Alice for some niches still left in software patents, dedicated purpose built computing vs. general purpose computer, not known in application domain before (hedging is old practice), etc.