States Unclear About What Constitutes ‘Reasonable’ Cybersecurity

Although most organizations have taken steps toward preventing cyber incidents, considerably fewer have incident response plans in place, according to a recent report.

“I think it was good news/bad news,” said Scott Shackelford, one of three report authors and an assistant professor of business law and ethics at Indiana University. “On the good news side of the ledger, a super majority—approaching 95% for both the public and private sector leaders that responded to this survey—said they were either somewhat or very concerned about cyber risk.”

More good news: About 80% of public-sector respondents said their organization had taken proactive steps to manage that risk. A common step involves the purchase of cyber insurance, which Shackelford said may not be the best option. Insurance policy costs are rising, according to studies such as a Government Accountability Office report, while coverage decreases.

“The extent to which we can rely on cyber insurance as a useful tool to manage these risks, I think that’s really being called into question and that’s going to be challenging,” Shackelford said. “I’m wondering if we’ve already reached an inflection and [policies] are on the downturn because they’re just getting so expensive, even when you can get them to begin with.”

Also concerning is the fact that almost half of all respondents—about 40% in the public sector—said they have no incident response plan. Although medium and large organizations are likelier to have them, the percentage drops sharply for smaller county and local governments. “It underscores the point that the norm is not to have those plans,” Shackelford said, even in places like Carmel, Ind., which fell victim to a ransomware attack in 2020.

Survey results indicate that confusion is largely to blame for the gap. “It gets to that core question of what the heck is reasonable cybersecurity, how does it vary by organization type—even public and private sector,” Shackelford said.

The report states that “there is a movement … toward a standards-based approach to defining ‘reasonability’ in the cybersecurity context” that would go a long way in helping both sectors shore up defenses. It “should be thought of as a sliding scale but with certain universal precautions that all [organizations], regardless of their size or sophistication, should arguably be taking into account.” Those include the sensitivity of the information and cost/benefit analysis.

In 2021, at least 45 states introduced or considered more than 250 bills or resolutions related to cybersecurity and 25 enacted bills, according to the National Conference of State Legislatures. Shackelford points to California and Ohio as examples of two main approaches.

“The big bifurcation that really struck me was the two approaches being tried either defining reasonable cybersecurity quite specifically, as California and a few other states do, vs. the safe harbor approach of Ohio, where they give a menu of options and they allow businesses to select which makes the most sense in return for a liability shield,” he said.

Most states seem to agree on using a combination of the National Institute of Standards and Technology’s Cybersecurity Framework and the Center for Internet Security Top 20 security controls, according to the report.

“There would be a big benefit to having a single federal standard” on reasonableness, Shackelford said, adding that he doesn’t think one will come anytime soon. But “even if the federal government doesn’t act, just by dent of what’s happening around the world and at the state level, I think a lot of local businesses, a lot of governments are going to be converging by default. I think the question is when the federal government does act, is it going to be a ceiling or a floor?”

Federal efforts are afoot, however. For instance, President Biden signed a law March 15 requiring critical infrastructure entities to report cyberattacks within 72 hours and ransomware payments within 24.

“There are so many types of cyber risks that agencies are facing these days, so clearly there’s not one definition of reasonableness out there,” Shackelford said. “It does have to depend a lot on circumstance and context. But to the extent that we can start to just better educate the local governments … where we can all agree, ‘Well, at least this,’ all the better. I think that will help avoid some of this confusion.”

The survey, which the researchers distributed in 2021 with the Indiana Executive Cybersecurity Council and the Indiana Business Research Center, had an overall response rate of about 6%, so Shackelford said the findings should be taken with a grain of salt, but the working paper is only the first step in the research. The next version of the survey will look at how cybersecurity practices change after an infusion of funding from the Bipartisan Infrastructure Law.