No state has more at stake on cybersecurity than California. From Hollywood’s intellectual property to the Central Valley’s water reserves to Silicon Valley’s cloud services, the Golden State is at singular risk. But, as the world’s innovation capital, California also has a unique opportunity to advance cybersecurity.
At last week’s State of the Union address, President Barack Obama announced a new federal cybersecurity agenda. Except … it wasn’t so new. It was a portfolio of unpopular old proposals, dusted off and relabeled. The odds of clearing Congress: low. The odds of materially improving security: even lower.
That’s a shame. Events over the past year – most prominently, the breach at Sony Pictures in Culver City – have highlighted the growing importance of cybersecurity. Attacks are more frequent, better organized and increasingly sophisticated. And intruders are driven by a diverse range of motives – greed, malice, national security or even national pride. America’s consumers, businesses and government agencies are undeniably under threat.
While the federal government is stalled, however, the states have an opportunity to lead. California could blaze a trail for effective cybersecurity policy.
The Golden State is, in fact, already an innovator on technology security and privacy. In 2002, California passed the nation’s first data breach notification law. If a company leaks personal data, it has to fess up and provide warning. Forty-six other states now have similar laws on the books. In 2003, California mandated that online services make commitments about how they handle consumer data. That farsighted policy has contributed to numerous law enforcement actions, both federal and state, where a business has bungled security or privacy.
Demonstrated successes aside, there are other reasons for California to step up. One of the greatest concerns in cybersecurity policy is critical infrastructure, such as power and water. Even brief disruptions in service could have extraordinary economic and human costs. Remember the Northeast blackout of 2003? It may have claimed dozens of lives and cost the economy billions of dollars. And it was caused, in part, by a software bug. California should not tolerate a fraction of that risk from cybersecurity threats.
Utilities are already subject to extensive state legal requirements, and they already answer to a powerful state regulatory commission. Addressing security and privacy would be a sensible application of existing authority.
Critical infrastructure increasingly relies on industrial automation systems. And those systems are often vulnerable – they keep a default password, for instance, or are accessible from the public Internet. These are not subtle or sophisticated errors. Fixing them requires basic due diligence, not rocket science. Requiring the state’s critical infrastructure providers to undergo regular security audits would be straightforward and inexpensive – especially relative to the enormous risks.
Areas of sensitive data are also low-hanging cyber fruit. In health care, education and finance, California already imposes security and privacy requirements that go beyond federal law. Those legal mandates, though, are mostly enforced through after-the-fact penalties. Much like critical infrastructure, sectors that rely upon sensitive data would benefit from periodic outside auditing.
California’s own agencies are yet another worthwhile focus. Many government systems are outdated, including some that contain sensitive data. According to the California Department of Justice, there were at least 20 leaks from state and local agencies in just the past year. In addition to regular audits, uniform security training and standards would be no-brainer policies.
What’s more, California could benefit the private sector through its own improvements. It could improve services on the market by leveraging its massive acquisition outlays, presently over $4.5 billion on information technology projects. The state could also lead by example in deploying security technology. Migrating state and local websites to https, the secure Web protocol, would be a good first step.
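The two failure modes named above, control systems left on default passwords or reachable from the public Internet, and websites not yet served over https, are the kind of checks a periodic audit would run. The script below is an added example, not code from the authors or from any state agency; it audits a constructed asset inventory (device names, addresses, credentials and captured HTTP responses are all made up), treats `OT_NETWORKS` as a hypothetical list of the utility's control networks, and uses a one-year HSTS max-age as an assumed bar for a completed https migration.

```python
"""Baseline audit of an asset inventory for the errors the article calls
basic due diligence: default vendor credentials, control systems outside
the OT network, and websites not properly migrated to https.

Added example; the inventory and network ranges below are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Vendor default credential pairs (constructed, illustrative; a real audit
# would use vendor documentation or a maintained default-password list).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "1234"),
}

# Hypothetical control (OT) networks. A PLC or HMI addressed outside them is
# flagged as exposed; a real audit would confirm reachability by scanning
# from outside rather than trusting the inventory.
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Minimum HSTS max-age accepted as a finished https migration: one year
# (assumed threshold for this example).
MIN_HSTS_MAX_AGE = 365 * 24 * 3600


@dataclass
class Asset:
    name: str
    kind: str                 # "plc" / "hmi" (control systems) or "web" (public site)
    address: str              # IP address the service listens on
    username: str = ""
    password: str = ""
    # For "web" assets: what a plain http:// request returned, and the
    # Strict-Transport-Security header of the https:// response (if any).
    http_status: int = 0
    http_location: str = ""
    hsts: str = ""


def uses_default_credentials(asset: Asset) -> bool:
    return (asset.username, asset.password) in DEFAULT_CREDENTIALS


def control_system_outside_ot_network(asset: Asset) -> bool:
    """Control systems should live only on the isolated OT networks."""
    if asset.kind not in ("plc", "hmi"):
        return False
    ip = ipaddress.ip_address(asset.address)
    return not any(ip in net for net in OT_NETWORKS)


def hsts_max_age(header: str) -> int:
    """Return the max-age directive of an HSTS header value, or 0 if absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", header, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def https_findings(asset: Asset) -> list[str]:
    """Check a public website against a simple https-migration bar."""
    findings = []
    if asset.kind != "web":
        return findings
    redirected = (asset.http_status in (301, 308)
                  and asset.http_location.lower().startswith("https://"))
    if not redirected:
        findings.append("plain http not permanently redirected to https")
    if hsts_max_age(asset.hsts) < MIN_HSTS_MAX_AGE:
        findings.append("missing or short-lived Strict-Transport-Security")
    return findings


def audit(inventory: list[Asset]) -> dict[str, list[str]]:
    """Map asset name -> findings; assets with no findings are omitted."""
    report = {}
    for asset in inventory:
        findings = []
        if uses_default_credentials(asset):
            findings.append("default vendor credentials still set")
        if control_system_outside_ot_network(asset):
            findings.append("control system addressed outside the OT network")
        findings.extend(https_findings(asset))
        if findings:
            report[asset.name] = findings
    return report


# Constructed inventory; addresses use private and documentation ranges only.
SAMPLE_INVENTORY = [
    Asset("pump-plc-1", "plc", "203.0.113.10", "admin", "admin"),
    Asset("pump-plc-2", "plc", "10.20.0.15", "ops", "correct-horse-battery"),
    Asset("hmi-east", "hmi", "10.20.0.40", "root", "root"),
    Asset("dmv-portal", "web", "198.51.100.7", http_status=200),
    Asset("tax-portal", "web", "198.51.100.8", http_status=301,
          http_location="https://tax.example.gov/",
          hsts="max-age=63072000; includeSubDomains"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run as a script it prints the findings for `pump-plc-1` (two), `hmi-east` (one) and `dmv-portal` (two); `pump-plc-2` and `tax-portal` pass. The checks are deliberately high-level, matching the article's suggestion of review processes and standards rather than mandated products: what counts as a default credential, which networks are "OT", and how long HSTS should pin are inputs an auditor sets, not rules baked into the code.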
There are, to be sure, valid concerns about the Golden State taking action on cybersecurity. For starters, not all of California’s agencies have the requisite technical chops for making and enforcing cyberpolicies. In our view, the skills gap is manageable – outside experts are willing and able to lend a hand.
That’s no hypothetical. When former Secretary of State Debra Bowen had concerns about electronic voting systems in 2007, she brought in a cadre of computer security researchers. They quickly produced a comprehensive set of reports, demonstrating severe vulnerabilities. Similarly, when Attorney General Kamala Harris made consumer privacy a focus of her administration, her staff turned to experts in the field.
We know these models work because we collaborated on them. To this day, the secretary of state’s “top to bottom” review is considered an authoritative study of electronic voting machine security. As for the attorney general’s consumer privacy initiative, it now reaches every major app store. California is home to some of the nation’s greatest technical minds; it should use them.
Another foreseeable worry is that California might mandate specific security technologies. We share this concern. Governments have a spotty track record at picking technical winners and losers, and technology is developing too rapidly for rigid rules. What we suggest is a middle ground: The state could establish review processes and high-level standards, informed by outside experts. Businesses would then have substantial flexibility in meeting those obligations.
An adaptable approach would also facilitate cybersecurity reform in other states. A national patchwork of nit-picky requirements serves no one. Harmonized high-level standards, by contrast, would make multistate compliance straightforward. Best practices could percolate among jurisdictions, channeled through auditors, consultants and large businesses.
As the federal government gets serious about cybersecurity, it too could draw upon California’s template. This is already happening. Versions of the state’s data breach notification law have already won bipartisan support in Congress, and the White House has dubbed it a “landmark” statute.
Even before Congress acts, California does not need to shoulder the cybersecurity burden alone. There are some areas where the federal government has been effective, such as when businesses misrepresent their practices to consumers. The state can complement federal policy in those spaces by cooperating on investigations and policymaking. It can also bring parallel enforcement actions, enhancing incentives for legal compliance.
California also need not tackle cybersecurity all at once. The problem is complex, to be sure, but it is also divisible. Cybersecurity policy could be comfortably enacted in bits and pieces as the state’s priorities evolve. Each of the proposals we suggest here, or reforms like them, could be implemented in an evolutionary and exploratory fashion.
Supreme Court Justice Louis Brandeis famously observed that the states are “laboratories of democracy.” They can experiment, and lead, when the federal government has failed to act. California is already the nation’s laboratory for information technology. It’s time for the state to become a laboratory for cybersecurity policy.
Jonathan Mayer is a doctoral candidate in computer science at Stanford University, where he received his law degree in 2013. He is a cybersecurity fellow at the Center for International Security and Cooperation at Stanford. Edward W. Felten is a professor of computer science and public affairs at Princeton University and the director of Princeton’s Center for Information Technology Policy. He served as chief technologist of the Federal Trade Commission from 2011-12.