Incentivizing Comprehensive Cybersecurity Solutions by Matching Accountability to Capability

POLICY ANALYSIS EXERCISE

Incentivizing Comprehensive Cybersecurity Solutions by Matching Accountability to Capability

Kevin Mott, Master in Public Policy Candidate, Harvard Kennedy School
Olivia Volkoff, Master in Public Policy Candidate, Harvard Kennedy School

PAPER, MAY 2018

Belfer Center for Science and International Affairs, Harvard Kennedy School, 79 JFK Street, Cambridge, MA 02138, www.belfercenter.org

Statements and views expressed in this report are solely those of the authors and do not imply endorsement by Harvard University, the Harvard Kennedy School, or the Belfer Center for Science and International Affairs.

This paper was completed as a Harvard Kennedy School Policy Analysis Exercise, a yearlong project in which second-year Master in Public Policy candidates work with real-world clients to craft and present timely policy recommendations.

Design and layout by Andrew Facini. Cover photo: Adobe Stock. Copyright 2018, President and Fellows of Harvard College. Printed in the United States of America.

About the Authors

Olivia Volkoff is a recent graduate of the Master in Public Policy program at the Harvard Kennedy School and the Master in Business Administration program at Harvard Business School. During this period, she served as both a George and Rubenstein Fellow at the Center for Public Leadership and a Belfer International and Global Affairs Fellow. Prior to her graduate studies, Olivia graduated from Harvard College and served as a U.S. Naval officer and engineer at Naval Reactors Headquarters.

Kevin Mott is a recent graduate of the Master in Public Policy program at the Harvard Kennedy School and the Master in Business Administration program at Harvard Business School. During this period, he served as both a George and Rubenstein Fellow at the Center for Public Leadership and a Tillman Military Scholar. A graduate of the United States Naval Academy, Kevin previously served as a Marine infantry officer.

Acknowledgments

Although any errors or omissions in this paper are ours alone, many people contributed directly or indirectly to it. Many thanks to Michael Sulmeyer, Matt Bunn and Lena G. Goldberg for your advice, support and patience. You have each been endless fountains of new ideas and able guides to us throughout this process.

Table of Contents

Executive Summary  1

PART I: SCOPING THE CYBERSECURITY CHALLENGE

1. Introduction  4
   1.1 Case Selection  5
   1.2 Methodology  7
   1.3 Lessons Learned  8
   1.4 Setting the Context  10
   1.5 Major Trends Shaping Cybersecurity  11
   1.6 Addressing Risk  14
2. Responsibility, Accountability and Liability in Cybersecurity  15
   2.1 Establishing Liability  15
   2.2 Liability in the Cyber Context  17

PART II: CONTEMPORARY CASE STUDIES

3. Case Study: Sony Pictures Entertainment  20
   3.1 Situation  20
   3.2 Timeline  21
   3.3 Analysis of the Event  23
   3.4 Network Analysis  25
   3.5 Lessons Learned  28
   3.6 Who is Accountable?  29
4. Case Study: Target  31
   4.1 Situation  31
   4.2 Timeline  32
   4.3 Analysis of the Event  34
   4.4 Network Analysis  36
   4.5 Lessons Learned  38
   4.6 Who is Accountable?  41
5. Case Study: U.K. National Health Service  42
   5.1 Situation  42
   5.2 Timeline  44
   5.3 Analysis of the Event  45
   5.4 Network Analysis  47
   5.5 Lessons Learned  51

PART III: INCENTIVIZING A BRIGHTER CYBERSECURITY FUTURE

6. Directly Reducing Risk: Regulations, Requirements and Rules  59
   6.1 Government-Led Options  59
   6.2 Industry-Led Recommendations  68
   6.3 Technology-Based Options  72
   6.4 Bridging Government-Led and Industry-Led Options to Address Risk  81
7. Spreading Risk: Cyber-Related Insurance  82
   7.1 Introduction to Cyber-Related Insurance  83
   7.2 Key Challenges  86
   7.3 Making Cyber-Related Insurance an Effective Risk-Spreading Mechanism  95
   7.4 Can Cyber-Related Insurance Incentivize Good Security Practices?  97
8. Preventing Risk: Product Liability Law  100
   8.1 Evolution of Modern Product Liability Law  100
   8.2 Product Liability Law in the Cyber Context  101
   8.3 Cybersecurity Product Liability Law: What Should It Include?  102
   8.4 Implication of Product Liability Law for Sony, Target and NHS Cases  102
   8.5 Shortcomings: Why Cybersecurity Product Liability Law Might Not Work  104
   8.6 Equifax: Future Impact of Class-Action Lawsuits?  106
9. Tactical Options: Cyber Hygiene, Red Teaming and Penetration Testing  108
   9.1 Cyber Hygiene  108
   9.2 Penetration Testing and Red Teaming  110
   9.3 Implementation Challenges: Why Isn't This Happening Already?  112
   9.4 Implications for Sony, Target and NHS Case Studies  113
   9.5 Should Cyber Hygiene, Red Teaming and Penetration Testing Be Mandated?  115
10. Incentivizing Cybersecurity Without Stifling Innovation  117
   10.1 Turning to History: The Seatbelt Debate  117
   10.2 Academic Research: Learning from Other Highly-Regulated Industries  119
   10.3 Lessons

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    160 Page
