Organizational Unit:
School of Public Policy


Publication Search Results

Now showing 1 - 2 of 2
  • Item
    Explaining US Cybersecurity Policy Integration Through a National Regime Lens
    (Georgia Institute of Technology, 2021-12-14) Farhat, Karim
    This research uses the Policy Regime Framework to analyze which of two policy problems, US-China rivalry or IT/OT convergence, better explains degrees of coherence and integration in the US cybersecurity regime. It explains how regime actors address and negotiate these problems across the ICT and energy sectors. A process-tracing methodology was used to track outcomes and explanatory factors, linking causal mechanisms through an analysis of the Congressional record and in-depth stakeholder interviews. The results indicate how the idea of Chinese ICTs as a Trojan horse for the Chinese Communist Party’s strategy was more effective than IT/OT convergence at mobilizing interests and advancing coherent cybersecurity policy. Trade and ICT policies were successfully integrated to achieve cybersecurity goals as regime interests bargained to 'weaponize' critical trade interdependencies through the US competitive advantage in the semiconductor industry. This research lends further validity to the Policy Regime Framework in researching cross-sector-spanning policy problems in the ICT space, especially given recent calls for whole-of-government approaches to address emerging strategic technologies.
  • Item
    What Work? Quasi-Experiments in Cybersecurity Policy Interventions
    (Georgia Institute of Technology, 2021-07-30) Grindal, Karl T.
    Given the significance policymakers place on cybersecurity, how effective has a decade of policy interventions been at reducing social costs? This paper uses the limited regulations implemented by State and United States government agencies as quasi-experiments. This work measures regulatory efficacy by compiling mandatory state-level data breach reports to create novel breach incident data sets. A reduction in breach frequency serves as the kind of measurable outcome that regulators would intend cybersecurity policy interventions to address. To this end, I evaluate four cybersecurity regulations: the Massachusetts Data Security Law, the Health Information Technology for Economic and Clinical Health Act (HITECH Act), Federal Trade Commission (FTC) Section 5 enforcements against Wyndham Hotels, and the New York Department of Financial Services (NY DFS) cybersecurity regulations. I assessed each regulatory intervention as a quasi-experiment, employing segmented time-series regressions to evaluate the relative change in reported data breaches. These quasi-experiments controlled for policy implementation phases and reporting requirements. As these policies have overlapping aims (creating information security programs), we can infer whether this meta-regulatory approach, the encouragement of self-regulation by industry with corresponding civil penalties, has been an effective regulatory strategy. An effective regulatory system would sufficiently motivate the targeted population to improve their cyber posture, such that there was a reduction in breach reporting. Ultimately, three of the cases discussed did not show an impact. However, analysis of the NY DFS regulation suggests a meaningful decrease of approximately 27 breaches in the following year. Comparing these regulations shows differences in scope, content, and penalties that may explain this disparate level of impact.
Next, the efficacy of NY DFS regulations is placed in context with a discussion of potential savings and the duration of the effect. While demonstrating that cybersecurity regulations can meaningfully reduce breaches, this work suggests that this effect is neither generalizable across diverse contexts nor a satisfactory solution to the complex and pervasive issues associated with identity theft, fraud, and cybercrime. Overall, these findings suggest potential promise in this methodology for the policy evaluation of data security laws and regulations. Policymakers could improve these assessments by standardizing the reporting of mandatory breach notification data so that policy efficacy can be better measured. Because of its similarity to the NY DFS regulations, this finding may also provide preliminary empirical evidence for the Insurance Data Security Model Law propagated by the National Association of Insurance Commissioners. Drawing on this methodology, this model legislation and other data security and privacy regulatory interventions should now be the subject of future research. The first step for policymakers seeking to design rules to protect citizens' privacy and security is knowing what works?