During his 2013 State of the Union address, President Obama highlighted the importance of defending our nation from the many cyber threats that are continuing to dominate the news cycles. Just days prior to the President’s speech, eighteen people were charged in a massive credit card fraud ring. The Associated Press (2013) described it as a “sprawling international scam that duped credit-rating agencies” by using stolen identities of individual victims to steal $200 million. We hear more and more of these stories all the time and the level and sophistication of the attacks continue to grow, causing more damage to those affected.
In the last year, Congress failed to enact legislation that would affect private businesses and protect individuals. Some see government intervention in such matters as counter-productive, while others argue that changes imposed at the federal level must be made in order to protect our core infrastructures from attack. In the last decade, several newer laws have been created to defend against cyber-attacks; however, on many occasions these have been insufficient to deal with the real international threats facing both individuals and corporations. President Obama concluded that “we cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.” Time (2013).
This article examines the arguments for and against government intervention in terms of more cyber security legislation. It looks at some of the current laws and focuses on some of the newer legislation enacted for compliance at federal agencies. It also explores the responsibility of private corporations to protect themselves for the greater public good, the dangers involved at the national security level, and barriers to providing comprehensive cyber security policies and practices.
Responsibility of the Federal Government
In July of 2012, President Obama wrote an opinion editorial for the Wall Street Journal outlining the very real and serious threats that face our nation. In the article, the President described a simulation whereby “trains had derailed, including one carrying industrial chemicals that exploded into a toxic cloud. Water treatment plants in several states had shut down, contaminating drinking water and causing Americans to fall ill.” He confirmed the simulation was put in place to demonstrate the very real consequences of a malicious cyber-attack and underlined the fact that the “cyber threat to our nation is one of the most serious economic and national security challenges we face.” Obama (2012). The President made a strong case that Congress must pass comprehensive cybersecurity legislation. A bill that would have addressed security concerns with critical infrastructure went before Congress in 2012; however, it failed to pass. Those who opposed the bill were concerned that it proposed too much government regulation of private industry. Now that the election is behind us, the President has once again put the issue of cybersecurity back on the table by signing an executive order that uses a standard-setting approach to improve cybersecurity.
This brings us to the question of whether or not it is up to the government to ‘tell’ private industry how to set up or improve its cybersecurity. After the Senate bill failed last year, NPR broadcast a program that attempted to answer this very question. Ken Dilanian, the National Security Correspondent for the LA Times, described three types of threats. The first is cybercrime, which includes attacks such as identity theft and the stealing of credit card numbers, organized by individuals as well as by transnational criminal groups. The second category described was cyber espionage. This type of attack is more concerned with stealing intellectual property for profit. NSA Chief Keith Alexander described the loss of industrial information and intellectual property through cyber espionage as the “greatest transfer of wealth in history.” Rogin (2012). The last category described, which can be argued to be the most worrying, is that of cyber acts of war. These include attacks against critical infrastructure and physical destruction leading to casualties. This is the type of attack the President described in the 2013 State of the Union address.
Not everyone, however, is convinced that cyber acts of war are as big a threat as they have been made out to be, which may be part of the reason that the Cybersecurity Act of 2012 failed to pass. The Senate bill, which included certain regulations for standards, received much criticism from the Chamber of Commerce and the Republican Party. Even the House bill, which included only voluntary measures, failed to get the support it needed, since its information-sharing provisions raised privacy concerns. The basis of the argument against these pieces of legislation overall was that technology standards are changing so fast that regulation would not be able to keep up. There is also the stigma of ‘big government’ dictating more rules to the private sector.
Later in the NPR program, Larry Clinton, President of the Internet Security Alliance, joined the conversation, asserting that mandatory standards set by the government don’t work in the “dynamic and fast moving space of cybersecurity.” He was of the opinion that a more incentive-based approach would lead to more effective cybersecurity policies in the private sector, and that the Senate needs to address the cost of beefing up defenses within the private sector. The point he made was that everyone agrees our critical infrastructure should be protected, but whether that should be achieved through government regulation or an incentive-based approach seems to be where the disagreements occur. He also asserted that those working in private industry are the so-called “Generals” in cyber warfare: they are fighting attacks every day and they have the most knowledge about them. While there was some consultation with the private sector, ultimately the bill turned over the decision of what the standards and practices would be to a group of political appointees, “who had no real knowledge of cybersecurity.”
On the flip side of the argument was Jim Lewis, Director of the Technology and Public Policy Program at the Center for Strategic and International Studies. His argument was that there need to be performance-based outcome standards; the government doesn’t care how it’s done so long as it is implemented. He argued that standards wouldn’t be difficult to implement and that there are already frameworks of standards from which they could be derived, such as those of the National Institute of Standards and Technology (NIST), which currently focus on government agencies. Lewis went on to argue that no company is doing anything wrong; however, since there are no baseline standards, nothing is getting done. NPR (2012).
Arguments on both sides are compelling and could be discussed in more depth; however, the main points that emerge from examining the differences of opinion on what role the government should play in protecting our vital infrastructure highlight the complexity of the issue. There are certainly cases where the general public is beginning to take notice of weaknesses in our nation’s cybersecurity protective measures. Just last year in South Carolina, a stolen state employee password allowed a hacker to breach the South Carolina tax system, gaining information on nearly 4 million individual and 800,000 business tax filers. Chabrow (2013). Governor Nikki Haley is devoted to improving current legislation at a time when she is up for reelection next year. Due to public demand, she “can’t afford not to keep addressing cybersecurity head-on.” Whether it is our financial infrastructure, energy grid, or another critical area, the Government must act to at minimum put in place base standards that everyone can agree upon and provide the right level of incentives to ensure that the private sector complies, ensuring greater protection within our country.
Current Methods of Government Intervention
Over the years the United States government has been involved in enacting laws and regulations concerning the security of information systems and compliance. One of the most comprehensive laws, the Federal Information Security Management Act (FISMA), was put in place to require “all government agencies to develop security management systems.” Vacca (2010). In order to comply with FISMA, an agency must perform a risk assessment to determine what controls will be needed and then implement those controls. FISMA provides a comprehensive framework that is mandatory for government agencies and their contractors. The Office of Management and Budget (OMB) must approve each agency’s plan for FISMA implementation. While FISMA is mandated only for the government, it can nevertheless provide an effective set of guidelines for the private sector with regard to securing information systems.
FISMA has not been free of criticism since it was introduced in 2002. Alan Paller, the director of research at the SANS Institute, wrote an article sharing his concern that the scores or grades agencies have received on FISMA implementation in the past have not necessarily measured security effectively. Paller (2008) notes that newer FISMA legislation would improve on the current Act. FISMA requires a large commitment from the agencies, which must adapt to meet the standards in the law. Ongoing auditing and reporting are part of the process and require more resources and time for successful implementation. FISMA will continue to evolve, and while it requires much from the organizations bound by the legislation, it is an essential tool for federal agencies to ensure that security remains a high priority while information systems continue to expand in both size and complexity.
The U.S. Government sponsored a National Institute of Standards and Technology (NIST) publication that provides a comprehensive list of security controls based on different security classifications. These controls not only provide a comprehensive framework for government agencies to follow in order to become FISMA compliant, but organizations outside the government can also use them to develop their own cyber security programs and controls. While private entities may use the framework, FISMA does not impose requirements on them. Various state laws have been enacted over the years that require organizations to release information on specific kinds of security breaches; however, these differ in various parts of the country.
In his Handbook of Information Security, Bidgoli (2006) points out two United States federal laws that directly address I.T. security. These are the Financial Services Modernization Act of 1999 and HIPAA of 1996. Both of these laws focus on the privacy of certain personal information and also address the security of the data. The Financial Services Modernization Act, commonly referred to as the Gramm–Leach–Bliley Act (GLB), is limited to “nonpublic personal information” collected by financial institutions. The Health Insurance Portability and Accountability Act (HIPAA) established national standards for the privacy and security of health information. Bidgoli also discusses other laws enacted at the federal level, which include consumer protection laws, the Electronic Communications Privacy Act, the Sarbanes-Oxley Act, the Uniform Computer Information Transactions Act and the Computer Fraud and Abuse Act. Some of these laws “directly and indirectly affect the impact of I.T. security by imposing obligations to maintain the privacy of personal information.” (Bidgoli, 2006).
Impact of Cyber Regulations and Responsibility of the Private Industry
Times are continuing to change, and in the cybersecurity space there is a clear need for more protections to be put in place than those described above. The question, however, remains: how much more involvement should take place at the Federal Government level? Many on the side of a more incentivized approach and less regulation argue that implementing effective controls to keep up with regulations would be too costly, shifting the focus to meeting government standards and away from addressing new and sophisticated threats. The CEO of Global Cyber Risk, Jody Westby, was against the failed Cybersecurity Act of 2012 and stated that it “actually would put a federal agent inside most of these businesses’ data centers and require assessments and reporting that could make Sarbanes-Oxley seem inexpensive.” Free Enterprise (2012).
At the same time we have to consider the importance of protecting our nation’s vital infrastructures. A recent CNN article discussed the various vulnerabilities and attacks in all areas of our energy infrastructure, including nuclear targets, Goldman (2012). The author pointed out the alarming rate at which hacker attacks had spiked in 2012. If we analyze hypothetical scenarios, such as the one the President alluded to, we have to consider the cost of failing to comply with regulations, of meeting only the minimum requirements, and of exceeding the minimum requirements.
In 2012, the Ulster Bank in Northern Ireland, part of the Royal Bank of Scotland, had a massive computer breakdown when a software upgrade went wrong. While there is no evidence to conclude this was caused by a cyber-attack, it underlines our dependence on reliable and secure systems within this industry. The breakdown caused “upheaval in the lives of customers in Britain and Ireland, but most spectacularly for well in excess of 100,000 customers at Ulster Bank who have struggled to access their own cash and have been unable to make everyday payments.” The Irish Times (2012). Now take this scenario and imagine that instead of the Royal Bank of Scotland, Capital One or Wells Fargo encountered a similar situation, but one caused by a deliberate perpetrator. Couple this with another attack on our energy infrastructure and the result would be dramatic problems throughout the country. These are hypotheticals; however, they are based on real events, such as the blackout the east coast saw last summer, the storm that affected New York and New Jersey just a few months back, and a very real computer glitch in the UK, all within the last year. Failing to meet minimum standards, or meeting them and no more, will not be enough to protect us from the increasing cybersecurity threats facing this nation.
While both federal and state laws exist to mandate information security for different types of corporate entities, more needs to be done in order to properly protect information assets. The government’s reach can only go so far. Even if all of the current laws are followed and organizations are compliant, it doesn’t mean that their cyber security programs are comprehensive enough to defend against attacks. Each organization is different, and each will need to carefully review its own vulnerabilities, as well as the external and internal threats facing its systems.
Private corporations need to invest more heavily in their security programs in order to protect their consumers. Since most of the online services in the United States are controlled by the private sector, the responsibility to protect the public good lies directly in their hands. The U.S. Government needs to continue to improve and enact new laws in order to protect individuals; however, ultimately the most comprehensive security policies are going to have to be devised by the corporations themselves.
Ethical considerations of extensive security practices also need to be taken into account in the private sector. Many individuals rely on the use of information systems online and put their trust in the organizations providing them. In the Computer Security Handbook, Bosworth, Kabay, and Whyne (2009) discuss ethics in terms of the stakeholder. In most organizations the stakeholders are generally considered to be customers, suppliers, employees and sometimes competitors. Bosworth et al. go on to discuss the stakeholders as an ethical principle and how decisions may harm or benefit them. This of course ties into the dilemma that many organizations face regarding how much of their resources should be spent on providing a comprehensive security approach. Unfortunately, security is considered by many in a way that “the perceived cost of comprehensive information system security is seen as too high compared to the risks – especially financial consequences – of not doing it.” (Pfleeger, 2007). In light of recent security breaches that have been publicized on a national and international level, perhaps we are at a turning point where these attitudes will change.
Conclusion
This article explored the challenges facing both the United States Government and the private sector with regard to cyber-crime. Some believe that the government must play a greater role to ensure that corporate organizations take action in securing information systems. Others believe in a more incentivized approach, letting those in private industry come up with the standards and addressing the economic need to support their efforts. Another position that must be considered is that the United States Government can lead by example through programs such as FISMA, using the NIST framework for its agencies. Many organizations in the private sector have already started implementing the various security controls documented in the government-sponsored publication, and many more will no doubt follow as they refine their security programs. Furthermore, the United States Government will need to continue enhancing and enacting new laws to cope with newer technologies and threats. It will also need to work at an international level with other countries to devise programs that will provide protections on a global scale.
Much responsibility still lies directly within the private sector, which must take the lead in developing comprehensive security controls to protect its assets as well as its stakeholders’ interests. It has been difficult for many to justify the expense associated with security, as it does not always provide a tangible product or clear benefit. Quite often the challenge remains that it is difficult to demonstrate a Return On Investment (ROI) for beefing up defenses and preventing attacks. With the recent news coverage of huge financial losses at organizations where attacks were successful, this may bring a realization that the vulnerabilities of corporate systems need to be examined closely. In the long run, organizations that do not invest in their cyber security programs, for their own good and the good of the nation overall, may someday find themselves losing the respect of their stakeholders through an unexpected cyber-attack that devastates not only their finances but also their reputation, where the costs may be immeasurable.
References:
- Bidgoli, H. (2003). Handbook of Information Security. Bakersfield, CA: John Wiley & Sons Inc.
- Flaherty, A. (2013). State of the Union: Obama’s Cybersecurity Plan. Time Tech. Retrieved from: http://techland.time.com/2013/02/13/state-of-the-union-obamas-cybersecurity-plan
- Free Enterprise (2012). Cybersecurity: More Government Regulation? Retrieved from: http://www.freeenterprise.com/regulations/cybersecurity-more-government-regulation
- IT-Networks. (2011). Sony Pictures Hacked, As Attackers Reveal One Million Passwords Were Unencrypted And Stored In Plain Text. Retrieved from: http://www.it-networks.org/2011/06/06/sony-pictures-hacked-attackers-reveal-million-passwords-unencrypted-stored-plain-text/
- National Institute of Standards and Technology. (2011). Retrieved from: http://www.nist.org
- NPR. (2012). Is there a Role for Government in Cybersecurity. Retrieved from: http://www.npr.org/2012/08/07/158370063/the-role-of-government-in-cybersecurity
- Paller, A. (2008). FISMA 2008: A better solution. Retrieved from: http://fcw.com/articles/2008/09/26/paller-fisma-2008-a-better-solution.aspx
- Pfleeger, C. (2007). Security in Computing Fourth Edition. Boston, MA: Pearson Education Inc.
- Rogin, J. (2012). NSA Chief: Cybercrime constitutes the “greatest transfer of wealth in history”. Foreign Policy. Retrieved from: http://thecable.foreignpolicy.com/posts/2012/07/09/nsa_chief_cybercrime_constitutes_the_greatest_transfer_of_wealth_in_history
- Smith, A. D., & Rupp, W. T. (2002). Issues in cybersecurity: Understanding the potential risks associated with hackers/crackers. Information Management & Computer Security, 10(4), 178-183. Retrieved June 11, 2011, from ABI/INFORM Global. (Document ID: 208754531).
- Sinrod, E. J., & Reilly, W. P. (2000). Cyber-Crimes: A Practical Approach to the Application of Federal Computer Crime Laws. 16 Santa Clara Computer & High Tech. L.J. 177, 194.
- Speer, D. (2000). Redefining Borders: The Challenges of Cybercrime. Crime, Law and Social Change, 34(3), 259-273. Retrieved June 12, 2011, from ABI/INFORM Global. (Document ID: 403872181).
- Vacca, J. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann Publications.