Over the last decade, the boom of the Internet has had a major impact on the way we interact with other individuals and business entities. Products and services have become available at the touch of a button and access to vast amounts of information has become available to anyone with a direct connection to the web. Much correspondence, which was traditionally mailed through the postal service now takes place online through e-mail communications. Management of bank and other financial services accounts can all be administered through online tools where the customer seldom needs to enter a physical branch location anymore.
There are clearly many advantages to this new connected world and services that are still evolving at the current time will provide even more convenience to users over the next number of years. Unfortunately many of the conveniences of online services come at a price. As software systems have become more advanced so too have the criminals who seek to breach these systems to their own end. Computers have evolved to the point where the information stored now “contain wedding videos, scanned family photos, music libraries, movie collections, and financial and medical records.” (Vacca, 2009) Vast amounts of information is being stored online in newer cloud based services which is creating even larger targets for cybercriminals. Consumers have put their trust in many corporate organizations who handle their sensitive data to protect it adequately from those who would seek to steal or destroy it.
In recent years the United States Government has enacted different laws in response to the cyber threats facing the nation, however many are insufficient due to the international scope of such attacks. This article explores some of these laws and focus on some of the newer legislation enacted to ensure proper compliance at federal agencies. It further explores the responsibility of private corporations to protect themselves for the greater public good. Along with this the challenges will be discussed as well as the barriers to providing comprehensive cybersecurity policies and practices.
Cybersecurity and Cybercriminals
Over the last decade the term cybersecurity has received a lot of attention and has become the forefront focus of many organizations. The term is synonymous with online computer defense, protection against hackers and tightening up system vulnerabilities. In order to understand cybersecurity and its importance it is vital to gain some understanding of who these ‘hackers’ are and what their agendas are. Traditionally in the late 20th century, the term hacker was generally associated with high school pranksters who would seek a thrill from breaking code in archaic systems of the day. This has unfortunately evolved into much greater threats as information systems have evolved over the years. The Landreth study was one of the first attempts to categorize hackers into different groups. The study grouped hackers into 5 classifications; novice, student, tourist, crasher and thief. The novice would have tied closely to the high school prankster example demonstrated above while the crasher and thief categorizations would more closely align with a career criminal hacker. It has been these latter categories that have been the cause for most concern in recent years.
Nowadays the term cracker is often used to describe cybercriminals, which the term hacker can often be used to describe a someone who takes something apart in order to improve or add to a software system. The open source community involves many hackers or programmers who are willing to volunteer their time to contribute to projects that provide benefits to many. (Smith & Rupp, 2002) describe hackers as having a positive purpose “hackers build things, while crackers break them.” The scope of this goes outside this paper and for the purpose of this research, the term hacker will be used where appropriate to describe crackers or cybercriminals.
While the Landreth study gives a nice baseline for categorizing the typical groups of hackers, these categories have been expanded upon and modified over the years. There are also types of individuals who may not even fall into any hacker category but hold responsibility to some system breach. According to Vacca (2009), the disgruntled insider, working from within an organization, is the principle source of computer crimes.
Traditionally we think of hackers outside the organization attempting to ‘break in’, however recent incidents and research point to internal vulnerabilities. These internal incidents generally involve a mix of deliberate and non-deliberate incidents. The typical computer user who has little knowledge of information systems and security may open an e-mail attachment containing malicious code, which could potentially result in a system-wide infection. Deliberate incidents could involve internal users who have a specific agenda and use methods of social engineering to accomplish their goal. Social engineering according to (Winkler & Dealy, 1995), “is the term the hacker community associates with the process of using social interactions to obtain information about a “victim’s” computer system.” An example of social engineering could involve as simple an incident as phone call to from someone impersonating a person with authority, with the goal of retrieving a password from the victim.
Challenges of Cybercrime and the Current Legal System
A solid understanding of the various types of hackers is important in order to combat the various types of cybercrimes. Cybercrime itself is very different from traditional criminal activity. Pfleeger (2007) tells us that modern cybercriminals can often be individuals that are difficult to detect. They “wear business suits, have university degrees, and appear to be pillars of their communities.” In addition to this, because of the wide spread accessibility to the internet and communications, it makes it easier for these criminals to operate in groups spread across the globe. The criminal justice system has limited power when perpetrators outside of the country are involved in these types of criminal activities.
The complexities in catching these cybercriminals has meant that many get away with their crimes and do not face the same punishment as traditional criminals, which leads to the attraction of committing the crime in the first place. The international issue is a major cause for concern because there is no single authoritative group that has the power to prosecute individuals committing these crimes within various countries. In his article titled “Redefining Borders: The Challenges of Cybercrime” (Speer, 2000) discusses some of these challenges and how the legal system is slowly adapting to provide various solutions. Multi-lateral agreements and the Mutual Legal Assistance Treaty (MLAT) are tools which can enable countries to assist each other and process extradition, however this is often a long and costly process which yields disappointing results in apprehending the offender. International organizations like the G8, Interpol and the Council of Europe’s Convention on Cybercrime have been working to combat the threats of cybercrime on a global level, however many challenges remain. What can be interpreted as a crime in one country may be a grey area in another. Furthermore, those nations who do not have the financial resources available to build proper cyber defenses and lack the technological know-how are left vulnerable to attacks. Speer concluded in his article that most necessary modifications and additions to the cybercrime security system will not occur until after a major attack takes place. In their article on Cybercrimes, (Sinrod & Reilly, 2000), claim that “law enforcement officials have been frustrated by the inability of legislators to keep cybercrime legislation ahead of the fast-moving technological curve.” They go on to inform us that competing interests of individual rights such as free speech and privacy need to be looked at when protecting the integrity of public and private networks. This leads us to consider how much of an intervention will be needed by laws and regulations set forth by the United States government in order to tackle these problems.
Government Intervention
Over the years the United States government has been involved with enacting laws and regulations concerning security of information systems and compliance laws. One of the most comprehensive laws, the Federal Information Security Act (FISMA) was put in place to require “all government agencies to develop security management systems.” Vacca (2010). In order to comply with FISMA, the agency must perform a risk assessment to determine what controls will be needed and then implementation of these controls must be carried out. FISMA provides a comprehensive framework which is mandated by government agencies and their contractors. The Office of Management and Budget (OMB) must approve each agencies plan for FISMA implementation. While FISMA has been mandated for the government it can however provide an effective set of guidelines for the private sector with regards to securing information systems.
FISMA has not been free of criticism since it was introduced in 2002. Allan Paller, who is the director of research at the SANS Institute, wrote an article sharing his concern that the scores or grades agencies have receive on FISMA implementation in the past have not necessarily measure security effectively. Paller (2008) notes that newer FISMA legislation would improve on the current Act. FISMA requires a large commitment from the agencies that must adapt to meet the standards in the law. Ongoing auditing and reporting are part of the process which require more resources and time for successful implementation. FISMA will continue to evolve and while it requires much from the organizations who are bound to the legislation, it is an essential tool in the federal agencies to ensure that security will continue to be a high priority while information systems continue to expand in both size and complexity.
The U.S. Government sponsored the publication of the National Institute of Standards and Technology (NIST), which provides a comprehensive list of security controls based on different security classifications. These controls not only provide a comprehensive framework for government agencies to follow in order to become FISMA compliant, but other organizations outside the government can use this in order to develop own cybersecurity programs and controls. While it can be used, FISMA does not mandate requirements on private entities. Other state laws have been enacted over the years which mandate organizations to release information on specific kinds of security breaches, however this differs in various parts of the country.
In his Handbook of Information Security (Bidgoli, 2006) points out two United States federal laws that directly address I.T. security. These are the Financial Services Modernization Act of 1999 and HIPAA 1996. Both of these laws focus on privacy of certain personal information and also address the security of the data. The Financial Services Modernization Act, commonly referred to as the Gramm–Leach–Bliley Act (GBL) is limited to “nonpublic personal information” collected by financial institutions. The Health Insurance Portability and Accountability (HIPAA) Act established national standards for the privacy and security of health information. Bidglio also discusses other laws enacted at the federal level which include consumer protection laws, Electronic Communications Privacy Act, Sarbanes-Oxley Act, Uniform Computer Information Teansactions Act and the Computer Fraud and Abuse Act. Some of these laws “directly and indirectly affect the impact of I.T. security by imposing obligations to maintain the privacy of personal information.” (Bidgoli, 2006).
Corporate Responsibility and Ethical Considerations
While both federal and state laws exist to mandate information security for different types of corporate entities, much more is needed to be done in order to properly protect information assets. The government reach can only go so far. Even if all of the current laws are followed and organizations are compliant, it doesn’t mean that their cybersecurity programs are comprehensive enough to defend against attacks. Each organization is different and each will need to carefully review their own vulnerabilities as well as external and internal treats facing their systems.
Last January, Apple released the iPad, a new tablet device that could connect directly to AT&T’s cellular service and wi-fi networks. The iPad was designed to provide a means of accessing electronic content on the web as well as storing personal files. A major confidentiality security breach took place last summer, which was reported in the Washington Post. As reported by Cha (2010), a vulnerability in the iPads connection to AT&Ts website led to the exposure of over 114,000 personal e-mail addresses and iPad identification numbers belonging to users. While the information exposed did not contain any other personal details, it did in addition provide a possible way for hackers to gain access to iPad devices through the e-mail / ID combination. This story was reported on a national level and tarnished Apple’s reputation.
The report went on to disclose that several other security vulnerabilities have been discovered in Apple’s devices including its popular iPhone. As Vacca (2010) points out, events like this can have a long lasting impact on an organization’s bottom line because of loss of trust damage to reputation. Even the larger organizations such as Apple, which have invested large amounts of capital in security infrastructure are not immune from malicious threats. Many other examples can be found at an alarming rate over the last few years.
Recent events with Sony first of all with their Playstation Network breach and later with their Sony Pictures system being hacked demonstrates that these attacks are a very real threat even to massive corporations. In the case of Sony it was reported by several sources including IT-Networks (2011) that the passwords stored in their Sony Pictures database were not encrypted. To store plain text passwords in any form of commercial application in today’s online environment is simply inexcusable.Private corporations need to invest more heavily in their security programs in order to protect their consumers. Since most of the online services in the United States are controlled by the private sector the responsibility to protect the public good lies directly in their control. The U.S. Government needs to continue to improve and enact new laws in order to protect individuals, however ultimately the most comprehensive security policies are going to have to be devised by the corporations themselves.
Ethical considerations of extensive security practices also need to be considered at the private sector. Many individuals rely on the use of information systems online and put their trust into the organizations providing them. In the Computer Security (Bosworth, Kaybay, & Whyne, 2009) discuss ethics in terms of the stakeholder. In most organizations the stakeholders are generally considered to customers, suppliers, employees and sometimes competitors. Bowsorth et al goes on to discuss the stakeholders as an ethical principle and how decisions may harm or benefit them. This of course ties into the dilemma that many organizations have regarding how much of their resources should be spent on providing a comprehensive security approach.
Unfortunately security is considered by many in a way that “the perceived cost of comprehensive information system security is seen as too high compared to the risks – especially financial consequences – of not doing it.” (Pfleeger, 2007). In light of recent security breaches that have been publicized on a national and international level including Sony, Apple and many other examples, perhaps we are at a turning point where these attitudes will change.
Concluding thoughts
This article explored the challenges facing both the United States Government and the private sector with regard to cybercrime. While the government cannot control and dictate how corporate organizations run their information system security programs, it can lead by example through such programs as FISMA using the NIST framework for its agencies. Already many organizations in the private sector have started implementing the various security controls documented by the government sponsored publication and many more will no doubt follow as they refine their security programs. Furthermore the United States Government will need to continue enhancing and enacting new laws to cope with newer technologies and threats. They will need to work on an international level with other countries to devise programs that will provide protections on a global scale.
Much responsibility still lies directly within the private sector taking a lead in developing comprehensive security controls to protect their assets as well as their stakeholders interests. It has been difficult for many to justify the expense associated with security as it does not always provide a tangible product or clear benefit. With the recent news coverage of huge financial losses of organizations where attacks were successful, this may bring a realization to others that the vulnerabilities of their systems need to be examined closely. In the long run, organizations who do not invest in their cybersecurity programs for their good and the good of the nation overall, may someday find themselves losing the respect of their stakeholders through an unexpected cyberattack that not only devastates them financially but also their reputation, where the costs may be immeasurable.
References
Bidgoli, H. (2003). Handbook of Information Security. Bakersfield, CA:John Wiley & Sons Inc.
IT-Networks. (2011). Sony Pictures Hacked, As Attackers Reveal One Million Passwords Were Unencrypted And Stored In Plain Text. Retrieved from: http://www.it-networks.org/2011/06/06/sony-pictures-hacked-attackers-reveal-million-passwords-unencrypted-stored-plain-text/
National Institute of Standards and Technology. (2011). Retrieved from: http://www.nist.org
Paller, A. (2008). FISMA 2008: A better solution. Retrieved from: http://fcw.com/articles/2008/09/26/paller-fisma-2008-a-better-solution.aspx
Pfleeger, C. (2007). Security in Computing Fourth Edition. Boston, MA: Pearson Education Inc.
Smith, A., D., & Rupp, W., T. (2002). Issues in cybersecurity: Understanding the potential risks associated with hackers/crackers. Information Management & Computer Security, 10(4), 178-183. Retrieved June 11, 2011, from ABI/INFORM Global. (Document ID: 208754531).
Sinrod, E., J., & Reilly, W., P. (2000). Cyber-Crimes: A Practical Approach to the Application of Federal Computer Crime Laws, 16 SANTA CLARA COMPUTER & HIGH TECH. L.J. 177, 194
Speer, D. (2000). Redefining Borders: The Challenges of Cybercrime. The challenges of cybercrime. Crime, Law and Social Change, 34(3), 259-273. Retrieved June 12, 2011, from ABI/INFORM Global. (Document ID: 403872181).
Vacca, J. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann Publications.