UMUC
Introduction
The continuous advancement of information technology remains one of the most important driving forces of globalization in the modern era. From computers to the Internet, these tools have increased the ease, speed and distance at which governments and corporations conduct business. As a result, organizations have grown more reliant on information-related technologies to stay competitive (Rishikof & Lunday, 2011). While these advancements provide important tools for both the public and private sectors, they have also created a serious vulnerability. From identity theft to attacks on national infrastructure, criminals, terrorists and nation-states alike have taken advantage of the Internet for a variety of nefarious purposes. Although not alone in defending against this emerging threat, the United States is unique not only for its leadership role in the world but also for its extensive reliance on networked technologies. As a result of these factors, the U.S. has continuously sought to implement a comprehensive cybersecurity initiative, something the executive and legislative branches have so far failed to adequately address in the 21st century.
With much of America's data infrastructure owned by the private sector, the U.S. government has been forced to walk a fine line between dictating policy and seeking cooperation with corporations and citizens. Given the national security risk that inadequate cybersecurity within the private sector creates, defending against cyber-related threats requires a collective effort. Although a number of laws and executive actions are already on the books and many corporations proactively institute cybersecurity initiatives, there has been no clearly defined national mandate to address this concern. While prior legislative efforts have failed for a number of reasons, public consensus still appears to favor comprehensive reform. This was made evident during the 2013 State of the Union address, when President Obama made it a point to recognize that "America must face the rapidly growing threat from cyber-attacks" (Sternstein, 2013). This announcement was preceded by his signing of an executive order outlining a cooperative effort between the U.S. government and corporations, a sign that comprehensive cybersecurity reform remains a national priority.
Arguments for Government Intervention
As Harknett and Stever (2009) are quick to establish, the first step in addressing the issue of cybersecurity is recognizing the risk to national defense this area represents. From water and power to the financial sector, networked technology has been allowed to permeate virtually every part of the United States' critical infrastructure. This migration to a more networked nation has not escaped the crosshairs of various groups of cyber-attackers. From the 2007 intrusions into servers maintained by the Departments of Defense and Homeland Security to the Stuxnet worm discovered in 2010, cybersecurity has evolved from a nuisance in the early 1990s to a modern-day national security threat (Newmeyer, 2012). Moreover, the majority of America's critical infrastructure components are in private sector hands with no clear guidance on how to implement safeguards. Not only does this situation represent a serious vulnerability to the nation, it also necessitates some level of federal involvement. The degree to which the government should be involved, however, has been one of the most serious stumbling blocks to instituting an effective national cybersecurity defense.
Many critics view the current assortment of laws, executive actions, and private initiatives as inadequate protection for America's critical assets. As more industries move increasing amounts of information online, the need to establish consumer safeguards becomes crucial. Identified as one of the vital areas of America's infrastructure, the banking and financial industry is a key component of U.S. security. Three major statutes address some form of cybersecurity for consumer data: the Sarbanes-Oxley Act (SOX) of 2002, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, and the Gramm-Leach-Bliley Act (GLBA) of 1999. These laws establish criminal and civil penalties for corporations that fail to safeguard consumer information in the respective areas of public companies, personal health information, and financial services (Rishikof & Lunday, 2011). Unfortunately, they largely prescribe outcomes and program requirements rather than specific technical safeguards, leaving private companies to determine what controls are appropriate.
Arguments against Government Intervention
Arguments against government involvement in cybersecurity have taken a number of approaches, from privacy concerns to the fear of regulations that would saddle corporations with costly and burdensome safeguards (Rizzo, 2012). The common theme among many of these arguments, however, is that the U.S. government is simply unable to keep pace with rapid advancements in information technology. Computing and networking technologies continue to advance rapidly, and the same holds true for both safeguards and methods of attack. The moment new technologies are introduced to the public, flaws are quickly identified and the tools are turned to unintended and illicit purposes.
In almost direct contrast to this rapid advancement is the rate at which the U.S. government has been able to draft and pass legislation to protect this infrastructure. While several bills have been presented to Congress over the last few years, no comprehensive legislation has made it into law. This was evident when the Cybersecurity Act of 2012, Congress' last major initiative addressing this issue, failed a procedural (cloture) vote in the U.S. Senate in August 2012 (Newmeyer, 2012). To date, it would seem the U.S. government is either unwilling or unable to take the lead on safeguarding America's cybersecurity.
Methods of Government Intervention
The Congressional Research Service recently reported that no single congressional committee or federal agency has primary responsibility for cybersecurity. Historically, this has resulted in the introduction of a variety of competing bills and executive orders with no unifying policy. The 112th Congress alone introduced 30 separate pieces of disparate and sometimes competing legislation (Newmeyer, 2012). In response to this inaction, the executive branch has offered an alternative to congressional action in the form of presidential directives. Although more unified and complete than the competing bills, executive orders lack the capacity to appropriate funds for any initiative. Executive orders and congressional legislation have been the two traditional avenues of government intervention in the realm of cybersecurity.
Legislative
Although there have been many iterations of cybersecurity legislation, the most comprehensive of these bills was the Cybersecurity Act of 2012. Proponents argued the statute would have created a framework for information sharing between the public and private sectors, increased safeguards for critical infrastructure, and established the Department of Homeland Security as the lead agency for the federal government's cybersecurity (Rizzo, 2012). Although the bill was supported by the President, it was ultimately defeated in the U.S. Senate. Critics argued that it provided inadequate privacy protection for American citizens and would have required costly safeguards for the private sector (Cybersecurity bills advance, 2012). Although the Cybersecurity Act of 2012 represented the latest and by far the most comprehensive bill brought before Congress, it was not the only cybersecurity bill introduced in 2012.
Other major bills included the Cyber Intelligence Sharing and Protection Act (CISPA), which would have streamlined information exchanges between the public and private sectors. Although the bill passed the House of Representatives, President Obama threatened to veto it over privacy concerns. Another was the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 (SECURE IT), intended to foster voluntary information sharing while also increasing penalties for cybercrimes. Lastly, the Federal Information Security Amendments Act of 2012 would have increased the federal government's responsibility to update its own cybersecurity defenses (Cybersecurity bills advance, 2012). Although a multitude of bills were presented in 2012, none represented a broad approach to combating cyberattacks. As a result, the executive branch, led by President Obama, has taken the initiative to address the threat through executive action.
Executive
Although Congress is the governmental body tasked with drafting legislation, the executive branch also has the ability to shape policy directly. It is within the purview of the Office of the President to issue executive orders on a number of issues. The latest of these directives was signed by the President just prior to his 2013 State of the Union address. In the executive order, President Obama outlined a foundation that begins by designating the Department of Homeland Security as the federal government's primary agency for cybersecurity initiatives and standards. The directive went on to outline a voluntary approach to information sharing and network defense between the public and private sectors. The policy would give private companies that maintain critical infrastructure components the ability to view classified data on emerging cybersecurity threats (Sternstein, 2013). Even if this policy is a step in the right direction, the administration itself acknowledges that the order lacks the authority of congressional legislation. Although executive orders provide the President with a tool to act unilaterally on matters of national importance, there has historically been debate over the strength of these directives (Relyea, 2008). Executive orders cannot appropriate federal money to be spent on cyber defenses, nor can they force corporations to spend private funds. Moreover, critics and advocates alike are quick to point out that any cooperation with this new presidential directive is voluntary on the part of the private sector.
Ultimately, no one knows how many companies will elect to take part in the program. To address this issue, the executive order directs federal agencies to research incentives and penalties under current laws that could help drive compliance in the private sector (Sternstein, 2013). The executive branch, like the legislative branch, understands the precarious position of dictating to corporations. Many members of Congress have already expressed reservations about supporting even voluntary safeguards, fearing they could eventually be converted into mandatory requirements. President Obama hopes that issuing clear guidance on the issue of cybersecurity will buy time for Congress to act and for the private sector to realize the need for comprehensive reform. Unlike many of the bills considered in Congress, however, this new direction from the executive branch already has support from the American Civil Liberties Union, indicating that privacy concerns have been addressed on at least some level (Sternstein, 2013).
Government Regulation of the Private Sector
Loosely defined, "cybersecurity" represents the collective measures taken to protect information technology from attack (Rishikof & Lunday, 2011). This encompasses a wide array of hardware, software and personnel defenses. From access controls and cryptography to background investigations, defending against cyber-related threats involves a multi-layered approach of overlapping controls, so that the failure of any single control does not compromise the whole. As in most organizations, the key to an effective security posture is balancing security against usability and cost. Unfortunately, all too often accessibility and expediency override an effective defense. In the absence of a clear national cybersecurity policy, corporations have instituted varying degrees of security when it comes to the protection of their networks and computer systems. As Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University, points out, there are simply too many variables in network security to leave it to uncoordinated individual action (Etzioni, 2011). Allowing the private sector, especially corporations of national importance, to decide what level of cybersecurity to enact is not the most secure option.
Should the U.S. government finally come to a consensus on a list of "best practices" for corporations, one option for the private sector is always noncompliance. Whether purposeful or accidental, failure to comply holds the potential for catastrophic consequences for the United States. The Cox Commission report issued by the U.S. House of Representatives detailed the extent of military espionage conducted by the Chinese government alone. From the exfiltration of information on America's nuclear arsenal to the more recent theft of top secret plans for the F-35 Joint Strike Fighter, nearly all major U.S. defense contractors have been breached in recent history (Etzioni, 2011). The bottom line is that failure to comply with at least a minimum level of cybersecurity safeguards continues to place the nation's security at risk.
Meeting the Minimum Standards
Previous attempts at instituting cybersecurity legislation have been met with significant opposition in the private sector. The rationale for this resistance includes everything from a fear of restrictive safeguards to expensive, unfunded mandates for security reform (Etzioni, 2011). Many corporations view cybersecurity as a national security issue that should therefore be funded by the U.S. government. As a result, many companies institute minimal or even inadequate protections for their networks. The fact remains that a networked system is only as strong as its weakest link. Numerous distributed denial-of-service (DDoS) attacks have shown just how much damage poorly protected computers can do once compromised and aggregated against a target. Hackers and hacktivists alike have turned to this technique to wage a costly and effective war against everyone from banks to governments (Kitten, 2013). Without an enforceable minimum set of security standards, the entire national cyber infrastructure remains vulnerable.
According to security experts, the current incentives for the private sector to voluntarily safeguard their networks are not sufficient. Credit card reform in the 1970s is often cited as an example where mandatory government regulation of liability for fraudulent charges brought about sufficient consumer protections (Etzioni, 2011). Although effective in instituting a minimum level of safeguards, laws do not traditionally foster an environment where the private sector is motivated to go above and beyond the bare minimum. To truly get the private sector invested as a cybersecurity partner, the legislative and executive branches have argued that a higher level of data exchange is required. This was most evident in the latest executive order, which outlined the ability for corporations to view classified information on relevant cybersecurity threats. The rationale is that if industries could see the true threat before it materializes, they would be both motivated and better positioned to defend their infrastructure.
Private Industry’s Responsibility
On the surface, it would seem that corporations should feel a vested interest in ensuring their networks are sufficiently protected from cyber threats. Cybercrime has cost the private sector a significant amount of revenue in immediate damages, lost investment in research and design, and damaged reputations. Unfortunately, this has not led to a strong commitment to cybersecurity. Economists would argue that corporations owe their immediate loyalty to their shareholders, not to national security. Many companies in capitalist societies believe in a laissez-faire approach to business that runs contrary to government regulation. The fact remains, though, that the U.S. private sector maintains a large portion of the nation's critical infrastructure and national security apparatus. According to Etzioni, "corporations manufacture most of the nation's arms, produce most of the software and hardware for the computers the government uses, and under contract with the government carry out many critical security functions including the collection and processing of intelligence..." (2011, p. 58).
In the absence of a core cybersecurity effort by the private sector, a government-led partnership seems the most realistic answer. Regrettably, history continues to demonstrate that the U.S. government has simply been unable to keep pace with the rapid advancement of technology. This lends more credence to the theory that active corporate involvement in the implementation of network security is critical to an effective policy. As public and private organizations alike rely more heavily on information technology, corporations must move cybersecurity from a supporting function to a core business operation (Rishikof & Lunday, 2011). It is difficult to imagine a secure United States without corporate responsibility in the cyber realm.
Conclusion
Instituting a national cybersecurity program continues to be a long and arduous journey for the United States. Although simply acknowledging the threats, vulnerabilities, and risks to the U.S. is a beginning, it is a long way from any lasting proposal. Information sharing must become a priority for all sides of the issue. Corporations and individuals must be given adequate incentives to motivate a sufficient level of activity. Additional consensus must be reached between the public and private sectors if any effective policy is to be considered. Cybersecurity should leverage the strength of government legislation combined with the flexibility of corporate initiatives. This can be done in incremental stages, but it must first begin with a comprehensive and agreed-upon cybersecurity framework.
References
Cybersecurity bills advance in House, Senate. (2012). Issues in Science & Technology, 28(4), 23-24. Retrieved from http://www.issues.org/
Etzioni, A. (2011). Cybersecurity in the private sector. Issues in Science & Technology, Fall, 58-62. Retrieved from http://icps.gwu.edu/files/2011/10/cyber.pdf
Harknett, R. J., & Stever, J. A. (2009). The cybersecurity triad: Government, private sector partners, and the engaged cybersecurity citizen. Journal of Homeland Security & Emergency Management, 6(1), 1-14. Retrieved from http://www.degruyter.com/view/j/jhsem
Kitten, T. (2013). Hacktivists threaten more DDoS attacks. Bank Info Security. Retrieved from
Newmeyer, K. P. (2012). Who should lead U.S. cybersecurity efforts? PRISM Security Studies Journal, 3(2), 115-126. Retrieved from http://www.ndu.edu/press/prism.html
Relyea, H. C. (2008). Presidential directives: Background and overview. CRS Report for
Rishikof, H., & Lunday, K. E. (2011). Corporate responsibility in cybersecurity. Georgetown Journal of International Affairs, 12(1), 17-24. Retrieved from http://journal.georgetown.edu/
Rizzo, J. (2012). Cybersecurity bill fails in Senate. CNN. Retrieved from http://www.cnn.com/2012/08/02/politics/cybersecurity-act
Sternstein, A. (2013). Obama's cyber executive order lays foundation for mandatory regulations. Nextgov. Retrieved from http://www.nextgov.com/cybersecurity/2013/02/obamas-cyber-executive-order-lays-foundation-mandatory-regulations/61267/?oref=nextgov_today_nl
Zhen, Z. (2011). Cyberwarfare implications for critical infrastructure sectors. Homeland Security Review, 5(3), 281-295. Retrieved from http://www.calu.edu.