The future of US cybersecurity legislation is not without obstacles: private industry resents increased government intervention, and the government assesses that the private sector fails to provide a level of security commensurate with the potential damage caused by compromise of national critical infrastructure. Current legislation often focuses on milestones rather than the end state, and offers little in the way of incentives to offset the increased cost and effort private industry would incur to employ better cybersecurity.
Government Regulation of Private Industry Cybersecurity Standards
Introduction
The line between the public and the private sector is not as distinct as it once was. The September 11, 2001 terrorist attacks in New York City and Washington DC solidified the need for emphasis on national security, and globalization has affected the way the government and commerce interact in regulatory, financial and security matters. There are numerous examples of the confluence of government and private industry: defense contractors, financial institutions, and equipment and service providers (arms, computers, internet and telecommunications).
None are of greater national security significance than critical infrastructure. United States critical infrastructure includes the electrical, water, nuclear, and chemical sectors. In the last three years attacks against US infrastructure have increased sharply, with 82 attacks on the electrical grid in the last year alone (Goldman, 2013). Private industry resents increased government intervention in the form of regulations, laws and rules, and the United States government assesses that the private sector is not providing a level of security commensurate with the potential damage caused by system compromise.
Ideally, the public and private sectors should come together to conduct a national vulnerability assessment, discuss subsidies for critical infrastructure cybersecurity upgrades, and provide incentives for businesses to invest the time and money in protecting those assets deemed significant to national security. Unfortunately, it is more likely that government intervention in private industry will remain a contentious issue, and failure to take proactive steps to secure critical infrastructure and information may have disastrous effects.
Globalization
Globalization has affected nearly every major discipline: sociology, psychology, economics and politics, to name a few. No matter the area affected, the impetus remains the same: exponential growth in technology, greater ability for international travel, and increased availability of information via media such as telephones, broadcast media, and the Internet. Globalization, accelerated by the worldwide proliferation of the Internet, has had a profound effect on United States politics and commerce, and has resulted in an imprecise distinction between the public and private domains.
Like traditional commerce before it, e-commerce has expanded beyond US borders, and as such is subject to both national and international regulations and laws. It is illogical to think companies would be allowed to operate with complete autonomy, without some level of federal oversight, and for the most part they do not. One exception is e-commerce, which is still essentially in its infancy and evolves so rapidly that US legislation has not been able to keep pace.
Only over the last 20 years or so, beginning with the Computer Fraud and Abuse Act of 1986, have the executive and legislative branches attempted to address cybersecurity regulation. No organization, public or private, is impervious to threats in the digital age. Neither government nor private industry can hope to mitigate the numerous and rapidly evolving threats through regulation or innovation alone. The US strategy must be a balanced one, of “economic innovation, networked sovereignty, and integrated security” (Hart, 2012, p. 1).
Government Involvement and Private Industry Opposition
Cybercriminals, hackers, and state-sponsored “cyber warriors” target United States infrastructure and information in both the public and private sectors. The defense of these targets cannot fall to only one or the other, as they reside within both. Considerable portions of the private sector refuse to employ cyber defenses, stating they should not be required to absorb the costs of doing so. There is a fine line between US government over-regulation that may stifle creativity and the provision of a necessary regulatory framework for national cybersecurity standards.
According to Etzioni (2011), a 2009 Lieberman Software survey of information technology executives found that businesses employed limited cybersecurity measures, and even then incorporated only those that provided cost savings, with little to no regard for protecting information. The Center for Strategic & International Studies (CSIS) indicated that between 1999 and 2009 the private sector operated with little government oversight, and during that period the “market failed to secure cyber space” (Etzioni, 2011).
The government believes that, were private industry left to its own devices, businesses would focus primarily on the bottom line and on pleasing their shareholders rather than on protecting information and infrastructure. Although the ability and freedom to prosper is a key tenet of the American system, a sole focus on the profit margin is often achieved at the expense of consumer privacy and information security.
Without standards, regulations, laws and the organizations that enforce them, there is nothing to deter businesses from selling consumer data to third parties, or from failing to secure the information altogether through lax cybersecurity controls. The counterpoint to the government's argument is that forcing businesses into cybersecurity compliance impedes their ability to innovate. Rahn (2011) lists a number of examples of how over-zealous government regulation stifles private sector growth.
For example, nuclear power was touted as the future of cost-effective electricity, yet government restrictions on types of power production have increased energy prices (Rahn, 2011). Businesses consider it inappropriate for the government to place such demands on private industry cyber standards – such as securing national critical infrastructure – a task traditionally viewed as a public sector responsibility (Etzioni, 2011). Etzioni (2011) also found that many in private industry regard federal regulation of their cybersecurity standards as a form of unfunded mandate, and demand that the government cover the cost of bringing them into compliance.
A separate but related issue is the actual nature of the threat, which many businesses assert is exaggerated by the government. Morozov (2009) cites a Central Intelligence Agency statement indicating that cyber-attacks have occurred against infrastructure in other countries. Critics of these cyber-scare tactics declare the threats cited by the CIA and the Department of Homeland Security to be extremely vague. Organizations such as these likely hold classified information suggesting that cyber threats such as attacks on the electrical grid are real, but critics note there is little in the unclassified realm to support these statements (Morozov, 2009).
Private industry claims of government exaggeration were quieted after the 2010 discovery of the Stuxnet worm, which attacked the uranium enrichment facility at Natanz, Iran. A Symantec Corporation report released in February 2013 found that early versions of Stuxnet were in development as early as 2005 and were deployed against Iran in 2007, three years earlier than previously thought (Finkle, 2013).
Applicable Federal Regulations
The United States, unlike countries such as China, Egypt, and Saudi Arabia, has a clearly delineated public and private sector.
Even so, many of the resources and services used by the US federal government are provided by private industry. This makes the application of federal regulations to both the public and private sector more difficult than it would be in, say, China, but also imperative. There are a number of US federal regulations and statutes that govern public sector information security, such as the Federal Information Security Management Act (FISMA), which provides standards for government organizations to use to ensure effective information security controls (Waleski, 2006).
To date, many of these regulations are not applicable to private industry, but there are those (mostly within the public sector) who believe they should be adopted by US businesses. Regulations such as FISMA make government agencies accountable for their cyber defenses, and require the agencies to report regularly on their cybersecurity activities (Waleski, 2006).
Private Industry's Role in National Security
The basic premise of federal cybersecurity regulations should be used as a foundation to draft legislation applicable to private industry security standards.
This is of even greater importance when applied to national security. The Federal Bureau of Investigation (FBI) has stressed that the protection of US critical infrastructure (CI), most of which resides within the private sector, is paramount to the United States' national security. A breach or disruption of CI, such as power generation, telecommunications, transportation, and financial institutions, could have devastating national consequences, affecting the government, business and the American people as a whole (Broadhurst, 2006).
Cyber attacks against critical infrastructure rose considerably between 2010 and 2011, and rose a further 52% between 2011 and 2012. The true numbers are likely much higher, as many attacks either go undetected or go unreported by private corporations (Goldman, 2013). Businesses often judge it to be in their best interest to avoid reporting cyber attacks, as disclosure may adversely affect the public's and shareholders' faith in the company. Should private industry remain averse to federal government involvement in its cybersecurity practices, public security will continue to pay the price.
According to Etzioni (2011), cyber raids also took place on defense contractors such as General Dynamics, Boeing, Raytheon and Northrop Grumman, and hackers, presumably backed by the Chinese government, stole plans for military aircraft. As cited in Etzioni (2011), the Select Committee on US National Security and Military/Commercial Concerns with China, also known as the Cox Commission, states that China has also “stolen classified information on all of the United States' most advanced thermonuclear warheads”.
Malicious code such as Stuxnet, Flame, Duqu, and Gauss enables sabotage and espionage not against government institutions per se, but against the software and hardware systems, created by private industry, that those institutions use (Finkle, 2013). In its 2013 report, Symantec Corp. described later versions of Stuxnet, which manipulate industrial control software created by Siemens AG. Additionally, the defense sector has suffered a number of high-profile cases of cyber espionage. In 2008, secure computers at US Central Command, the combatant command responsible for the wars in Iraq and Afghanistan, were broken into.
In 2007, attackers, likely state-sponsored hackers, stole several terabytes of information from the Department of Defense and the State Department (Etzioni, 2011). At first glance, these breaches appear to be a public sector issue only; however, as Etzioni (2011) points out, the computer systems and software used by DOD and DOS are created, maintained and serviced by the private sector.
Recommendations and Future Legislation
Security must be a collective priority. Existing public sector regulations, such as FISMA, can serve as a starting point for private industry legislation, although there are issues that must be addressed before doing so.
Current legislation often focuses on milestones agencies must meet in order to be deemed compliant, rather than articulating the end state and allowing the respective agency (or business) to determine how best to accomplish the goal. Existing regulations also tend to focus more on penalties for non-compliance than on rewards (such as financial incentives) for meeting the standard (Hart, 2012). Finally, even though ensuring the integrity of information systems related to national security is a task that should be shared by all, there are currently no public cybersecurity funds available to private industry (Etzioni, 2011).
The government cannot assert that security must be a collective priority and then place the financial burden solely on US corporations. An ideal way forward would be the formation of groups comprising representatives from both the US government and private industry, whose focus is conducting a national-level vulnerability assessment and using the results to craft applicable and proactive legislation that provides incentives for securing the nation's critical infrastructure.
Additionally, such a group would help craft an environment that fosters information sharing between the private and public sectors to develop best practices that ensure continued security. The Obama administration backed cybersecurity legislation last November (2012) that would have expanded the currently limited information sharing between intelligence agencies and private organizations, and would have set voluntary standards for companies responsible for the US electric grid, water treatment facilities and other critical infrastructure (Finkle, 2013).
The bill died in the Senate amid private sector allegations of over-regulation, and will likely be re-introduced to Congress in 2013. Until then, the President has signed an executive order that directs federal authorities to increase sharing of cyber-threat information, regardless of classification, to better protect critical infrastructure from cyber intrusion (Reed, 2012). Another recent proposal, the Consumer Data Notification Act, would require private institutions to report security compromises to the consumer and the Federal Trade Commission within 60 days.
This proposal hopes to create incentives for companies to fix security issues, but it has also encountered resistance from private industry, which feels it mandates public disclosure of their security vulnerabilities and may undermine consumer confidence (Finkle, 2013).
Conclusion
When unveiling his cybersecurity policy in 2009, President Obama stated, “let me be very clear: My administration will not dictate security standards for private companies” (Etzioni, 2011). The administration should not dictate security standards; however, neither should US businesses continue to operate with impunity.