Cybersecurity: Will We Ever Be Safe?
Hacking attacks are estimated to cost the global economy a whopping $400 billion each year. With recent attacks on Sony and U.S. Central Command, it seems like nothing online is completely safe. The United States is scrambling to improve cybersecurity and prevent attacks that could otherwise have major impacts on national security, the economy, and personal safety. Here’s what you need to know about cybersecurity policy, government efforts, and what to expect in the future.
What is cybersecurity?
In the increasingly digital world with an ever-growing e-commerce sector, cybersecurity is of vital importance. Cybersecurity is a broad concept that resists a precise definition; it involves protecting computers, networks, programs, and data from cyber threats. Cybersecurity can help protect privacy and prevent unauthorized surveillance and use of electronic data. Examples of cyberattacks include worms, viruses, Trojan horses, phishing, stealing confidential information, and control system attacks. Because of it loose definition, it is hard for the government to regulate how businesses should protect their systems and information. A number of different measures are used to ensure at least a basic level of cybersecurity.
How does cybersecurity work?
Cybersecurity helps to prevent against the risks associated with any cyber attack, which depend on three factors:
- Removing the threat source. Determining who is attacking can indicate what kind of information or advantage they are seeking to gain. Cyberattacks may be carried out by criminals, spies, hackers, or terrorists, all of whom may do it for different reasons.
- Addressing vulnerabilities through improving software and employee training. How people are attacking is important in trying to set up the best cybersecurity possible. This can be likened to an arms race between the attackers and defenders. Both try to outsmart the other as the attackers probe for weaknesses in their target. Examples of vulnerabilities include intentional malicious acts by company insiders or supply chain vulnerabilities that can insert malicious software. Previously unknown, “zero day” vulnerabilities are particularly worrisome because they are unknown to the victim. Since they have no known fix and are exploited before the vendor even becomes aware of the problem, they can be very difficult to defend against.
- Mitigating the damage of an attack. A successful attack may compromise confidentiality, integrity, and even the availability of a system. Cybertheft and cyberespionage might result in the loss of financial or personal information. Often the victims will not even be aware the attack has happened or that their information has been compromised. Denial-of-service attacks can prevent legitimate users from accessing a server or network resource by interrupting the services. Other attacks such as those on industrial control systems can result in destruction of the equipment they control, such as pumps or generators.
Examples of common cybersecurity features include:
- Firewall: a network security system to control incoming and outgoing network traffic. It acts as a wall or barrier between trusted networks and other untrusted networks.
- Anti-virus software: used to detect and prevent computer threats from malicious software.
- Intrusion Prevention System: examines network traffic flows to prevent vulnerability exploits. It sits behind the firewall to provide a complementary layer of analysis.
- Encryption: involves coding information in such a way that only authorized viewers can read it. This involves encrypting a message using a somewhat random algorithm to generate text that can only be read if decrypted. Encryption is still seen as the best defense to protect data. Specifically, multi-factor authentication involving a two-step verification, used by Gmail and other services, is most secure. These measures (at least for the time being) are near impossible to crack, even for the NSA.
Watch the video for a basic overview of cybersecurity.
What is the role of the federal government in cybersecurity?
Most agree the federal role should include protecting federal cyber systems and assisting in protecting non-federal systems. Most civilians want to know online shopping and banking is secure, and the government has tried to help create a secure cyber environment. According to the Congressional Research Service, federal agencies on average spend more than 10 percent of their annual IT budget on cybersecurity measures.
There are more than 50 statutes that address various issues of cybersecurity. While much legislation has been debated in recent years, no bills have been enacted. The most recent and significant cybersecurity legislation came in 2002 with the passage of the Federal Information Security Management Act (FISMA), which requires each federal agency to implement and report on cybersecurity policies.
Over the past several years, experts and policymakers have shown increasing concern over protecting systems from cyberattacks, which are expected to increase in both severity and frequency in the coming years. Most proposed legislation and executive branch action with regard to cybersecurity focus on immediate needs, such as preventing espionage and reducing the impact of successful attacks. Historically there has been an imbalance between the development of offensive versus defensive capabilities. Coupled with slow adoption of encryption technologies, many programs were vulnerable to attack. While the cybersecurity landscape has improved, needs still exist with regard to long-term challenges relating to design, incentives, and the environment. Overcoming these obstacles in cybersecurity remains a challenge.
Developers of software or networks are typically more focused on features than the security of their product. Focusing primarily on the product’s features makes sense from an economic standpoint; however, shifting the focus away from security makes these products more vulnerable to cyberattacks.
The distorted incentives of cybercrime make it hard to prevent. Cybercrime is typically cheap, profitable, and relatively safe for criminals. In contrast, cybersecurity is expensive, often imperfect, and companies can never be certain of the returns on the investments they make in cybersecurity.
Cybersecurity is a fast-growing technology. Constantly-emerging properties and new threats complicate the cybersecurity environment. It is very difficult for the government or private companies to keep up with the pace of changing technology used in cyberattacks. What laws and policies do exist are almost always out of date given the rapid pace of change in cybersecurity.
Watch the video below for an overview of the difficulties of cybersecurity policy.
Has President Obama taken any action on cybersecurity?
With recent attacks and data breaches at Sony, Target, Home Depot, and the Pentagon’s Central Command, the need for toughened cybersecurity laws has been highlighted. Cybersecurity is an issue where both sides of the political aisle see the need to work together. It is clear that a comprehensive policy playbook is needed to guide the government’s response to such serious cyberattacks.
On January 13, 2015, President Obama announced a new cybersecurity legislative proposal, which consists of three parts:
- Enabling cybersecurity information sharing: The proposal enhances collaboration and cybersecurity information within the private sector and between the private sector and the government. The proposal calls for the private sector to share cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). Sharing information about cyber threats with the NCCIC would shield companies from liability. The bill would require the Department of Homeland Security to share threat information as quickly as possible with other agencies like the FBI or NSA. The proposal would also require private entities to comply with privacy restrictions like removing unnecessary personal information and taking measures to protect any personal information that must be shared.
- Modernizing law enforcement authorities to fight cybercrime: This ensures that law enforcement has the proper tools to investigate and prosecute cybercrime. These provisions would criminalize the sale of stolen U.S. financial data, expand authority to deter selling of spyware, and shutdown programs engaged in denial-of-service attacks. Other components criminalize various cybercrimes.
- National data breach reporting: Many state laws require businesses that have suffered from breaches of consumer information to notify consumers. The proposed legislation would simplify and standardize these existing state laws. The proposal would also put in place a timely notice requirement to ensure companies notify their customers about security breaches.
Watch the following video for an outline of President Obama’s plan.
On January 16, 2015, President Obama and British Prime Minister David Cameron promised to cooperate with regard to cybersecurity. Cameron expressed concerns about encryption technologies that might make it easier for would-be terrorists to avoid detection. Cameron hopes to outlaw certain forms of encryption. President Obama did not as easily dismiss privacy concerns, but did state that he believes the government can do a better job of balancing both privacy and security.
Why is it hard to implement effective cybersecurity policy?
Congress has tried for years to pass legislation encouraging companies to share information from cyberattacks with the government and with each other; however, liability issues and privacy concerns stopped such laws from passing. Many privacy advocates are speaking out against President Obama’s proposed legislation for the same reasons. They fear that such information-sharing legislation could further the government’s surveillance powers. Some groups caution that substantial National Security Agency reform should come before considering any information-sharing bill. Privacy concerns such as these have made it difficult to pass cybersecurity packages in Congress in the past; however, the recent Sony attack may prove to be a game changer in passing new cybersecurity bills.
Even if President Obama and Congress can implement the above changes, it will still be difficult for the government to enact more effective policy changes. Technology can easily mask the identity or location of those organizing cyberattacks. This can make identifying and prosecuting those responsible near impossible. Justifying an appropriate response to attacks is even harder.
Legislatures and citizens also tend to be kept in the dark due to extreme security regarding a country’s cyber capabilities. Edward Snowden’s revelations about the NSA sparked public interest in cybersecurity and in the extent of the government’s capabilities. But still, information regarding the U.S.’ cyber policies remains classified and not open to general discussion. Without transparency, it is hard to exercise oversight or explain to the public the government’s cybersecurity activities.
Critics also contend that President Obama’s proposal leaves large gaps in cybersecurity policy. The policy fails to establish ground rules for responding to cyber attacks once they have occurred and it remains unclear how the United States might respond to cyberattacks against government networks or even private sector entities like Sony. While attacks may be criminalized, prosecuting these cases with limited evidence is difficult.
A recently uncovered 2009 U.S. cybersecurity report warned that the government was being left vulnerable to online attacks because encryption technologies were not being implemented fast enough. While the country has come a long way since 2009 there is still much room for improvement. A 2015 review of the Department of Homeland Security stated that:
DHS spends more than $700 million annually to lead the federal government’s efforts on cybersecurity, but struggles to protect itself and cannot protect federal and civilian networks from the most serious cyber attacks.
More needs to be done in the realm of cybersecurity to prevent against cyberattacks. While less legislation may have worked in the past, the scale of recent cyberattacks shows the vast potential for damage to the government, companies, and individuals. President Obama’s recent proposal may be a good start, but more long-term policies are needed to protect citizens from serious cyberattacks. No cybersecurity solution is permanent, so public policy must constantly evolve to suit the needs of its citizens in the cyber realm.