Government Involvement in Private Sector Cybersecurity
Impacts of Cybersecurity Regulation
Conclusion
References
Introduction
Cybersecurity, in other words the protection of computers, computer networks and data from attack, disruption, damage, unauthorized use and a range of other malicious acts, has become one of the defining concerns of the modern information society. The main reason for this is that the world has grown increasingly reliant on computers and the Internet to perform a broad spectrum of tasks and actions, from the simple and frivolous to the most important and essential. On the one hand, our reliance on information technology has allowed us to be more productive, more economical, and more connected than before. On the other hand, it has also provided criminals and foreign enemies with more tools and opportunities to act on their desires. Accordingly, as information technology has become more essential to our work and daily life, so has the need for robust cybersecurity.
Government Involvement in Private Sector Cybersecurity
One of the unique features of cyberspace in the United States is that it is almost fully run or administered by the private sector. That is to say, unlike other essential elements of modern life, such as the provision of water, gas, electricity or even roads, bridges and buildings, the infrastructure of cyberspace, including the protocols that manage it, the software that runs it, and the hardware that accesses it, has all been provided by private companies. What the nation’s reliance on the private sector means for cybersecurity is that, rather than asking the police or the Army to take action against a threat, government officials are limited in the means they can use to get a private company’s support in implementing cybersecurity measures. Nonetheless, there are a number of clearly persuasive justifications for government involvement.
First, the Internet is a network of interconnected computers. Moreover, as technology advances, the connectivity between computers will only become more intensive. Accordingly, the division between public and private use is decreasing. A private sector application that compromises the personal computer of a government staffer may allow a foreign enemy to access his government phone when he comes home. In turn, when the staffer returns to work, the government system is at risk because the hacker has access to the device. In short, the nation’s cybersecurity is only as strong as its weakest link. Accordingly, if the private sector’s cybersecurity practices put the nation at risk, then the government will have not only a justification, but also a duty to get involved in improving private sector practices.
Secondly, as members of the national community, private sector companies have a lot to lose if the nation’s cybersecurity is compromised. Since the Internet is mainly run by private corporations, an enemy cyberattack, unlike traditional warfare, will likely target a private corporation. For instance, Google’s Gmail is one of the most popular e-mail applications in the world. To be sure, Gmail counts among its customers politicians, government leaders, journalists, and everyone else. Foreign enemies seeking to access a senator who opposes their government have targeted Google with cyberattacks in the hope that it would be easier and more efficient to access Gmail than to attack the Senate’s e-mail system. This is one of the reasons why Google decided to leave China in 2010, and why it has upgraded its Gmail security to make it one of the more secure e-mail applications. It is worth noting that while Google came to its understanding of cybersecurity the hard way, other private corporations that lack similar experiences might not have come to the same conclusion without strong governmental suggestion.
The government has implemented a number of ways of assisting the private sector in increasing its cybersecurity. Firstly, with such cyber-oriented government resources as the National Security Agency (NSA) and the Department of Homeland Security’s Computer Emergency Response Team (CERT), the state can not only provide technical assistance and training, but also respond to many incidents (USCERT, 2015). Secondly, the government can share information that it has obtained regarding cyberattacks with private industry to give it the means to stop an attack or mitigate its damage. Similarly, it can encourage private corporations to share information that they obtain with the state, to give the government the information it needs to implement an appropriate defense or response. To help facilitate such information sharing, Congress recently passed, and the president signed, the Cybersecurity Act of 2015 (Kerr, 2015). Under one of the provisions of the law, private corporations are allowed to share relevant information about a cyberattack with the government. Moreover, the law also provides corporations with limits on the liability that might arise if the information shared violates privacy laws.
Impacts of Cybersecurity Regulation
Despite the passage of the Cybersecurity Act, its impact on the regulation of private sector cybersecurity will likely be limited. Firstly, its main cybersecurity focus is on facilitating information sharing between the private sector and the state. Moreover, its information sharing provisions are voluntary. Thus, private corporations that share information will be exempted from liabilities that may arise if the shared information violates a privacy regulation.
Outside of the Cybersecurity Act, there is no overarching federal cybersecurity legal framework that requires private actors to upgrade or improve their cybersecurity. Instead, just as with the Cybersecurity Act, there are a number of single-subject laws and statutes that cover specific elements of cybersecurity (Fischer, 2013). For example, the main federal cybercrime law, the Computer Fraud and Abuse Act (CFAA), attempts to improve cybersecurity by increasing the penalties that can be imposed on cybercriminals if or when they are caught.
Accordingly, given the lack of cybersecurity regulation and the fact that the regulation is voluntary, whether a private corporation follows government guidelines or not does not suggest that there will be any impact on national security. To be sure, the government’s cybersecurity initiatives provide few incentives or penalties that would lead private corporations to do anything other than continue what they have always done, namely provide cybersecurity for their own reasons. These reasons may include self-preservation, as in the Google case, or marketing or shareholder protection, on the reasoning that a company will lose customers if it does not provide cybersecurity. Whatever the reason that companies choose to improve their cybersecurity, and despite the common interests, national security does not seem to be the decisive factor.
This raises the question: do private corporations have a responsibility to protect national security? On first thought, as mentioned, it seems that they would have such a responsibility, especially given the interconnectivity of the Internet and its control by the private sector. On the other hand, some of the most impressive cybersecurity protections, such as automatic encryption and two-factor authentication, have come from the private sector of its own accord, without assistance from the state. Moreover, implementing cybersecurity is not free; however, there seems to be little government interest in providing funds or reimbursements for the private corporations that do the hard work of creating and securing the Internet.
Conclusion
While it is clear that cybersecurity problems currently pose, and will continue to pose, a major threat to the nation’s security, the government’s efforts to improve its regulation have left much to be desired. Although private corporations have a role to play in improving cybersecurity methods, tools and procedures, the government needs to lead from the front rather than from behind the efforts of private corporations.
References
Fischer, E.A. (2013, Jun. 20). Federal law relating to cybersecurity: Overview and discussion of proposed revisions. Retrieved from https://www.fas.org/sgp/crs/natsec/R42114.pdf
Kerr, O. (2015, Dec. 24). How does the Cybersecurity Act of 2015 change the Internet surveillance laws? Retrieved from https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/12/24/how-does-the-cybersecurity-act-of-2015-change-the-internet-surveillance-laws/
U.S. Computer Emergency Response Team (USCERT). (2015). Retrieved from https://www.us-cert.gov/about-us