Time is running out for the United States to address issues of inadequate cyber security. Critics have long warned that the U.S. is “facing the possibility of a ‘cyber-Pearl Harbor’” if action is not taken. (See Note 1). These warnings are not made lightly. Mass-scale cyber warfare consisting of multiple simultaneous attacks aimed at targets within the United States is inevitable. The threat of successful attacks is all too real. All private, public, and government actors are at risk. No party is safe. One only has to open a newspaper, turn on the television, or read online news headlines to be informed about the latest attacks and breaches. One must remember that these are just the attacks and breaches that have been reported or made available to the public. Countless others go unreported or are non-public information. (See Note 2). These attacks cost companies and private actors millions of dollars in damages. (See Note 3). Compare that to attacks on critical cyber infrastructure, which could inflict far more than just financial losses.
The news has been consistent in reporting on the latest breaches and providing updates on previous breaches. Every week we are inundated with news about the latest to fall victim. This past summer witnessed a string of breaches at industry giants such as Yahoo, LinkedIn, and Gamigo. (See Note 4). The attacks continued and more companies, government actors, and private parties fell victim. Recently it was Apple and Burger King. (See Note 5 and Note 6). And how could anyone have missed the headlines regarding state-sponsored hackers from China that inundated the news for the past two weeks?
Given the pervasiveness of attacks and successful breaches, it is clear that the topic of national cyber security is extremely relevant and demands attention. This timely issue needs to be adequately addressed. President Obama issued an executive order earlier this month regarding cyber security and protecting the nation’s critical cyber infrastructure. (See Note 7). While this step was in the right direction, many critics feel the order falls drastically short. For example, critics have emphasized the problems associated with relying on non-mandatory recommendations rather than including mandatory requirements for all participants. (See Note 8).
Shortly after Obama’s executive order was made public, a proposal to reintroduce the Cyber Intelligence and Sharing Protection Act (CISPA) was made. (See Note 9). As you may recall, back in 2012 CISPA was approved by the House but never approved by the Senate. While the President’s executive order calls for a general method of sharing information for the purpose of protecting national security with regard to cyber infrastructure, CISPA specifically calls for the sharing of information between the private sector and the government sector. However, many critics, such as the ACLU, feel that CISPA infringes on civil rights. (See Note 9).
More productive and proactive actions must be taken. Non-mandatory executive orders are an inadequate means of addressing current cyber threats to national security. It makes no sense that the country is not actively pursuing more viable options. Even entrepreneurial security start-ups are flourishing and capitalizing on the current state of fear and general unpreparedness. (See Note 10). So when will the United States as a whole wake up and stop prolonging the inevitable? Action needs to be taken now. Not later. Threats to national security should be a top concern.
One does not have to look far to confirm the various threats to national security from cyber attacks. The issue is not solely a problem plaguing corporations and private parties. Instead, national security is at risk via breaches of databases and critical control systems. For instance, the State Department has been battling the hacker group Anonymous after a cyber war was ignited stemming from the apparent suicide of one of its group members, Aaron Swartz. (See Note 11). Also, and perhaps the most significant recent hacking news regarding national security, are the attacks alleged to be state-sponsored by the Chinese military. Whether the Chinese government actually sponsored the attacks or can legitimately assert plausible deniability remains unknown. For now, the Chinese government outwardly denies these allegations. (See Notes 12, 13, and 14).
With CISPA seeing renewed interest, it could be possible to direct attention to resurrecting other defeated bills. One possibility is to revive the long-defeated Cyber Security Bill of 2012. There were many shortcomings in the current executive order and the old language of the 2012 bill. However, with some cooperation and forward thinking, appropriate revisions could be made. If enough support could be garnered, then there stands a chance of properly protecting the country’s cyber infrastructure from cyber threats. Other previous suggestions include a Cyber Arms Treaty, imposing trade sanctions, or possibly imposing fines. (See Note 15 and Note 16). Individual cyber security pacts, similar to the United Kingdom’s pact with India, are also possible options. (See Note 17). Time will tell how the U.S. government will address the issue, and more importantly, if it will be in time.
For additional information please email Ian N. Friedman, Esq., Friedman & Frey, L.L.C., at firstname.lastname@example.org or visit www.faflegal.com.
1. Craig A. Newman & Daniel L. Stein, A need for clearer disclosure rules after cyberattacks, NYTIMES.COM (2012), http://dealbook.nytimes.com/2012/11/09/a-need-for-clearer-disclosure-rul….
2. Cyberattacks: Why companies keep quiet, CNBC.COM (2013), http://www.cnbc.com/id/100491610/print.
3. In 2010 alone, “[d]ata breaches cost U.S. companies $214 per compromised customer” with an average per-incident cost of $7.2 million as well as incalculable damage to brand image and reputation. Randy George, Reports: Database Defense, INFORMATIONWEEK.COM (2011), http://reports.informationweek.com/abstract/21/7616/Security/database-de…
4. For additional information see Ian Friedman, Gamigo Breached: Online Gamblers Lose More than Just Their Hard Earned Money, snaptwig.com (2012), http://snaptwig.com/article/gamigo-breached-online-gamblers-lose-mor…; Ian Friedman, LinkedIn and eHarmony Hacked: Can I please get some salt to go with that hash?, snaptwig.com (2012), http://snaptwig.com/article/linkedin-eharmony-hacked-can-i-get-some-…; Ian Friedman, Yahoo and Formspring Hacked Just One Month After LinkedIn & eHarmony Targeted, snaptwig.com (2012), http://snaptwig.com/article/yahoo-and-formspring-hacked-just-one-mon…; Ian Friedman, Billabong and Nvidia Hacked: It Seems Companies Cannot Protect Their Users, snaptwig.com (2012), http://snaptwig.com/article/billabong-and-nvidia-hacked-it-seems-com….
5. Report: Apple hacked in “sophisticated” attack, SCMAGAZINE.COM (2013), http://www.scmagazine.com/report-apple-hacked-in-sophisticated-attack/ar….
6. Mathew J. Schwartz, BK hack triggers Twitter password smackdown, INFORMATIONWEEK.COM (2013), http://www.informationweek.com/security/attacks/bk-hack-triggers-twitter….
7. See Ian N. Friedman, Will State of the Union discuss Cyber Security Executive Order?, snaptwig.com (2013), http://snaptwig.com/article/will-state-of-the-union-address-discuss-….
8. For further explanation of the various criticisms of the Cyber Security Act please see Ian N. Friedman, Cyber Security Act fails in Senate: Yet even U.S. military admits vulnerability, snaptwig.com (2012), http://snaptwig.com/article/cyber-security-act-fails-senate-yet-even…; see also Ian Friedman, Cyber Security Act of 2012: Revised and Watered Down with Voluntary Participation, snaptwig.com (2012), http://snaptwig.com/article/2012-cyber-security-act-revised-and-wate….
9. Danielle Walker, Following cyber order from Obama, CISPA is back, SCMAGAZINE.COM (2013), http://www.scmagazine.com/following-cyber-order-from-obama-cispa-is-back….
10. Evelyn M. Rusli & Nicole Perlroth, Amid hacker attacks, security start-ups draw attention, NYTIMES.COM (2012), http://dealbook.nytimes.com/2012/09/05/amid-hacker-attacks-security-star….
11. Mathew J. Schwartz, Anonymous takes on State Department, more banks, INFORMATIONWEEK.COM (2013), http://www.informationweek.com/security/attacks/anonymous-takes-on-state….
12. David E. Sanger, et al., Chinese army unit is seen as tied to hacking against U.S., NYTIMES.COM (2013), http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied….
13. Chinese hackers allegedly disrupted a multibillion dollar foreign acquisition between Coca-Cola and a Chinese juice company. Michael J. De La Merced, Accusations of Chinese hacking in Coke’s failed big deal, NYTIMES.COM (2013), http://dealbook.nytimes.com/2013/02/19/accusations-of-hacking-in-cokes-f…. The U.S. has recently focused specifically on addressing the issue of hackers compromising trade secrets. See J. Nicholas Hoover, U.S. trade secret strategy targets hackers, INFORMATIONWEEK.COM (2013), http://www.informationweek.com/government/security/us-trade-secret-strat….
14. Danielle Walker, Report on China spy threat may make attackers have to work harder, SCMAGAZINE.COM (2013), http://www.scmagazine.com/report-on-china-spy-threat-may-make-attackers-….
15. Mathew J. Schwartz, The case for a cyber arms treaty, INFORMATIONWEEK.COM (2012), http://www.informationweek.com/security/government/the-case-for-a-cyber-….
16. Danielle Walker, U.S. may rely on trade sanctions, fines to curb foreign cyber spy threat, SCMAGAZINE.COM (2013), http://www.scmagazine.com/us-may-rely-on-trade-sanctions-fines-to-curb-f….
17. Gary Flood, U.K., India sign cybersecurity pact, INFORMATIONWEEK.COM (2013), http://www.informationweek.com/security/management/uk-india-sign-cyberse….