What is the U.S. Government Cybersecurity Role in Private Industry?
At the epicenter of cybersecurity resides the difficult task of how organizations tackle security in every sense of the term. While many groups may argue that the United States Government has an obligation to enact laws and regulations that both assist and provide guidance in the cyber world, this is a highly debatable subject. In reality, business conducted via electronic means has advanced so quickly over the last ten years that legislation has fallen behind to the point that today the risks are vast. National security is at risk, and electronic cyber warfare is increasingly important and similar to the traditional responsibility of the United States Military to protect citizens from both domestic and foreign threats. To put the urgency of this matter into perspective within the private sector, all that is required is to reference the cyber-attacks upon Sony and its PlayStation Network in early 2011. Once the smoke cleared, the estimated financial impact was $170 million. Beyond the obvious financial impact to a business is the concern about consumers. It is clear that while security education is on the rise, basic security measures are ignored by many organizations for reasons that are not clear.
What better way to begin addressing the relationship between the United States Government and the private sector than turning to the Chief Executive Officer (CEO) of Northrop Grumman and his remarks on cyber-attacks? In September 2011, Wes Bush addressed an audience at the Aerospace and Defense Summit and stated that further regulations are warranted to address cyber security (Wutkowski, 2011). In today’s political climate, this statement is clearly in the minority, as many are now calling for less regulation. The need for regulations may be questionable, but the statement does set the stage for a debate on combating the problem at a level where a variety of interested parties will have a voice in the matter.
There have been partnerships that span the government to include cabinet-level departments, states, international countries, and over sixty private sector organizations. The purpose of this partnership, called Cyber Storm, is to identify threats, establish procedures, and address information sharing and lessons learned (Homeland Security, 2011). Cyber threats are not isolated to the private or public sector; therefore, partnerships such as Cyber Storm bring these sectors together to best address the ever-growing cyber threat.
Over the last decade, more and more regulations have become law that level the playing field and protect both businesses and consumers. Many individuals claim that the federal government has done nothing but intrude into private business, to a degree that businesses often believe the federal government has crossed the line (Fisch, 2004).
High Level Threat Overview
Cyber threats stem from a wide range of technologies as well as from what is arguably the greatest challenge: the individual. Only once these threats are defined and understood does the bigger picture come into focus. Verizon Security publishes its security findings each year, and Figure 1 demonstrates how the security mechanisms differ as well as outlining the landscape in which they occur (Baker, 2011).
While I understand the role of the government, the concern is that many regulations may not have been completely and appropriately addressed because technology is both complex and a moving target. For example, the U.S. Congress has taken up a bill that addresses personal data privacy and security, which on the surface sounds like a noble cause. The issue may be that Congress is not entirely capable of instituting the details, which will be executed within the affected entities across the nation. While this bill outlines legal authority and defines the roles clearly, it is not entirely clear on the details of implementation and execution. The most alarming part of this bill is that Internet Service Providers (ISPs) are mandated to keep 18 months of history on their customers. While the bill speaks to security, it does not provide meaningful and clear guidance, and if we continue to see data breaches like those that occurred in 2011, a breach of private data in this case will become the single greatest risk.
Often regulations lay the framework, but they fall short in properly addressing the underlying problem, and security is a moving target. To overcome this, the government should partner with business experts to address the shortcomings of regulations.
Businesses typically do a good job of protecting themselves, their employees, and their infrastructure, but often come up short in protecting consumers. In fact, consumers depend entirely too much on the organizations with which they conduct business to establish and provide proper security measures (Crews, 2007). Obviously, this dependency is fundamentally flawed, as seen when Sony PlayStation fell victim to a substantial cyber-attack.
This bill, as well as past and future regulations, will begin addressing both privacy and security as organizations begin to understand the scope of the risk. One argument is that anonymity contributes to the security problem, and there are those who believe individuals must be clearly identified, much as a driver’s license provides proper identification, for example (Crews, 2007). A modern-day example of taking identity seriously is Google+ and the restrictions it imposes when it comes to real and verifiable names, which in its own right has been surrounded by controversy. In order for the Internet to become a safer environment, we must undergo change, and there will be growing pains. While no one desires the “big brother” effect, our government is responsible for protecting its citizens.
Private Industry Responsibility
As a deeper dive into the private sector occurs, it becomes evident that this sector bears a large responsibility in terms of national security. In reality, the private sector provides services to the government and in many cases possesses information that, if it fell into the wrong hands, would substantially affect a number of areas. Take the military as an example: the dependency and relationship between the government and the private sector is very clear. The military secures aircraft, ships, weapons, and much more, all from private industry. Clearly, this industry must protect national security as well as work closely with the government to ensure this is accomplished.
Private Industry and Government Partnership
Private industry is clearly the single largest stakeholder in terms of finances, while the government's stake lies in public safety (Lin et al., 2007). In terms of roles and responsibility, the decision would vary depending on who is speaking. At the end of the day, private industry should bear the largest responsibility, with government regulations to assist. To drive home this point, the National Research Council (NRC) published a paper that outlines five key steps that address barriers to cybersecurity (Lin et al., 2007). From this publication came a proposal in terms of regulation titled the Cybersecurity Bill of Rights (CBoR). Should you ask if cybersecurity is at the point that government intervention is required, the answer is yes! According to Harry D. Raduege (2009),
Nearly every day our nation is discovering new threats and attacks against our country’s networks. Inadequate cybersecurity and loss of information has inflicted unacceptable damage to U.S. economic and national security. (p. 37)
The threat surrounding the nation’s cyber infrastructure is rooted in reality, and the future of cyber warfare is quickly becoming painfully disturbing. The lack of urgency will result in a detriment to the economy and national security. At the end of the day, the real issue comes down to the fact that companies do not believe that the government can help in resolving the problems that they face within the business segment (Homeland Security, 2005).
Real World Examples
Arguably, 2011 should be labeled the year of the hacker. Data breaches came from all types of private industries as well as governments across the globe. By the end of the third quarter of 2011, the list of victims of cyber-attacks contained large names, including McAfee, Sony, the Central Intelligence Agency (CIA), and many more (The Guardian, 2011). A deeper look into the scope of organizations that were impacted reveals that no one is safe. What is likely most distressing is the top three, which are hospitality, retail, and financial services. These three areas of business play an enormous role in the economy, and the associated risk is critical to an immense audience. In fact, the financial services group could potentially cause damage across the globe, not to mention the possibility of destroying individual investment opportunities or even retirement plans.
In order for the private sector and the government to provide the much-needed security measures, all sectors must work together in a coordinated effort. The last thing that should occur is for the government to disappear behind closed doors and emerge on the other side with a bill that addresses a problem. In reality, the private sector is willing to work with the government body. When it comes down to policy, the language must be clear and concise. Often the argument may be that policy is overly demanding and problematic to implement at any level due to the complexity of technology. In fact, a well-meaning policy may start off strong, but as it moves through the government body and eventually becomes law, it may end up lacking the initially desired effect (Armstrong, 2010).
In today’s political environment, one could make the argument that the government has our best interest at heart. At the end of the day, the government is doing the best possible job to combat cyber-attacks and provide the needed level of protection in the cyber world for its citizens. On the other hand, with the state of the national debt, one could argue that this is a way to generate revenue, or an argument can be made that the government does not provide the necessary expertise to drive the technical aspects of security. To substantiate the point that the government is incapable of properly dealing with security, consider the Federal Information Security Management Act of 2002 (FISMA). This act could serve as a perfect example, and it has come under fire over the years. Critics have argued that FISMA has become nothing more than an annoyance and that organizations simply check the boxes without truly dealing with the problems that the law was originally intended to address.
In any case, it is clear that cyber security is paramount to protecting this great nation and its citizens. The common denominator comes back to regulation and the voiced need for the Federal Government to take an active role in delivering expectations and guidance within the cyber world. In fact, once the public and private sectors begin working closely together, then and only then may a real change occur. The positive is that government regulations also have positive impacts in terms of decision making and best practices that can help protect all interested parties (Fisch, 2004). In closing, just as in other aspects of business, change will always be both good and bad; with technology playing a larger role with each passing day, the importance of cybersecurity regulations will become fundamental to all.
References
- Wutkowski, K. (2011). Northrop CEO urges more regulation. Reuters. Retrieved on September 14, 2011 from http://www.reuters.com/article/2011/09/07/us-aero-arms-summit-regulation-idUSTRE7865GX20110907
- Crews Jr., C. (2007). Cybersecurity and authentication: The marketplace role in rethinking anonymity – before regulators intervene. Knowledge, Technology & Policy, 20(2), 97-105. doi:10.1007/s12130-007-9010-z
- Lin, H. S., Spector, A. Z., Neumann, P. G., & Goodman, S. E. (2007). Toward a safer and more secure cyberspace. Communications of the ACM, 50(10), 128. Retrieved from http://www.acm.org.ezproxy.umuc.edu
- Swartz, N. (2005). Cybersecurity report reveals weaknesses. Information Management Journal, 39(3), 19. Retrieved from http://www.arma.org
- Raduege, H. (2009). Cyber threats may be hazardous to your privacy. Policy & Practice, 67(2), 24. Retrieved from http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_ps_CyberThreatsMayBeHazardoustoYourPrivacy_Technology%20Speaks%20_061509.pdf
- Homeland Security, (2005). Homeland Security Advisory Council private sector information sharing task force on Homeland Security information sharing between government and the private sector final report. United States Department of Homeland Security. Retrieved from https://www-hsdl-org.ezproxy.umuc.edu/?view&did=462311
- Homeland Security, (2011). Fact Sheet: Cyber Storm III: National cyber exercise. United States Department of Homeland Security. Retrieved on September 17, 2011 from http://www.dhs.gov/files/training/cyberstorm-iii.shtm
- The Guardian, (2011). Biggest series of cyber-attacks in history uncovered. The Guardian. Retrieved on September 15, 2011 from http://www.guardian.co.uk/technology/2011/aug/03/biggest-series-cyber-attacks-uncovered
- Baker, W. (2011). 2011 Data Breach Investigations Report released. Verizon Security. Retrieved on September 13, 2011 from http://securityblog.verizonbusiness.com/2011/04/19/2011-data-breach-investigations-report-released/
- Armstrong, I. (2010). Following FISMA. SC Magazine: For IT security professionals (15476693), 21(2), 36-39. Retrieved on September 14, 2011 from http://www.scmagazineus.com
- Fisch, J. E. (2004). The new federal regulation of corporate governance. Harvard Journal of Law & Public Policy, 28(1), 39-49. Retrieved from http://www.law.harvard.edu/studorgs/jlpp/