The Growing Importance of Cybersecurity in our Digital Age

In the “Digital Age” that we live in, computers and the Internet pervade our everyday lives. Across the U.S., millions of people and businesses rely on computers and networks every single day and could not operate without them. Businesses today rely on networks and global connectivity to perform numerous tasks such as paying bills, tracking data, tracking shipments, keeping inventory, ordering raw materials, and selling finished products. According to one survey, e-commerce retail totaled roughly $132 billion in 2008 alone, which is a truly staggering number. Networking technology also powers all public utilities such as electricity, water, and gas. Military and governmental entities are not immune from the need for connectivity in order to operate smoothly and efficiently. But, as President Obama pointed out in a May 29, 2009 press conference, “the very technologies that empower us to create and to build also empower those who would disrupt and destroy.”

With the amount of information individuals and businesses have floating around in cyberspace, many technology-savvy people have found ways to exploit the interconnectivity of the Internet to their advantage. According to an article written by Bardzell et al., there are many scams being run by high-tech con men, such as phishing (which commonly prompts users to input sensitive information such as passwords, credit card numbers, or social security numbers into fake websites designed specifically to look like a trusted site, such as Bank of America or AOL) or crimeware (which is malicious software running on a computer that can spy on a user’s actions and steal their private information by recording the user’s keystrokes or capturing the contents of the screen). The same article also points to studies that show that identity theft perpetrated by scams like these cost U.S. businesses $50 billion in 2004 and $57 billion in 2005. President Obama also remarked that last year alone cyber criminals stole an estimated $1 trillion in intellectual property from businesses worldwide.

Numbers like these make it clear that cybersecurity is hugely important for the private sector.  Much must be done to raise awareness of these issues, and to educate the public on how they can protect themselves and their businesses.  However, federal and local governments also have a huge stake in devising new ways to protect “America’s digital infrastructure” because entities such as NASA, the White House, and the Department of Defense all had their networks breached by foreign intruders last year.  Also, the government has an interest in cybersecurity as a matter of public safety and national security because “cyber-terrorists” could attack many crucial private and public sector companies, such as utilities, public transportation authorities, and air traffic control organizations.

In response to these concerns, the Cybersecurity Act of 2009 (S.773) was drafted. The Act contains several fairly uncontroversial sections that appear to be good steps in the right direction such as Section 7, which establishes a national certification and licensing program for “cybersecurity professionals”, Section 10, which charges the Secretary of Commerce to “develop and implement a national cybersecurity awareness campaign”, and Section 11, which mandates that the Director of the National Science Foundation give substantial support to research and development in the cybersecurity field. However, certain provisions in the Act are garnering a lot of attention and debate from civil and digital rights activists. Section 6, for instance, directs the National Institute of Standards and Technology to establish “measurable and auditable cybersecurity standards” for systems operated by the Federal Government and its contractors, as well as all “grantee critical infrastructure information systems”. This section of the Act concerns certain advocates because it will impose governmentally defined standards on businesses that are in the private sector. Another particularly contentious provision in the Act is Section 14(b)(1) which gives the Secretary of Commerce access to “all relevant data” concerning critical infrastructure information networks “without regard to any provision of law, regulation, rule, or policy restricting such access”. This section obviously raises many privacy issues, especially the “without regard to any provision of law” clause. The other heavily debated provision of the Act is Section 18(2) which grants the President the power to “declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised” critical infrastructure information network. This raises issues as to what constitutes an “emergency” and how much power the President can actually have over a traditionally public forum like the Internet.

While the issues raised by privacy, civil, and digital rights activists are very real concerns, I think that they should take a back seat when issues of national security are at stake.  Of course no one likes the idea of Uncle Sam spying on them and collecting all sorts of personal information, but as long as the law specifically and narrowly defines what constitutes “relevant information”, what constitutes an “emergency”, and what exactly qualifies as “critical infrastructure” in terms of cybersecurity, then issues of national security should trump all other concerns.  Also, I think that governmental standards need to be imposed because private voluntary actions would probably not go far enough, much the same way that publicly traded businesses clamored to govern and audit themselves.  This lack of oversight and accountability set the stage for financial fiascos such as Enron and Worldcom, leading to the promulgation of the Sarbanes-Oxley Act, which imposed governmentally defined standards on private sector businesses and, if anything, the risks involved in protecting “America’s Digital Infrastructure” go far beyond money.


~ by brentnewton on November 16, 2009.

2 Responses to “The Growing Importance of Cybersecurity in our Digital Age”

  1. This seems to be another area where new legal measures need to be put into place to prevent (or at least combat) crime in a virtual context, but attempts to do so are either unlikely to be effective or overreaching in scope of granting government the power to act. I find it unsurprising that Section 14(b)(1) is garnering negative attention – that clause is constructed in terms of absolute language by using words like “all”, “any”, and “without regard”. With so much of American law based on checks and balances or other limits on government power, bestowing a limitless grant of power on the Secretary of Commerce is both a frightening concept and inconsistent with American legal theory. A call for oversight and accountability should cut both ways – the government needs some additional authority to ensure public safety where it intersects with digital mediums, but its own power can’t be without some boundaries.

    The second controversial clause doesn’t cause me quite as much concern, but probably because I don’t understand it as well. On a quick first read-through, I thought it purported to grant the President the power to shut down the internet, which I found incomprehensible. I couldn’t fathom that the internet could be physically shut down by anyone. Restricting access to “compromised” networks that pose “security concerns” is a bit more reasonable, and perhaps even a wise idea, but I still find it hard to imagine that implementation would be extremely difficult.

    Law is usually about balance – the government’s concern about national security is legitimate and should be addressed, but we can’t throw American jurisprudence out the window and repress civil rights in exchange.

  2. I don’t understand either how the President could shut down the Internet. But in theory I don’t think it’s a controversial power to give the President. In the physical world, we give the government power to restrict access to public streets and waters in emergency situations (e.g., by imposing curfews, etc.), and this would just be an extension into cyberspace of that same general principle. As to the reaction of critics to Section 6 of S.773, isn’t it sort of common to impose governmentally defined standards on businesses in the private sector? Isn’t that exactly what the EPA does? Why is it so much more objectionable in this context?
