The U.S. National Security Agency reported that just over 293 billion emails were sent per day in 2011. Spam email comprised a large portion of that volume. Cyber criminals utilize phishing scams to perpetuate hacks like the one that recently occurred on the Associated Press Twitter account. The time to develop cyber security policy is now. However, complex business and political relationships make developing such policies a difficult proposition. This paper highlights the need for new cyber policy and proposes some preliminary frameworks to expedite their creation.
The Internet is not new but it is only now becoming mature. The development of global information communication technology (ICT) infrastructure has reached a critical mass. As a result, the interdependency created by these mediums of communication has been increasing at an alarming rate over the last five to ten years with no sign of slowing down. According to a 2009 report compiled by Cisco, the number of users that are online and the number of mobile devices in circulation is set to double between 2015 and 2020 (Appendix: Figure I). Beyond the increased access individuals have to the internet, there is also an increasing amount of infrastructure that is going online, “the internet is going from a network comprised of PCs with people typing behind them, to one in which all manner of devices – from cars to machines to sensors on buildings, bridges, trees and even in people – communicate over a network.” These digital infrastructures will play a significant role in global political relations. The power dynamics at play between nations, private entities, and non-state actors is in perpetual flux. These entities are utilizing the technologies of the Internet in unique ways to stake their claims to power. If we wait too long to create policies regulating this emerging technological landscape then we risk finding ourselves attempting to combat deeply entrenched control structures that will be vulnerable to malicious intentions. Society must create new global communication policies that have legislative checks and balances, are increasingly agile and sufficiently secure.
Nowhere are these new policy developments more pressing or essential than as they relate to cybersecurity. Cybersecurity is important because the President of the United States said so. During his State of the Union address in February 2013, President Obama said of cybersecurity, “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.” Obama went on to increase the sense of urgency surrounding the matter by telling the American public that he had just signed an executive order related to cybersecurity. Stephanie Sanok, an analyst at the Center for Strategic and International Studies, described the mandates of the executive order to the USA Today. She says that it “expands the government program that provides cyber threat information to industries, such as banking, energy, telecommunications and other ‘critical infrastructure’” and “puts mechanisms in place (for private entities) to share information but does not make it mandatory.”
In case the “because he said so” defense is not enough to convince you of the importance of cybersecurtiy , I will try to further the case in the following analysis by paying special attention not only to the significant threats posed by cyber attacks but also to the complexity surrounding the development of new policy in this field. The threats are real and the policy issues at hand need to be forwarded immediately because codifying these policies into law and developing abilities to implement them practically is going a difficult and time consuming process . Creating a policy framework for cybersecurity is also important because the threats posed by cyber attacks are imminent. In March of 2013, the Directors of the FBI, CIA, and other leading intelligence officials issued a joint statement saying, “cyber-attacks and cyber-espionage pose a greater potential danger to U.S. national security than Al Qaeda.” The longer the U.S. goes without pushing an agenda to construct up-to-date cybersecurity policies, the longer the U.S. will be vulnerable to attack. According to a 2007 annual report filed by the Internet security company McAfee, approximately 120 countries have been developing ways to use the Internet as a weapon that will target financial markets, government computer systems and utilities. The focus on cybersecurity is also important because the policy issues surrounding this dilemma are very revealing of policy concerns that reoccur across the spectrum of issues related to global communication.
What is Cybersecurity?
The focus of this paper will primarily be on cybersecurity in the U.S. because the country provides a unique environment to reflect on this issue . The U.S. legal system and prevailing culture places a high value on three crucial variables associated with this subject; government power, citizen’s rights and economic free-market principles. Their importance is highlighted in Obama’s Executive order, “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”
Before delving into the complexity of the policy issues at hand and further justifying my focus , I will provide some functional definitions. What is cybersecurity? In order to adequately answer that question, let’s look at what cybersecurity is tasked to defend against, cyber attacks . Cyber attacks may be broadly categorized in three different ways; cyber crime, cyber espionage, and cyber warfare. Cyber-crimes include but are not limited to “attacks against computer data and systems, identity theft, the distribution of child sexual abuse images, internet auction fraud, the penetration of online financial services, as well as the deployment of viruses, and various email scams such as phishing.” According to Interpol, cyber crime is one of the fastest growing criminal activities because “criminals are exploiting the speed, convenience and anonymity” offered by modern technology. Cyber espionage is “the practice of obtaining secrets without the permission of the holder of the information.” This may be personal, proprietary or classified information that comes from a variety of entities and is used to create economic, political or military advantages. U.S. government security expert Richard Clarke defines cyber warfare as “actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.”
The Threats of Cyber Warfare
From these definitions we can begin to infer why cybersecurity is an important part of social dialogue. Cybersecurity is a matter of life and death. First of all, a cyber attack against the critical infrastructure of a civilian population could cause chaos and lead to the loss of life. The equivalent of a “Cyber Pearl Harbor” or what others call a “Digital 9/11” may manifest itself in a number of ways. In my mind, the most chilling circumstances involve a combination of cyber and conventional attacks. Let us take a hypothetical scenario into consideration . Imagine that the 2003 northeast blackout, which “was famously traced to a single software bug that prevented a beleaguered Ohio utility from spotting a local failure,” had been instigated by an antagonistic state or non-state actor. Combine this digital assault with a coordinated activation of militaristic sleeper cells that are well-armed and fully prepared to operate in a “dark” environment where communication and transportation systems are crippled. In this terrifying case, a relatively small militia force would be able to effectively take over the entire island of Manhattan and inflict untold levels of damage. Even a more straightforward form of cyber warfare attack, like the Stux.net virus launched by a joint U.S. and Israeli coalition against Iranian nuclear facilities, could easily become the catalyst for a “boots on the ground” type of conventional war. The repercussions of that type of escalation are massive and long-lasting. The U.S. already understands the concept of a military quagmire all too well.
Livelihoods could be destroyed by cybercrime and espionage in a “death by a thousand cuts” scenario. Attacks against computer data systems, identity theft, the penetration of online financial services, and the deployment of viruses could potentially create what U.S. Army Gen. Keith B. Alexander, director of the National Security Agency (NSA) and chief at the Central Security Service (CSS), has called “the greatest transfer of wealth in history.” He went on to justify his claim ; “(In 2011) Symantec placed the cost of IP theft to the United States companies at $250 billion a year, global cybercrime at $114 billion annually ($388 billion when you factor in downtime), and McAfee estimates that $1 trillion was spent globally under remediation. And that’s our future disappearing in front of us.”
On April 23rd 2013 , a single tweet from the Electronic Syrian Army (ESA) guised as the Associated Press (AP) caused a temporary but significant drop in the Dow Jones Industrial Average of 150 points and sent the price of crude oil plummeting. The ESA gained access to the AP system by bombarding their email accounts with phishing scams. The economic effect may have been an unintended byproduct of their plot to terrorize by spreading misinformation and the financial losses recovered after only about five minutes but the damage was done. Now that this vulnerability of the stock market has been exposed, the potential to cause large fluctuations in stock prices by forging negative indicators to influence electronic high-frequency trading systems may cause the next big stock crash. Another social media hack job could have far-reaching economic and political effects that last much longer than five minutes. If cyber criminals could anticipate how these variables would influence specific fluctuations in the stock market then they would hold a digital weapon with enormous earning potential. Any such attacks also negatively affect investor’s confidence causing broader short to long-term economic volatility. A 2004 Cisco report shows that “target firms (of cyber attacks) suffer losses of 1%-5% in the days after an attack. For the average New York Stock Exchange corporation, price drops of these magnitudes translate into shareholder losses of between $50 million and $200 million.”
Safeguarding human life and well-being is a fundamental goal in establishing viable communication policy in cybersecurity. However there are other positive outcomes that emerge from drawing our attention to this topic. The concerns related to cybersecurity policy are representative of issues that reoccur across the spectrum of global communication policy . Solving problems in this field could lead to progress in many other realms of policy development . In the following section of this analysis, I will review some of the obstacles associated with cybersecurity policy and propose some general solutions, along with questions that anticipate future debates.
The Obama executive order, signed in February 2013, encourages the sharing of information between government and private entities that are critical to our infrastructure . They aspire to create new policy that allows the government to share information with these entities and vice versa. Providing more information for everyone in order to strengthen national security seems like a unifying and righteous cause. This is especially true after the government’s acknowledgement that they had the information to potentially stop the 9/11 attacks but failed to “connect the dots.” The result at that time was the creation of the Department of Homeland Security which solicited a “too much, too late” sentiment from the general public who often felt that their privacy was being invaded by the practices of the new government agency. In fact, this month’s cover of Time Magazine depicts the Statue of Liberty holding surveillance equipment in her raised right hand rather than the typical flame of liberty. This shows how turning good intentions into good policy and just law can be a difficult task .
A delicate balance must be struck when transitioning this executive order into reality to maintain free market economic principles and privacy protection for corporations and citizens alike. The “biggest barriers to bolster our cyber defenses can be fixed only with legislation,” said House Intelligence Committee Chairman Mike Rogers. Michael Daniel, the Obama Administration’s Cybersecurity Coordinator, said of a World Conference on International Telecommunications (WCIT) that it “ended without what should have been a limited effort to modernize quarter-century old telecommunications regulations,” because the legislative process “turned into an attempt to legitimize greater state control over the Internet.” ICT technologies and the laws which regulate them are in need of an upgrade. However the process is disrupted by special interests’ vie for power . Daniel went on to state the general U.S. position outlining the creation of Internet policy and law, “the Internet’s social and economic benefits come from the free flow of information and ideas and that the technical innovation enabling this information flow comes from the full engagement of civil society, industry, and governments in the process .” The executive order speaks in generalities that could prove problematic when it comes time for implementation and codification into law. The mechanisms that will enable this free-flow of information, the type of information shared, the agencies and corporations involved, and how this information will be used , are all outstanding issues that have no specific resolutions.
Individual’s privacy implications are paramount in the formation of cybersecurity policy. In 2011, the Justice Department granted the FBI powers to “data-mine vast stores of information about individuals without making a reviewable record of their actions.” It is unclear how much of this type of data has been mined by intelligence agencies and what part of this dataset may be included in a new information-sharing network between government and private entities. The executive order simply states that, “It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats.” This describes the lofty intention behind sharing information in one direction; from the government to private entities. When made more concrete, developing channels of communication to enable cybersecurity enhancements could also go a long way in addressing other policy concerns related to national security, the banking system, and even healthcare. For example, as “Obamacare” is put into practice, these open lines of communication could be used to streamline new processes associated with its implementation. They would allow for an added venue through which the government could communicate the ways “Obamacare” will impact private healthcare providers and even a channel to facilitate feedback from the providers back to the government.
The cybersecurity executive order also aims to encourage the flow of information from private entities to the government. One way this will manifest itself is through the government utilizing the intellectual capital held by pertinent private entities. This is in line with the principle of Joy’s law which states, “No matter who you are, most of the smartest people work for someone else.” Crowd sourcing knowledge related to emerging technologies and trends in computing will allow for an agility of policy development that would otherwise be hampered by the relative lack of expertise that exists in the U.S. government. “Groups of individuals with diverse social, intellectual, and professional backgrounds can now use technology to collaborate in new ways that can drive progress more rapidly and effectively than ever before,” and this type of collaboration can have a tremendous application to the process of policy development.
Another obstacle the government must overcome is incentivizing private companies, which operate in a competitive free-market economy, to share sensitive information. The protection of proprietary knowledge is a central concern in capitalism. The chairman of the House technology panel highlights one way the government could convince corporations to participate, “Tax breaks and liability protection may spur banking, energy and telecommunication companies to improve cybersecurity on their computer networks.” The government must also rely, in part, on companies realizing that they have a vested interest to participate in this information sharing platform because they will otherwise not be able to withstand a sophisticated onslaught of attacks from state and non-state actors alike. However, companies may feel that their security systems are sufficient without government support. The government must offer adequate proof of their ability to provide these companies with security services greater than what they can produce on their own. Assurances must also be made that proprietary knowledge which gives businesses advantages in their markets is not to be shared with their competitors. This will be a potentially difficult promise to keep because highly sensitive information, like the software code that creates Google’s search algorithm, may be at the heart of future cyber attacks. Defense capabilities created by the government in the wake of such an attack may inadvertently give a company like Yahoo enough information to recreate their biggest competitors “secret sauce.” It would akin to Burger King getting the recipe for a McDonald’s Big Mac from the Food and Drug Administration in order to prevent the distribution of weaponized mayonnaise. That analogy may have been a far stretch but I hope I have conveyed my point.
About one year ago, the European Union (EU) created a proactive and empowered organization that is being considered as a viable option by the U.S. government. The EU Permanent Computer Emergency Response Team (CERT-EU) is a sort of cybersecurity watchdog for EU institutions, agencies and bodies. It is made up of IT security experts from the EU Institutions including the European Commission, General Secretariat of the Council, European Parliament, Committee of the Regions, and the Economic and Social Committee. CERT-EU also “cooperates closely with other CERTs in the Member States and beyond as well as with specialized IT security companies.” CERT-EU has important enforcement capabilities. It is able to legally compel private companies to disclose operational information related to potential threats after a cyber attack has occurred against their infrastructure. The ways in which this increased intelligence will be made actionable creates yet another critical question. Once the government gains access to information collected from private entities such as Facebook, Google, credit card and insurance companies, what is to stop the government from over-reaching their powers and using this information outside the context of the cybersecurity knowledge sharing platform? It boils down to this, who is going to watch the watchdog ?
By the time I have completed this paper some of its implications may already be somewhat obsolete. Such is the pace of technological advancement in today’s society. As a result of technological progress, new and unique challenges related to cybersecurity challenges are ever-changing. One of the most important governance questions that can be asked today is, “Can we make use of emerging technologies in order to govern in more effective and efficient ways?” However, even if technology is sufficiently leveraged to create a cybersecurity knowledge sharing platform, who will ensure the infrastructural security of the very platform that is intended to develop more security? Such paradoxes persist throughout this discussion.
Kenneth Culkier describes government efforts to manage Internet resources as being stuck in a “time capsule” because it is not sufficiently forward-looking and agile. Instead, he says, “the (Internet) network is in the process of a dramatic transformation for which the Internet governance community is unprepared.” If regulating a (relatively) straightforward threat to society like gun-control is seemingly impossible given Congress’ recent track-record, then I am only cautiously optimistic with regards to the future of establishing laws related to cybersecurity
Cyber attacks affect white collar bank statements, black operations, and green berets more than the blue-collar citizen. The U.S. has yet to experience a major cyber attack that has concrete impacts on civilian infrastructure on a massive scale. In fact, it is rare to hear about this scale of cyber attack anywhere. Nations and private entities have a vested interest to not report such attacks in order to protect stock prices and the semblance of national security . For these reasons, society tends to underestimate the magnitude of the problem and believes .
Ultimately there are more questions than answers currently surrounding this debate and it is not a new issue. I must acknowledge that this analysis has touched on cybersecurity policy issues only on a very high-level. There is much more work to be done. The impetus behind this paper is to highlight the need to get started. The sooner we pass even a general framework of guiding policies for cybersecurity, the sooner we can begin to define the actionable steps necessary to ensure the safety of the global community. My hope is that we make the willing choice to upgrade our cybersecurity systems through efficient and effective policy formation and not be forced to retroactively acknowledge our deficiencies only after a catastrophic attack.
- “AP Twitter Feed Hacked; No Attack at White House.” USA Today. Gannett, n.d. 13 Jan. 2014.
- “CERT-EU News Monitor.” CERT-EU News Monitor. N.p., n.d. 13 Jan. 2014.
- “Cisco -Economic Impact of Network Security Threats.” Cisco -Economic Impact of Network Security Threats. Cisco, n.d. Web. 13 Jan. 2014.
- “Congress, Politics, Booksand American History.” C-SPAN. N.p., n.d. 13 Jan. 2014.
- “C-SPAN VIDEO LIBRARY Created by Cable. Offered as a Public Service.” C-SPAN Video Library. N.p., n.d. 13 Jan. 2014.
- “Cybercrime.” / / Crime Areas / Interpol / Home. N.p., n.d. 13 Jan. 2014.
- “Keith Alexander Speach.” Brightcove. N.p., n.d. 13 Jan. 2014.
- “The Governance Lab.” NYU Wagner. N.p., n.d. 12 Apr. 2013.
- “The White House.” The White House. The White House, n.d. Web. 12 Jan. 2014.
- Calabresi, Massimo and Crowley, Michael Homeland Insecurity: After Boston, The Struggle Between Liberty and Security. Time Magazine Online. May 2013
- Cisco Systems Inc. Cisco 2011 Annual Threat Report. Cisco. San Jose, CA. Web. 2011.
- Culkier, Kenneth. The Next Internet Governance Battles. The Economist, Tokyo. 2007.
- Daniel, Michael. A Principled Stance on the Internet’s Future. White House Blog. December 21, 2012.
- Dilanian, Ken. “Cyber-attacks a bigger threat than Al Qaeda, officials say”, Los Angeles Times, March 12, 2013.
- Duncan, Geoff. WILL THE NEXT 9/11 BE DIGITAL? Digital Trends. April, 2013.
- Kleinwachter, Wolfgang. The Power of Ideas: Internet Governance in a Global Multi-Stakeholder Environment. Wagner Translations. 2007.
- Lakhani KR, Pannetta JA. The Principles of Distributed Innovation. MIT Press. 2007.
- Messmer, Ellen. “Cyber Espionage: A Growing Threat to Business”. Jan 21, 2008.
- Strohm, Chris. Cybersecurity Bill in U.S. Senate Calls for Industry Rules. February, 2012. Web.
- Clarke, Richard and Knake, Robert. Cyber War: The Next Threat to National Security and What to Do About It. Harper Collins, 2010.
 Cukier, Kenneth. The Next Internet Governance Battles. Pg. 285
 Dilanian, Ken. “Cyber-attacks a bigger threat than Al Qaeda, officials say”, Los Angeles Times, March 12, 2013.
 Clarke, Richard and Knake, Robert. Cyber War: The Next Threat to National Security and What to Do About It. Harper Collins, 2010.
 Alexander, Keith. Speech at the American Enterprise Institute. July, 2012.
 Alexander, Keith. Speech at the American Enterprise Institute. July, 2012.
 “Cisco -Economic Impact of Network Security Threats.” Cisco -Economic Impact of Network Security Threats. Cisco, n.d. 13 Jan. 2014.
Calabresi, Massimo and Crowley, Michael Homeland Insecurity: After Boston, The Struggle Between Liberty and Security. Time Magazine Online. May 2013
 Lakhani KR, Pannetta JA. The Principles of Distributed Innovation. MIT Press. 2007.
 Strohm, Chris. Tax Breaks Considered to Improve Network Security. Bloomberg News. February, 2012.
 Culkier, Kenneth. The Next Internet Governance Battles. The Economist, Tokyo. 2007
The author quotes Sanok as stating that the executive order
If you added this to the quote it goes in brackets, no parenthesis.
It’s not enough, and this is an overly casual tone for this style of paper.
Maybe “The following analysis will focus on both significant threats posed y cyber attacks in addition to the complexity of the relevant developing policy” or similar.
Progressed sounds better here.
This phrasing is a bit awkward
“is going [to be] a difficult…” also explain why. Who would be responsible for undertaking this? What challenges would they face?
A new transition into your idea here would be ideal
I don’t know if dilemma is the best word, and since you say “policy concerns” later in the sentence “policy issues” is a bit of an awkward phrasing.
Why are they revealing, and how?
Sounds a bit vague and awkward.
You can just say that it narrows your focus.
You can write with a first person perspective, but this particular phrase is vague and not appropriate for the style of paper.
This should be rephrased to avoid using “let’s” and putting the fact that you’re focusing on cyber attacks at the beginning instead of the end of the sentence.
Introduce your source, state why it’s a legitimate authority.
Again, identifying the source and why you’re citing them.
This is very week phrasing, and should not use “we.” Maybe “These definitions comprise much of …”
This is ridiculously overdramatic.
You should note who called these things “Digital 9/11” and “Cyber Pearl Harbor.” If there’s no source it should really be changed.
“Consider this hypothetical scenario…” is better.
This is mostly fine, but there’s just a sense of moralism that could be toned down a bit.
“claim with the following statistics;”
Providing a better transition here would help
What realms? How?
What month is that?
I don’t think one example of public response from the cover image of Time Magazine justifies this statement. There are so many other things that make this difficult and I haven’t seen you mention any of them.
If you don’t get to what this delicate balance is within a few lines, this statement loses its usefulness.
Maybe. “claimed that the (insert year) World Conference on International Telecommunications (WCIT) ‘ended…’”
I know the scope of this paper is not enough to go into the current legislative issues to do with the internet, but if you can’t offer a few sentences to describe the current issues you mean maybe statements like this should be omitted.
Maybe mention specifics.
Maybe this part of the quote should be separated to make this sentence flow better.
A little more depth on what these mechanisms, information types, agencies and corporations, and information use are. Even just a sentence apiece.
That’s not actually true. Maybe you can’t get exact information, but just writing this off isn’t legitimate.
This really doesn’t have a place in this style of paper.
This is a bit simplistic and unnecessary.
whether we can make use of emerging technologies in order to govern in more effective and efficient ways.
This isn’t even tangentially related, you might want to find a better example.
“cybersecurity. In the U.S….”
Why this transition? Also, it’s very vague.
You probably should have built on this idea more in the body of the paper, and given examples
“of the internet”
This is a bit too much in contrast to your Time Magazine example earlier.