Cybercrime is on the rise.
According to the Department of Justice, more than 17 million Americans experience identity fraud each year. Tech savvy criminals can do as much damage as “traditional” attackers, so politicians have made a point to question the nation’s “cybersecurity” policies.
But are they asking the right questions?
Ram Chellappa, an associate professor of Information Systems & Operations Management at Goizueta Business School, says there is ambiguity in policy.
“There is no such one thing as cybersecurity,” he said. “Cybersecurity and privacy are not the same thing. Cybersecurity and rights are not the same thing. Cybersecurity simply means securing something in the online world.”
[soundcloud url=”https://api.soundcloud.com/tracks/244077118″ params=”color=0066cc&auto_play=false&hide_related=false&show_comments=true&show_user=true&show_reposts=false” width=”100%” height=”166″ iframe=”true” /]
But simply putting a lock on information isn’t so easy.
Hackers consistently prove an ability to break into sophisticated systems. Policy makers must contend with issues of consumer privacy and what — if any — information can be stored.
As a result, leaders on both sides of the aisle create vague documentation. The White House expanded the “Comprehensive National Cybersecurity Initiative” in 2009, continuing work started by the Bush Administration. It aims, quite simply, to “deter interference and attacks in cyberspace.”
“The role of the government in this is a complicated one,” Chellappa said. “One could argue that if there are attacks primarily originating from out of the country into these (private) firms that are located in the U.S. and storing data in the U.S., then it is the role of the government to pursue that non-private portion of it, meaning that the criminal activities take place elsewhere.”
State governments and private industries also have power to address security issues, which can muddy the already murky waters.
In May, New Jersey Governor Chris Christie announced the New Jersey Cybersecurity and Communications Integration Cell, “a central hub for analyzing threats and sharing information with residents, private companies and the federal government.”
Christie is also one of more than a dozen candidates for the Republican nomination in the 2016 presidential race.
While their views differ on many issues, Democratic candidate Hillary Clinton and GOP hopeful Jeb Bush reflect similar — though vague — positions in protecting the country’s digital assets. Clinton writes on her website: “Cyber attacks have profound consequences for our economy and our national security.” Writes Bush: “Cybersecurity should be considered a critical element of our national defense, economic well-being, and national resilience.”
In order to create a comprehensive security plan, Chellappa argues, it is necessary to understand the distinction between the public and private sectors. He said security and defense programs emanating from the NSA, the FBI and other U.S. defense agencies can monitor governmental web servers relatively easily because those are servers maintained by government IT groups.
But personal data lives largely on private servers. From email, to credit cards, to health insurance — Americans give a lot of information to non-government entities. And, according to Chellappa, private servers are, in some cases, impossible for the government to regulate.
While organizations like Google and healthcare companies are required to protect client information, there is no clear mark for consistency. Marrying public and private servers to provide more defense against hackers is also a hot debate that creates an interesting crisis of policy and platform.
The Presidential candidates have not spoke in great detail, but suggest a partnership between industry and the government. For example, GOP candidate Carly Fiorina — the former CEO at tech firm Hewlett-Packard — recommends tearing down “cyberwalls” that keep the data of private firms private.
Clinton writes of leveraging the work of public and private sectors and overcoming the “mistrust that impedes cooperation.” Bush also speaks of creating public-private partnerships to beef up the nation’s cyber defenses.
He emphasizes the importance of U.S. defense agencies in protecting the cyber world, especially the NSA, which came under fire in 2013 for its role in capturing and reviewing data from privately owned servers.
“There’s no one, overarching framework,” Chellappa said. “But one can clearly understand where the public-private partnership comes in.”
However, even the government hasn’t been insulated from attacks.
In June of this year, The United States Office of Personal Management (OPM) announced that it had been hacked. The intrusion, which allegedly began in late 2014 by Chinese hackers, compromised the personal information of almost 22 million people.
While news of the data breach broke only months after the attack, it took until early October for the government to begin notifying the 21.5 million people affected.
“The role of the government in this is a complicated one,” Chellappa says. “Industrial espionage used to be a concern of a respective industry. But now at the scale of which it is happening, it has become the concern of the government.”
In a November GOP debate, Christie and fellow candidate John Kasich vocalized a budding Republican plan to take a cyberwar between the United States and international hackers on the offensive.
“If the Chinese commit cyberwarfare against us, they are going to see cyberwarfare like they have never seen before,” Christie said with his colleagues harkening a similar response against all perpetrators of cyberattacks.
“Unless we punch back, we will continue to get hit,” says James Lewis, a cyber-security expert at the Center for Strategic and International Studies, commenting on the U.S. government’s response to data breaches.
While this strategy might deter other governments from hacking into U.S. firms and agencies, it is not likely to keep out individual hackers, especially those based in the U.S. or looking for more salacious data.
In July 2015, a group of hackers calling themselves the “Impact Team” hacked the extramarital affair website Ashley Madison, releasing “the names, partial credit card numbers, email and physical addresses, and sexual preferences of 32 million customers,” according to CNNMoney.
A reported three suicides resulted from the hack. It’s likely many others were significantly affected.
“Firms are liable to protect (data),” Chellappa says. “They have to take adequate measures to protect the data from getting into the hands of hackers.”
In the last decade hackers have proven themselves a novel danger to society.
More and more, governments, businesses and individuals are aware of the risks accompanying our increasingly interconnected and necessary digital lives. With nearly three billion Internet users worldwide, the need to secure the cyber arena is proving to be a formidable task for governments and businesses.
Perhaps the most important question is, who will take on this responsibility?
“There is a difference between government action on behalf of its electorate and an industry’s response to its customers,” writes Goizueta Business School Dean Erika James in the recent edition of Ethisphere, “There are additional ethical concerns when nations seek the source of attacks.”
“My fear for victims of cyber-crimes, including consumers, companies, and governments, is a bumper crop of third-party offerings claiming to protect vulnerable databases. This sort of land rush on fertile consumers comes with a laundry list of ethical concerns, particularly the inevitable influx of businesses that will put a singular emphasis on profit.”
