Technology has grown exponentially over the past two decades. As time goes by we continuously benefit from and increase our dependence on technology. Web applications, drones, mobile applications, industrial automation, and machine learning applications, and other technologies have changed our lives. But there are immense dangers that these technologies bring us. Therefore, our governments have introduced cybersecurity laws.
The Scale of the cyber threat
The United States government spends an approximate 19 billion dollars every year on cybersecurity. But cyber-attacks continue to increase every year rapidly.
There are three main threats cybersecurity efforts attempt to mitigate:
Cybercrime: includes single or colluded acts to target systems for financial gain or to cause disruption.
Cyber-attacks: often involves politically motivated information gathering
Cyber-terrorists: are intended to undermine electronic systems to cause panic or fear
With this in mind, cybersecurity laws are designed to provide protection and counter cyber-attacks. Virtually all organizations today have an online component, so cybersecurity laws apply to nearly every business.
What do cybersecurity laws cover?
Cybersecurity laws and regulations tend to cover the most common matters that arise from cyber threats. These matters include a focus on criminal activity, corporate governance, insurance matters, and the jurisdiction of law enforcement.
Cybersecurity Laws of the Past
In the previous century, cybersecurity laws did not hold much weight. The type of cyber-crime being committed at that time was not as damaging as it is today. The laws of the time were comparable to copyright protection or laws about software piracy.
But now the threat has elevated and much more severe cyber-crimes the norm. These crimes range from deployment of ransomware to actual treason. Now, serious action must be taken to counter and deter such crimes. The increased threat has led to increased legislative action.
Current Cybersecurity Laws
Fines as significant as five million dollars and lengthy jail terms have been put in place to curb such activities. The institution of such penalties for cyber-crimes may still not be enough given the amount of damage that hackers can cause.
Before 2015, the federal government of the United States unaware of several attempted data breaches on private institutions. All this changed with the Cybersecurity Act of 2015. After numerous attempts, Congress passed legislation that allowed companies in the U.S to share personal information related to cybersecurity with the government. The government could use this information as evidence to prosecute crimes.
Difficulty in Prosecution
In the past, cybersecurity crimes were difficult to prosecute for the following reasons:
Area of jurisdiction
One of the reasons prosecutors had trouble was a result of Jurisdiction. Many times the person committing the crime was outside of the country or legal jurisdiction of the court. This is why the United States is focused on the international stage and establishing allies in the cyber-world.
Many cyber-crimes go unreported
A majority of cyber-crimes do not get prosecuted because the victims do not report the crime to the authorities. Small, medium and even large organizations have failed to disclose breaches because of the negative impact and loss of trust that would occur.
Evidence collection was quite difficult
Digital Forensics has evolved dramatically in recent years. Best practices and strict processes have been developed to identify and preserve evidence that can be used to prosecute cyber-criminals. But in the not so distant past, it was challenging to prosecute cyber-criminals because few people had the expertise needed to gather and preserve the evidence.
Cyber-criminals use advanced methods to cover their tracks
The use of TOR and VPNs allows hackers to operate with a certain degree of anonymity. Beyond this, hackers work tirelessly to cover their tracks. Cyber-criminals are on the cutting edge of research, and they continuously work to be more and more challenging to identify, track, and apprehend.
What sorts of activities are criminalized by law?
Cybersecurity laws and regulations affect the crimes in the various sectors where they are committed. The sectors include federal law or county law.
Activities that are made criminal by cybersecurity laws include:
- Computer hacking
- Economic espionage
- Corporate espionage
- Identity theft
- Breaking into computer systems, accessing unauthorized data, modifying or deleting the data
- Stealing confidential information
- Unauthorized publication or use of communications
- Criminal infringement of copyright
- Spreading of fake news
- Sexual exploitation of children
- Defacing internet websites
- Flooding websites with increased volumes of irrelevant internet traffic to make sites unavailable to the actual users who are supposed to be viewing them.
The various categories of the law have also criminalized numerous other crimes committed over the internet.
Ways in which cybersecurity laws are enforced
The United States addresses cybersecurity through sector-specific initiatives, general regulation, and private sector involvement. At the national or federal level cybersecurity standards are executed using a variety of methods.
The Federal Trade Commission (FTC) is the primary federal consumer protection agency responsible for enforcing the prohibition on ‘unfair and deceptive acts or practices’. Using this authority, the FTC frequently enforces minimum security requirements concerning entities collecting, maintaining, or storing consumer’s personal information.
In June 2015, the FTC issued ‘Start with Security’ guidance. This guidance appropriately identified the FTC’s lessons learned from over 50 data security enforcement actions brought by the FTC since 2001. This guidance advises companies to incorporate a series of 10 lessons learned, ranging from authentication controls to network segmentation. In mid-2018, a federal appellate court vacated an FTC order issued against a company for allegedly ‘unreasonable’ security practices in violation of the FTC Act.
The court held that the FTC’s order had failed to direct the company to cease committing any specific unfair acts or practices. Instead, it imposed only the general requirement that it maintain a ‘comprehensive information security program. The program must be reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers’.
The court avoided the broader issue of whether the alleged security failings constituted ‘unfair’ business practices under the FTC Act. The decision raised questions about parts of the FTC’s prior data security consent orders. This may cause the FTC to shift its approach for future data security enforcement actions.
Major US Federal Cybersecurity Laws
Health Insurance Portability and Accountability Act (HIPAA) (1996)
HIPAA was enacted in 1996 and signed by President Bill Clinton.
Before HIPAA there was no standard method for safeguarding the protected personal information (PPI) that was stored by organizations in the healthcare industry. There were no security best practices in place. One of the reasons that there were no standards related to cybersecurity in the healthcare industry was that health records were traditionally stored as paper records.
Just before the introduction of HIPAA, the healthcare industry was scrambling to move away from paper records to become more efficient. The need to become more efficient drove the need to be able to access and transfer patient information quickly.
Since there was an urgency to convert to electronic healthcare records, many companies were founded to capitalize on the need and profit from it. Security for most of these companies was merely an afterthought. The government quickly saw the need to create regulations in an attempt to enforce security standards.
The primary objectives of HIPAA include
- Modernize how healthcare information is stored and processed
- Ensure that private personal information is protected adequately by hospitals, insurance companies, and other health-related organizations
- Address limitations on healthcare insurance
Gramm-Leach-Bliley Act (GLBA) (1999)
The Gramm-Leach-Bliley was signed into law in 1999. This law is also known as the Financial Services Modernization Act of 1999.
The main thing that GLBA did was to repeal a portion of an outdated law from 1933. This 1933 law was called the Glass–Steagall Act. The Glass–Steagall Act prevented companies from doing combined business in banking, securities, and insurance. A bank was not allowed also to sell insurance or securities.
Along with the above, GLBA also requires financial institutions to disclose how they store and protect their customers’ private information. The GLBA introduced Safeguard Rules to that must be followed. These safeguard rules are explicitly defined in the law. Among other things, the safeguard rules include:
- Conduct background checks on employees who are going to have access to customer information
- Required that new employees sign a confidentiality pledge
- Limit access to private information on a “Need to Know” basis
- Require strong passwords that are changed frequently.
- Require computer screens to lock after they are inactive after a specific duration
- Enact security policies for devices and data encryption.
- Conduct initial and periodic security training for employees and regularly remind the employees of the policy.
- Develop policies for remote work security.
- Develop policies to enforce security violations through discipline.
- Take steps to secure data at rest and data in transit. Also, control access to this data.
- Dispose of information securely.
Homeland Security Act (2002)
The Homeland Security Act was signed into law by George W. Bush in 2002. This act included the Federal Information Security Management Act (FISMA).
The United States introduced the Homeland Security Act following several terrorist attacks in the United States. These terrorist acts include the World Trade Center bombing and mailing of anthrax spores to some news outlets along with some government officials.
The Homeland Security Act established the Department of Homeland Security (DHS). Beyond this, the act also had other purposes, including FISMA cybersecurity-related regulations. FISMA included the implementation of the National Institute of Standards and Technology (NIST). NIST became responsible for developing standards, guidelines, and methods for cybersecurity protections.
The National Institute of Standards and Technology( NIST) outlines nine steps toward compliance with FISMA:
- Categorize the information to be protected.
- Select minimum baseline controls.
- Refine controls using a risk assessment procedure.
- Document the controls in the system security plan.
- Implement security controls in appropriate information systems.
- Assess the effectiveness of the security controls after implementation.
- Determine agency-level risk to the mission or business case.
- Authorize the information system for processing.
- Monitor the security controls continuously.
Are These Laws Enough?
The three regulations outlined above cover mandates for healthcare organizations, financial institutions, and federal agencies. But many other industries do not have applicable cybersecurity laws.
Some argue that the need for additional government intervention is not necessary. It is in the best interest of any business to secure data and sensitive information. The importance is so high that companies and organizations spend massive capital amounts on this effort.
Others that it is the government’s responsibility to protect its citizens. This responsibility requires the introduction and enforcement of laws to ensure that the citizens are protected.
Data breaches and successful attacks continue to occur to organizations despite the best efforts to maintain compliance with laws, standards, and best practices. Even so, the presence of effective laws can certainly help toward the objective of keeping data safe.