In conjunction with the recent State of the Union Address, the White House announced a package of legislative proposals titled Modernizing Law Enforcement Authorities to Combat Cyber Crime, aimed at providing law enforcement the “appropriate tools to investigate, disrupt and prosecute cyber crime.”
Editor’s note: See the Homeland Security Today report, Obama’s Cyber Info-Sharing Executive Order Applauded, But Legal Protections Still Required.
In addition to recommending enhanced cybersecurity information sharing and national data breach reporting, the proposal also revived several 2011 proposals to update the Racketeer Influenced and Corrupt Organizations Act to apply to cybercrimes and to “modernize” the Computer Fraud and Abuse Act (CFAA) to address a perceived gap, making it easier to prosecute employees who misuse their authorized access to a computer to commit fraud or to steal or damage data or hardware.
However, attempts to broaden the criminalization of cyber crimes beg the larger question of whether expanding federal criminal law will indeed deter rogue states or diffuse hacking groups trolling the Internet for security vulnerabilities. The current White House proposals do not significantly assist law enforcement, or, for that matter, the private sector, in reaching conduct that is not already criminalized by existing language.
The recent Sony and Anthem hacking events easily violated multiple federal and state laws. Therefore, the emphasis upon broader criminalization — while applauded by many in political circles — still falls short of addressing the most important core issues: that corporations need to place greater resources into security and that the federal government, for its part, needs to provide guidance on “reasonable security precautions” to replace the current confusing matrix of separate state guidance. And, most critically, the federal government needs to provide a workable mechanism for systematic and protected information sharing between the public and private sectors.
With cyber threats emanating from all over the globe and by way of every potential mode of delivery, corporations and other sectors of the economic grid that handle and store data must engage in their own self-help, and place security at a higher priority than ease of use. It is unacceptable that Anthem, Inc., as the second largest insurer in the country, possessed records of more than 80 million Americans, and yet did not possess sufficient security to detect a breach of such epic proportions. This particular intrusion apparently began in April 2014 and was only discovered on January 27, 2015, when an employee manually discovered his credentials were being misused.
Despite having made it known prior to the breach that it had a “state-of-the-art security system to protect your data,” Anthem has since admitted it did not encrypt Social Security numbers and birth dates—two pieces of information that are money in the bank to identity thieves.
If anything is to be gained from these “teachable moments,” it is that companies need to reassess, redefine and harden what reasonable base security standards look like. Indeed, the private sector needs to be an active participant in the debate on national standards. If companies fail to act on their own behalf, they are likely to expose themselves to national standards that will impact their business model in potentially expensive and negative ways.
The Department of Defense and General Services Administration have already recommended the institution of baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions, leading some to suggest the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework released in February 2014 should become mandatory for government contractors.
The Department of Defense described the NIST standards as the “absolute minimum level of standards” from a cloud perspective for securing its systems. And, since release of the framework, the Department of Homeland Security and other federal agencies have worked to raise awareness of the framework and to facilitate its voluntary use. However, headlines about major corporate cyber attacks underscore the fact that existing cybersecurity efforts are clearly not enough.
Key federal government contractors KeyPoint Government Solutions and USIS became the victims of major cyberattacks in 2014. Federal agencies like the US Postal Service and government websites including Healthcare.gov — and even the network in the executive office of the President itself — all have been hacked.
Additionally, Congress desperately needs to enact smart protection from liability for companies that proactively share information with the government. This protection must balance consumer privacy and civil liberties. Recent (and controversial) attempts at information sharing legislation have either stalled or failed in the Senate. The White House recently attempted to make strides at coordinated information sharing when it issued a February 13, 2015, Executive Order encouraging the development and formation of “Information Sharing and Analysis Organizations (ISAOs).” However, the executive order was noticeably silent on the issue of liability. And until the liability pitfall is addressed, the success of any ISAO or similar effort will be severely limited.
It is also essential that policymakers and others engaged in this dialogue appreciate and consider the global nature and potential ramifications of information sharing. This is not a debate which will take place only in the United States Congress. It will also be debated in Brussels at the European Union (EU) headquarters. For example, in late October 2014, the German Federal Court of Justice referred the question of whether an IP address constitutes “personal data” under the EU Data Protection Directive 95/46/EC to the European Court of Justice.
This issue could have serious implications for a global information sharing framework wherein the recording of “personal data” may be strictly limited. For example, under current German law, personal data may only be stored with a user’s consent or for billing purposes. Theoretically, the solutions for limiting liability for information sharing should be discussed on a global, not merely domestic, scale.
Some companies have already been forced to make large-scale strategic business decisions to deal with policies which dramatically affect their business model. Many of these policies have been adopted without input from key global companies. For example, last year Russia adopted a “Localization Law” that requires companies to store the personal data of Russian citizens in databases physically located in Russia. It currently remains unclear whether or not the law limits the cross-border transfer of personal data from Russia to foreign jurisdictions, but many companies, including Google, Adobe and Skype, have closed their Russian offices or relocated employees in the wake of the law.
The world economy would be wise to pay attention and take action — in 2014, the Center for Strategic International Studies, on behalf of McAfee and with the help of a team of economists and intellectual property experts, issued a report estimating the global cost of cyber crime to top $400 billion. The cost to the US economy alone equaled approximately $100.4 billion, or 0.64 percent of the US gross domestic product.
Policymakers additionally need to recognize the limits of criminalization, in that cybercriminals often hack for reasons other than financial gain, including political, social and religious reasons. This breed of cyberterrorist will not be deterred by the risk of a felony conviction and the prospect of decades behind bars.
Moreover, these same individuals often have no assets to be seized to compensate victims, meaning that an ounce of prevention is better than a pound of criminalization when it comes to cybercrime.
Michael Zweiback is a former Chief of the United States Attorney’s Office Cyber and Intellectual Property Crime Section and a principal advisor to the US Attorney General’s Advisory Committee on Cyber Crime. Currently a partner in Arent Fox LLP’s complex litigation, white collar and data privacy groups, his experience includes civil litigation and international proceedings in which privacy/data security issues are prominent, as well as litigation involving the theft of trade secrets, intellectual property disputes, national security, technology and complex commercial disputes.
Kelly Kress is an associate in Arent Fox’s complex litigation, white collar and investigations practice groups.