- Cyber threats to U.S. security and prosperity are real, and the U.S. should act to combat these threats. This does not mean, however, doing just anything.
- Instead of a top-down regulatory approach to cybersecurity that will create a static culture of compliance, the U.S. should pursue true private–public cooperation that will encourage a dynamic culture of security.
- By encouraging information sharing, promoting a viable liability and insurance system, emphasizing the importance of a secure cyber supply chain, determining the bounds of cyber self-defense, and fostering cybersecurity awareness and education, the federal government can partner with the private sector to secure U.S. computer systems.
- The U.S. should also continue to advance its international cybersecurity efforts by building a coalition of like-minded nations to reject U.N. control of the Internet and respond to aggressive cyber nations through legal, economic, and diplomatic deterrents and penalties.
No threat facing America has grown as fast or in a manner as difficult to understand as has cybersecurity. The media vacillate between claiming that the threat is nothing but hype and panicked cries that the digital sky is falling. Neither position is correct.
President Bush took strong steps to improve the overall security of the nation’s networks, and it seemed that President Obama was following suit. Securing cyberspace was a very early priority for the Obama Administration, which was wise enough to use former Bush appointees to set the tone and maintain some continuity, but the initial flurry of activity was not followed up in a consistent and effective manner.
There have been several legislative fights over cyber bills. They have been characterized repeatedly as partisan battles that have left America exposed to a growing variety of cyber threats, but this is a very inaccurate and self-serving view. In fact, every cyber bill that has been introduced has had bipartisan support as well as bipartisan opposition. The fight is not over a need for appropriate cyber legislation; it is over how one defines “appropriate.”
The main point of contention is the degree to which federal regulatory powers should play a role in cybersecurity. Many seem to think reflexively that this 19th century solution is the answer. Those with a little more understanding of the dynamic and fast-moving nature of cybersecurity see regulation as far too slow and clumsy to be of any benefit and recognize that it might actually hinder security by building a culture of mere compliance with regulations and a false sense of security against enemies who are agile, motivated, and clever.
Russia is the most sophisticated cyber threat, with China close behind. China also has a strong desire to jump-start its economic efforts by rampant theft of commercial intellectual property. This fact is common fodder for the news media but is actually a greater problem than the news illustrates. Iran and North Korea are much less sophisticated than the two giants, but what they lack in expertise they make up for in malice. The recent “Shamoon” virus that was unleashed upon the Saudi ARAMCO oil production company was a brute-force attack that destroyed 30,000 computers. This shot across the bow told Saudi Arabia that Iran has the capabilities to do much more.
How can America address this growing threat? It must do so by leveraging the forces of the market, motivating the private sector to make the sort of continual and dynamic investment needed to really secure our diverse networks. The Heritage Foundation has developed steps to do this that should be taken legislatively to begin the process of improvement that is so badly needed.
- Pass cybersecurity laws that have the necessary components. Cybersecurity laws should promote information sharing; provide for cyber insurance; improve cyber supply chain security; establish a cyber right to self-defense; push public cyber hygiene; foster a better cyber workforce; and make valid international engagement a priority.
- Improve information sharing. Information sharing has been talked about as a key enabler, but little has been done to foster it effectively. The regulatory model would demand information sharing but in reality would hinder it. The U.S. should create conditions that encourage voluntary sharing and make it as safe and easy as possible. Those that share should be protected from lawsuits; this is a key element. There must also be a provision that exempts data shared with the government from being exposed by Freedom of Information Act requests. This protects proprietary information from further exploitation. Finally, the government should be made to push the information back out to other companies as fast as possible through a public–private partnership organization and in formats that allow effective use of the data.
- Allow and encourage the development of a valid and effective cyber insurance business. The first step is for the government to encourage the gradual development of liability standards as a result of common-law development and private-sector organizations. This is arguably the most difficult step, but if done with industry cooperation, it could hugely enhance security awareness and activities. As cybersecurity risks and liabilities are better understood, cybersecurity insurers could take the lead in developing “actuary tables” from which they could sell insurance on a risk-based model: The better your company’s security, the less you pay in premiums. These market-driven solutions would push the private sector to invest in appropriate levels of cybersecurity without the threat of out-of-date and onerous government regulations.
- Protect the cyber supply chain. Given that the components of computers, tablets, smartphones, and pretty much everything else are made all over the world (many of them in countries that pose a cyber threat like China), this is a crucial step. A non-government organization needs to be established to evaluate supply chain practices, operations, and security methods, and its evaluations should be made public. It could “give grades” to a tech company’s supply chain operation, much as Underwriters Limited, the ubiquitous and nonprofit accreditor famous for its “UL” stickers on everything from toasters to computers, evaluates the safety of other products. If a company received a very high “grade,” it could charge more for its tech products. If a buyer wanted to economize, he could take a chance with less expensive but potentially less secure items. Customers would be able to make informed risk-based decisions, and many companies would have a profit motive to shore up their supply chain practices.
- Consider a specified and controlled cyber self-defense authority. Today, a company does not know what its rights to self-protection against hackers really entail. Who does a hacked company call—local police, the FBI? If it is attacked and has a strong tech capability, can it fight back? No one wants vigilantes rampaging about with no controls or parameters. To avoid that, any cyber legislation should establish basic rules for self-defense that are legitimate and well known.
- Expand the push for real awareness, education, and training. This effort was started by the Obama Administration, but thus far it is too little and too seldom. This effort must end both the ignorance and the hype. This has been given a lot of lip service, but there has been little effective action. Tell people the truth about cyber threats and give them the tools to play a role in protecting themselves, their homes, and their businesses. This must be a broad-based effort that reaches every community in America, at all levels. It must also be a regular part of training in every company and government entity. It should be done early, often, dynamically, and continuously.
- Develop and keep a superb cyber workforce. Cybersecurity affects everyone and everything we do in government, business, and the military. The U.S. needs to promote STEM (science, technology, engineering, and mathematics) education and adjust visa and certification practices to ensure that the best and brightest can use their skills to advance U.S. security. This effort should also update the security clearances process and use the pools of talent the U.S. already has in its military, businesses, and hacker communities. Any law should enable this effort and foster it by all possible means.
- Undertake stronger international cybersecurity engagement. This is not a call for cyber-arms control, but a requirement to ensure that the view of the Internet seen and pursued by authoritarian or radical regimes such as Russia, China, and Iran is not the vision that prevails. The U.S. should work with other freedom-loving nations to fight U.N. administration of the Internet and work to shame and punish malicious cyber nations.
Facts & Figures
- The private sector controls 80 percent–90 percent of cyber-relevant critical infrastructure in the United States.
- While targeted attacks on large organizations continue to increase, targeted attacks on small companies are increasing even faster, with targeted attacks on companies smaller than 250 employees increasing from 18 percent of all attacks in 2011 to 31 percent of all attacks in 2012.
- In 2012, 40 percent of all data breaches occurred due to intrusions by hackers, with 23 percent caused by accidental release and another 23 percent caused by theft or loss.
- According to multiple cybersecurity firms, between 100,000 and 200,000 versions of new malware were found every day in 2012.1
- As the use of mobile devices such as smartphones continues to expand, cyber threats against these devices have also grown. From 2011 to 2012, the families of mobile malware increased by 58 percent, and the number of variants within each malware family increased by over 600 percent.
- As of July 2013, the Commission on the Theft of American Intellectual Property assessed that cybercrime and espionage by other countries account for U.S. companies losing $300 billion per year. Of this $300 billion, anywhere from 50 percent–80 percent of those losses is attributed to China.2
- “Infographic: The State of Malware 2013,” McAfee, April 1, 2013, http://www.mcafee.com/us/security-awareness/articles/state-of-malware-2013.aspx (accessed September 30, 2013); AV-Test, Malware Statistics, 1994 to 2013, http://www.av-test.org/en/statistics/malware/ (accessed September 30, 2013); “2012 by the numbers: Kaspersky Lab now detects 200,000 new malicious programs every day,” Kaspersky Lab, December 10, 2012, http://www.kaspersky.com/about/news/virus/2012/2012_by_the_numbers_Kaspersky_Lab_now_detects_200000_new_malicious_programs_every_day (accessed September 30, 2013).
- Kenneth Corbin, “Economic Impact of Cyber Espionage and IP Theft Hits U.S. Businesses Hard,” CIO.com, July 10, 2013, http://www.cio.com/article/736132/Economic_Impact_of_Cyber_Espionage_and_IP_Theft_Hits_U.S._Businesses_Hard (accessed December 2, 2013).
Selected Additional Resources
- David S. Addington, “House Cybersecurity Legislation: A Small Step, but Flaws Need Correction,” Heritage Foundation Issue Brief No. 3913, April 16, 2013, http://www.heritage.org/research/reports/2013/04/cybersecurity-legislation-cyber-intelligence-sharing-and-protection-act.
- Steven P. Bucci, Paul Rosenzweig, and David Inserra, “A Congressional Guide: Seven Steps to U.S. Security, Prosperity, and Freedom in Cyberspace,” Heritage Foundation Backgrounder No. 2785, April 1, 2013, http://www.heritage.org/research/reports/2013/04/a-congressional-guide-seven-steps-to-us-security-prosperity-and-freedom-in-cyberspace.
- Dean Cheng, “Chinese Cyber Attacks: Robust Response Needed,” Heritage Foundation Issue Brief No. 3861, February 23, 2013, http://www.heritage.org/research/reports/2013/02/chinese-cyber-attacks-robust-response-needed.
- James L. Gattuso, “Ensuring Cybersecurity: More Red Tape Is Not the Answer,” Heritage Foundation Issue Brief No. 3626, June 5, 2012, http://www.heritage.org/research/reports/2012/06/cybersecurity-and-red-tape-more-regulations-not-the-answer.
- Kim R. Holmes, “Staying One Step Ahead of Cyberattacks,” Heritage Foundation Commentary, April 17, 2013, http://www.heritage.org/research/commentary/2013/4/staying-one-step-ahead-of-cyberattacks.
- Paul Rosenzweig, “Obama’s Cyber Executive Order: More Government Control of the Network,” Heritage Foundation Issue Brief No. 3777, November 15, 2012, http://www.heritage.org/research/reports/2012/11/cybersecurity-draft-executive-order-pushes-for-more-government-control.
- Paul Rosenzweig and David Inserra, “Government Cyber Failures Reveal Weaknesses of Regulatory Approach to Cybersecurity,” Heritage Foundation Issue Brief No. 3968, June 13, 2013, http://www.heritage.org/research/reports/2013/06/weaknesses-of-a-regulatory-approach-to-cybersecurity.
- Jessica Zuckerman and David Inserra, “Homeland Security Appropriations Need Different Priorities,” Heritage Foundation Issue Brief No. 3954, June 3, 2013, http://www.heritage.org/research/reports/2013/06/homeland-security-budget-appropriations-need-different-priorities.
Heritage Experts on Cybersecurity
Director, Douglas and Sarah Allison Center for Foreign Policy Studies
James Jay Carafano, PhD
Vice President, Foreign and Defense Policy Studies