Csec 620 Individual Assignment 1

Submitted By simmonsax
IA#1 Cybercrime Law, Regulation, Effects on Innovation
John Doe
CSEC 620 Section 9022
Note: This paper was submitted through originality check websites.

Table of Contents

1. Introduction
2. Private Industry & Regulations
3. National Security Concerns
4. Methods
5. Impacts of Government Regulation
6. Compliance
7. Responsibility
8. The Real World
9. Conclusion
References

1. Introduction
Cybersecurity and cybersecurity initiatives are commonplace in all aspects of our digital lives. Personal computers are still widely used, especially in the workplace, but mobile devices seem to be the preferred computing choice of the average person. This would include, but not be limited to, smartphones, tablets, and laptops, to name a few. Mobile devices have changed the digital landscape in a manner that could not have been predicted. This is because, other than work- or school-related activities, most personal computers were used to play a few games, check email, and browse the internet. These activities eventually transitioned over to the aforementioned mobile devices. Now we mix in social media, and a whole new digital cyber-world has emerged. Talk about getting your head out of the clouds. We live in the cloud, literally and figuratively.
What does this mean to the average consumer? Perhaps not much. Most people who operate in the digital world probably could not care less about the underpinnings of cyberspace and the digital devices that we use from the time we wake up in the morning until we go to sleep at night. As with many other aspects of our lives here in the U.S., there needs to be something in place to try and protect our citizens from the pitfalls that await them through the use of these devices. There is a reason for government intervention in many cases. We citizens need certain protections to ensure our safety. Regulations put in place to thwart cybercrimes are just as important given the terrible consequences that could result. With that said, this may seem like a personal issue. However, given the threat potential that data breaches carry, this could evolve from a simple personal issue to a national security issue.

2. Private Industry & Regulations
There is a large percentage of our population that feels that our government is too involved in regulating our lives. There is likely an equally large percentage of our population that feels just the opposite. Is our government justified in its efforts to dictate to private industry the methods by which they choose to set up, maintain, and/or improve their cybersecurity? That answer is two-fold. The private industry entities that provide products and services for the federal government and/or public use in this country need to face at least some regulations. This is especially true for those industries that service national security, our critical infrastructures, the military, and perhaps those that have access to our personal and/or financial data. The private industry entities that do not fall under this category probably should not be bound to such regulations. “Recent trends of globalization, outsourcing, offshoring, and cloud computing, have changed the structure of organizations and their cyberspace” (Asllani, White, & Ettkin, 2013). This is why it is essential to have laws and regulations in place to protect organizations and their digital assets. A compromise in the confidentiality, integrity, and availability of these organizations and their systems could lead to a number of different problems for the general public, and even lead to potential national security issues.

3. National Security Concerns
Putting our nation’s national security at risk is unacceptable. Therefore, the products and services that the federal government procures from private corporations have to follow certain guidelines to ensure that they are relatively safe to use. Adherence to NIST (National Institute of Standards & Technology) standards is mandatory for federal organizations. NIST is “a non-regulatory agency of the Department of Commerce, to develop a cybersecurity framework to help regulators and industry participants identify and mitigate cyber risks that potentially could affect national and economic security” (Lei, 2014). Laws have to be in place to ensure that the products and services that the government procures meet these standards. Without such regulations, we run the serious risk of acquiring products and services from companies that put profit over quality. If the bottom line becomes the top priority of a company then the quality and integrity of the product or service can come into question. This is especially true as it relates to national security and cybersecurity. Any compromise to the integrity of our classified information and networks puts everyone at risk. We honestly cannot control what types of information are collected on us by intelligence agencies, although many would argue that we should. How and why that information is collected and used is often considered a matter of national security. These discretionary actions by the three letter agencies (NSA, FBI, CIA, etc.) are supposedly needed to protect us, although I’m sure Edward Snowden would argue to the contrary. I would contend that when it comes to cybersecurity and national security, there may not be any other choice. We have to decide what cost we are willing to pay for this extra blanket of protection. I believe the next great wars will be fought in cyberspace.
With that in mind, I believe that private industry will need to be an active participant in the products and services that are used to protect us. For this reason I cannot see how to avoid government intervention into the private sector as it relates to cybersecurity.

4. Methods
The debate as to which methods the government uses to ensure regulation of private industry products and services is an extensive one. There are already a number of heated exchanges regarding government intervention and regulation of the internet, for example. An article in the Information & Communications Technology Law journal appropriately refers to the internet as a “network of networks” (King, 2004). The internet essentially provides interconnectivity between organizations which can inadvertently expose their information and assets to the cyber-world. Since organizations operate in both public and private spaces, some regulation is necessary to ensure that they operate at a standard that protects and safeguards data that they access. There are different data security laws on the books to do just that. Financial institutions, for example, have to follow data security regulations set forth by the Gramm-Leach-Bliley Act (GLBA). This act was named after its co-sponsors Sen. Phil Gramm, a Republican from Texas, Rep. Jim Leach, a Republican from Iowa, and Rep. Thomas J. Bliley, Jr., a Republican from Virginia. Private financial institutions are therefore forced to adhere to laws and regulations to protect their customers and their assets. One cannot expect these financial institutions, many of which have not always operated in the most ethical manner, to police themselves. Without some level of government intervention, these institutions could essentially avoid responsibility for securing and protecting the information and assets of their customers. The same issues exist in the cyber-world. Many cybercriminals target consumers and their financial institutions to attempt to steal their money. Without data security regulations in place, these institutions would have the ability to operate independently of any specific framework or guidelines. There is also the proposed Cyber Intelligence Sharing and Protection Act (CISPA).
This act would support the voluntary act of sharing information between private industry and government. It would also provide “liability protections for companies engaged in such information sharing” (Dennis & Goldman, 2013). Regulations that should help improve security and protection of data are supported by both sides of the aisle in Congress. The problem is that when we get past the basic premise that these proposed laws represent, the additional provisions seem to be the source of opposition between the two major political parties. CISPA is a good example given that it passed in the House, which held a Republican majority, but not the Senate, which was dominated by Democrats at the time. The part of the legislation that was most likely the sticking point was the liability protection that both sides would not agree on. Unfortunately, this is the reality that we face with opposing views on regulation, privatization, and government intervention.

5. Impacts of Government Regulation
The impacts and effects of government regulation being implemented by private industry are debatable. However, I would argue that these regulations help since they would provide government oversight to help deal with cyber-threats. Companies like General Dynamics, Lockheed Martin, and Northrop Grumman, to name a few, have government regulations that they have to adhere to in order to do business with our government. Since the public sector and defense industries are their bread and butter, they have to adapt to such regulations. This is important since actions by cyber-criminals can precede physical attacks on critical infrastructures, systems, and people. Monitoring terrorist recruitment activities in cyberspace is a good example of the effects of regulated cooperation between private industry and the government. This example also has global implications given that the internet and cyberspace are entities that span the globe. Cybersecurity regulations, best practices, and monitoring all have international implications as well. Thankfully, no large scale acts of terrorism have succeeded in the United States since the September 11th attacks back in 2001. We have seen a number of cyber-attacks on private and public systems, but none that have resulted in a major disaster.
One could also argue that we have been lucky in a sense. Considering that there are some regulations in place by the federal government that the private industry must adhere to, there are several seemingly good cybersecurity bills that never manage to get passed. This in my opinion has more to do with bipartisan politics than what is good for the country. I say this because one side of the aisle favors privatization and the other side favors government intervention. A happy medium would suffice, but does not seem to be much of an option. The Cybersecurity Act of 2010, The Protecting Cyberspace as a National Asset Act of 2010, International Cybercrime Reporting and Cooperation Act, and The Cybersecurity Act of 2012 are all examples of legislation that failed to pass, but all proposed good viable options that could not seem to traverse the bipartisan barrier of U.S. politics (Boulee et al., 2013).

6. Compliance
Failure to comply with cyber regulations could have major negative or deadly consequences. Also, these regulations are not always dictated by the federal government. With internet governance for example, in 2009 the U.S. “agreed to transfer some authority to advisory committees made up of government officials and private-sector representatives from around the world” (Shackelford & Craig, 2014). These collaborative methods should keep both private sector and public sector organizations mutually engaged in the legislative process.
Exceeding the minimum standards and requirements of cyber regulations should always be the intent. Cost-cutting measures are not justified when it comes to implementation of such policies. Cybercriminals are usually a step ahead as it is, so not maximizing the efforts to secure our cyberspace could lead to far reaching negative consequences. As a matter of fact, many cybercriminals bank on the fact that some organizations both public and private may try to trim costs from their computer security budgets. This only increases the probability of a cyber-attack. This could also serve as an example of how not to actually save a dime if your organization becomes the victim of a cyber-attack that could have been prevented by simply aiming to exceed the minimum cybersecurity standards and requirements. “Spam, phishing, and computer viruses are becoming multibillion-dollar problems” (Goodrich & Tamassia, 2011). Depending on what your organizational function and objectives are, the financial implications of these types of attacks could go a long way towards the ultimate failure of your operations or business.

7. Responsibility
The responsibility to protect national security should fall into the hands of our federal government. However, both the federal government and private industry have an obligation to operate in a manner that protects the information and assets of our nation. This includes not only corporate or public assets and information, but also the assets and information about our citizens. Private industry’s role in protecting national security is an important one, but since regulation of private industry has limits, the ultimate responsibility needs to fall on our federal government. Despite the limited federal regulations by which private industry is currently bound, there are a few very important pieces of legislation that provide important protections and accountability requirements that must be adhered to. The Sarbanes-Oxley Act of 2002 (SOX) requires that corporate management “assess the effectiveness of internal control measures, including cybersecurity” (Rishikof & Lunda, 2011) by ensuring accountability, protection, and safeguarding of financial resources and assets. Violation of this act can result in government and criminal sanctions. For private corporations that deal with healthcare industries, the Health Insurance Portability and Accountability Act of 1996 provides similar protections when it comes to safeguarding health related information that is transmitted electronically. Also, as mentioned earlier, the Gramm-Leach-Bliley Act of 1999 (GLBA) enforces and regulates data security requirements to protect financial information. Despite all of these different laws and regulations, again private corporations still have additional levels of responsibility when it comes to cybersecurity and the protection of both public and private information and assets.

8. The Real World
There are a number of large corporations that are allowed to operate with limited regulations when it comes to cybersecurity and data protection. Large retailers, for example, have the means to adequately protect consumer data and PII (Personally Identifiable Information). However, many until recently sort of had a lackadaisical approach to cybersecurity. It was only after large-scale data breaches that exploited millions of customers’ personal and credit card information that they bothered to take more precautionary measures. The problem is that the damage was already done.
In a report in the Internal Auditor journal it was stated that in 2014 alone “thieves have targeted customer data at eBay, Home Depot, Neiman Marcus, and Target” (Pyzik, 2014). This would account for millions of customers’ personal and credit card information. Given the level of financial ruin that identity theft can cause, more regulation under these circumstances is needed, and I would not leave it up to these large corporations to decide how and when to put such regulations into effect. I would make it mandatory, so the only way to achieve that goal is to put it into law.

9. Summary and Conclusion
Cybersecurity laws and regulations are a good thing. Mitigating risks that put our national security and personal information in jeopardy is a good thing. Forcing private industry to adhere to rules and regulations that protect such information is a good thing. Putting the needs of the public before profits and politics is a great thing. Former President George W. Bush launched the Comprehensive National Cybersecurity Initiative (CNCI) in 2008 to put in place initiatives that would protect our country from both physical and cyber-threats. President Obama has taken this and added parts of it to an evolving “broader, updated national U.S. cybersecurity strategy” (“The Comprehensive National Cybersecurity Initiative”, n.d.).
Some will still debate the viability of government intervention and regulations of private sector entities, especially those who do business with the government. Regulations should not just be limited to these particular private companies and organizations. All private industry entities that have access to people’s personal, health, and financial information need a system of checks and balances in place to ensure that they properly handle and safeguard this information. The only way to achieve that objective is to have our federal government intervene.

References
Asllani, A., White, C. S., & Ettkin, L. (2013). Viewing cybersecurity as a public good: the role of governments, businesses, and individuals. Journal of Legal, Ethical & Regulatory Issues, 16(1), 7-14.

Lei, S. (2014). The NIST Cybersecurity Framework: Overview and Potential Impacts. Journal of Internet Law, 18(6), 3-6.

King, I. (2004). Internationalizing Internet Governance: Does ICANN Have a Role to Play?. Information & Communications Technology Law, 13(3), 243-258. doi:10.1080/1360083042000296277

Dennis, C. M., & Goldman, D. A. (2013). Data Security Laws and the Cybersecurity Debate. (cover story). Journal of Internet Law, 17(2), 1-11.

Boulee, J., Davis, W., Kantner, R., McDonald, K., Metcalf, J., & Paez, M. (2013, July 26). The cybersecurity debate: Voluntary versus mandatory cooperation between the private sector and the federal government | Lexology. Retrieved May 29, 2015, from http://www.lexology.com/library/detail.aspx?g=70a72c39-3168-45c3-9da6-5c4baadaf94b

Shackelford, S. J., & Craig, A. N. (2014). Beyond The New "Digital Divide": Analyzing the Evolving Role of National Governments in Internet Governance and Enhancing Cybersecurity. Stanford Journal of International Law, 50(1), 119-184.

Goodrich, M., & Tamassia, R. (2011). Introduction. In Introduction to computer security (p. 3). Boston, Massachusetts: Pearson.

Rishikof, H., & Lunda, K. E. (2011). Corporate Responsibility in Cybersecurity. Georgetown Journal of International Affairs, 12(1), 17-24.

Pyzik, K. (2014). Safeguarding Customer Data. Internal Auditor, 71(5), 22-23.

The Comprehensive National Cybersecurity Initiative. (n.d.). Retrieved May 26, 2015, from https://www.whitehouse.gov/sites/default/files/cybersecurity.pdf
