Criminals don't follow the law
Alex Heid, chief research officer at SecurityScorecard, a New York-based firm whose mission is to empower organizations with collaborative security intelligence, says legislators should focus less on outlawing specific cyber activities and devote more attention to defining the intentions of the individual.
Attempts to prevent hacking primarily through legislation tend to overlook the fact that criminals, by definition, do not follow the law. As a result, legislative developments affect researchers and security professionals more than the intended targets, says Heid.
This point would be easy to dismiss. Governments, of course, are tasked with creating laws to advance the well-being of the societies they serve, and abandoning that task would lead to anarchy. And yet legislation – especially edicts that penalize hackers – is one of the least effective tools in the struggle for information security.
That is because the most profound attacks are often executed by offshore actors and nation-state-sponsored hackers, especially from countries that do not have extradition treaties with the U.S.
For a sense of the scope of the problem, last year the U.S. Senate Armed Services Committee released a report detailing the successes of Chinese hackers who penetrated the networks of some 50 government contractors and stole sensitive information. The report, “Inquiry into Cyber Intrusions Affecting U.S. Transportation Command Contractors,” showed that the U.S. Transportation Command (TRANSCOM) – which provides air, land and sea transportation for the Department of Defense – had been made aware of only two of the breaches.
Further, it takes an enormous amount of resources to catch a cybercriminal. When prosecutors do achieve a conviction, the convicted “hacker” is often a low-level miscreant, not the well-organized hacking group that authorities would have preferred to catch.
For example, Matthew Keys, a former Reuters journalist, provided login information to the hacktivist group Anonymous that enabled it to break into the website of the Los Angeles Times and alter a story. Keys seemed to harbor a grudge against the parent company of the former employer that had fired him months earlier, a company that also owned the Times.
Certainly, he possessed few or none of the coding skills one typically associates with hackers. Nevertheless, he was convicted of conspiracy to make unauthorized changes to the website, transmitting malicious code and attempted transmission of malicious code. Meanwhile, the hacker who actually used the login information Keys provided to alter the Times' website – a hacker who goes by “Sharpie” – was not prosecuted.
The limitations of legislation are clear. But what are the alternatives? To start, realigning incentives is an approach that has been underused for too long, experts say. Underfunded and understaffed information security professionals face constant resistance from C-suite management reluctant to invest in the necessary tools. How might this dynamic change if corporations were pushed by the specter of civil liability to strengthen their information security efforts?
Ekeland believes it should be a felony to store personally identifying information that is not password protected, but one need not go that far to expect a shift in the dynamic. Currently, corporate boards have little incentive, other than reputational factors, to invest heavily in much-needed information security solutions.
In November, Moody's announced plans to weigh cyber risks as part of corporate credit ratings. Mike Buratowski, VP of cybersecurity services at Fidelis Cybersecurity, a Boston-based firm that equips organizations to detect, investigate and stop advanced cyberattacks, says the decision is another factor that will incentivize boards of directors to invest in cybersecurity. “They are trying to meet that nebulous web of cybersecurity due diligence – and it's hard to quantify,” he says.
Might this eventually be followed by efforts from regulatory agencies to enforce cyber best practices? The tech sector has been intentionally under-regulated, in part because it has been a chief driver of the U.S. economy. “No one wants to be blamed for hampering innovation,” says Karl Rauscher, strategic advisory board chairman at Sonavation, a Palm Beach Gardens, Fla.-based company that designs and manufactures tools for secure authentication, including biometric fingerprint sensors. He is also chief architect of cyberspace policy at the Institute of Electrical and Electronics Engineers (IEEE).
Just as a focus on punitive legislation has its limitations, regulatory requirements alone will not solve cyber problems. Through cooperation, Rauscher says, people can create solutions to the problems that people create.
“I think the key is in the people,” he says.