Hacking and eavesdropping into a technological or telephonic network surreptitiously is a crime in accordance with provisions set forth within 18 USC 1030 and 2511.
Consider this: Would you expect to be arrested if you were the victim of being robbed in a dark alley? The rationale for your arrest being that:
- You should not have been in the alley in the first place, and
- You should have armed yourself with a weapon in order to have prevented the mugging.
The obvious answer to this ludicrous question should be: of course not. It is just as ridiculous to hold a corporation or an employee responsible for its technological network being hacked into unless they were in fact involved with the infraction. I am not suggesting that as trusted agents and corporate stewards that we not take prudent measures or employ industry best practices in order to safeguard our networks. However, I am recommending we develop a paradigm shift in the way that we view data breaches. In most cases, there is absolutely no way possible to prevent a crime, cyber or otherwise, unless you have foreknowledge that the crime is about to be committed. The countervailing idea or thought is the creation of Hollywood fiction along the lines of movies such as Minority Report.
Develop a collaborative network of law enforcement agents...
Domestic and international law have not kept pace with the ever-growing epidemic of cybercrime throughout the world. In most cases, cybercriminals are never brought to justice by law enforcement agencies, thus leaving the public with the idea that it is impossible to do so. This trend must stop. The legal system and law enforcement agencies at all levels must be equally equipped to accost and successfully prosecute those that are guilty of breaking into the networks of others without their expressed permission. Enemies of our state, such as North Korea, make no secret of their commitment to cyberwar – to the extent that it has operationalized its activities within their military forces. The U.S. is currently trying to address this disturbing trend via the expansion of the Department of Homeland Security's cybersecurity division in Utah. But, we lag far behind our enemies in our efforts.
What can be done in order to aggressively address this issue? Firing the CEO, CIO or CISO after a data breach is not an effective method of solving the problem in and of itself. In fact, some enterprises that resort to such strategies experience recurring incidents after their terminations. Government organizations and non-government organizations must take a pragmatic approach to addressing the issue.
U.S. government – Strengthen/develop international laws with respect to what constitutes a violation of a state's sovereignty relative to cybercriminals and actions that can be executed when such breaches of sovereignty are violated. Additionally, strengthen relationships within the League of Nations as to prevent safe harbor of cybercriminals wherever they reside.
Law enforcement agencies at all levels – Become more technologically savvied, astute, and competent. Develop a collaborative network of law enforcement agents both locally and internationally with the sole mission of bringing cybercriminals to justice.
Corporations and leadership – Take ownership for safeguarding and hardening your network infrastructure beginning with securing the human at all levels, especially top-tier leadership, by providing them with information security awareness and training. Investment in a state of the art enterprise encryption solution with multifactor authentication is a must.
In the final analysis, all parties concerned must stop blaming the victim with respect to cybersecurity crimes launched against them. The blame should always rest squarely on the shoulders of the transgressor and not the victim. The matter of information security is everyone's business.
Zachery S. Mitcham is CISO at the University of North Carolina Wilmington. The opinions expressed in this article do not represent the opinions and beliefs held by UNC Wilmington.