The Issue

No threat facing America has grown as fast or in a manner as difficult to understand as has cybersecurity. The media vacillate between claiming that the threat is nothing but hype and panicked cries that the digital sky is falling. Neither position is correct.

President Bush took strong steps to improve the overall security of the nation’s networks, and it seemed that President Obama was following suit. Securing cyberspace was a very early priority for the Obama Administration, which was wise enough to use former Bush appointees to set the tone and maintain some continuity, but the initial flurry of activity was not followed up in a consistent and effective manner.

There have been several legislative fights over cyber bills. They have been characterized repeatedly as partisan battles that have left America exposed to a growing variety of cyber threats, but this is a very inaccurate and self-serving view. In fact, every cyber bill that has been introduced has had bipartisan support as well as bipartisan opposition. The fight is not over a need for appropriate cyber legislation; it is over how one defines “appropriate.”

The main point of contention is the degree to which federal regulatory powers should play a role in cybersecurity. Many seem to think reflexively that this 19th-century solution is the answer. Those with a little more understanding of the dynamic and fast-moving nature of cybersecurity see regulation as far too slow and clumsy to be of any benefit and recognize that it might actually hinder security by building a culture of mere compliance with regulations and a false sense of security against enemies who are agile, motivated, and clever.

Russia is the most sophisticated cyber threat, with China as a close second. China also has a strong desire to jump-start its economic efforts by rampant theft of commercial intellectual property. This fact is common fodder for the news media but is actually a greater problem than the news illustrates. Iran and North Korea are much less sophisticated than the two giants, but what they lack in expertise they make up for in malice. For example, the 2012 “Shamoon” virus unleashed upon the Saudi ARAMCO oil production company was a brute-force attack that destroyed 30,000 computers, and the recent cybersecurity breach of the Office of Personnel Management, a campaign believed to be undertaken by the Chinese government, resulted in compromised information of approximately 4 million federal employees. Attacks such as these have shown the U.S. that countries like China have the capabilities to inflict serious damage. North Korea has also used high-profile cyberattacks against the U.S., with the most notable being the one launched against Sony Pictures Entertainment, allegedly over a movie depicting North Korea in a negative light. The hackers took terabytes of private data and released confidential information to the public, including five Sony movies.

To address this growing threat, the U.S. should leverage the forces of the market, motivating the private sector to make the sort of continual and dynamic investment needed to really secure our diverse networks. Heritage Foundation analysts have developed steps to do this that should be taken legislatively to begin the process of improvement that is so badly needed.


At the time of this writing, the House and the Senate had passed largely beneficial cybersecurity information-sharing legislation. In their current forms, they are a good step in the right direction in terms of affirmatively giving public and private organizations the ability to share information and providing clear liability protection for such sharing. Now there are other things that the U.S. should focus their attention on. Congress should pursue a cybersecurity policy that avoids a cumbersome and expensive regulatory approach and includes six key elements that will produce truly dynamic cybersecurity defenses. Such an approach should:

Undertake Stronger International Cybersecurity Engagement. If the U.S. is to take a more active role in combatting cybercrime and espionage, then a more comprehensive set of policies are needed. With allies and friends, the U.S must continue and increase cooperation and coordination. The U.S. should lead international efforts to “name and shame” nations that use cyberspace for malicious purposes, either against other nations or their own people. Regrettably, after some movement toward this policy, the Obama Administration recently went in the wrong direction by striking an agreement with China to stop economic cyber-espionage. The Chinese, however, had no intention of abiding by this agreement as they have a dramatically different view of cyberspace and warfare. For them, their cyber operations are just parts of their larger warfare strategy during peacetime. Furthermore, they have already broken their word, yet more proof that this agreement will do nothing to keep the U.S. safe in cyberspace. The U.S. must respond to aggressive cyber campaigns by other nations by causing those nations to feel diplomatic and economic pain to deter cyber-aggression. Large-scale, state-sponsored cyber-espionage must be deterred by making the cost to bad actors unacceptably large or frustrating. The U.S. response should include ceasing naive cooperation, curtailing visas for guilty parties, and subjecting those with stolen information and intellectual property to criminal charges and other legal action. Furthermore, many bad cyber actors also maintain some form of control over the Internet in their country. The U.S. should explore ways to weaken these nations’ grip on the Internet in order to weaken their control of the populace. All of these efforts should be tied to the completion of a coherent national conversation concerning the entire array of cyberspace issues.

Allow and Encourage the Development of a Valid and Effective Cyber-Insurance Business. The first step is for the government to encourage the gradual development of liability standards as a result of common-law development and private-sector organizations. This is arguably the most difficult step, but if done with industry cooperation, it could hugely enhance security awareness and activities. As cybersecurity risks and liabilities are better understood, cybersecurity insurers could take the lead in developing “actuary tables” from which they could sell insurance on a risk-based model: The better a company’s security, the less it pays in premiums. These market-driven solutions would push the private sector to invest in appropriate levels of cybersecurity without the threat of outdated and onerous government regulations.

Protect the Cyber-Supply Chain. Given that the components of computers, tablets, smartphones, and pretty much everything else are made all over the world (many of them in countries that pose a cyberthreat like China), this is a crucial step. A non-government organization needs to be established to evaluate supply-chain practices, operations, and security methods, and its evaluations should be made public. It could “give grades” to a tech company’s supply-chain operation, much as Underwriters Limited, the ubiquitous and nonprofit accreditor famous for its “UL” stickers on everything from toasters to computers, evaluates the safety of other products. If a company received a very high “grade,” it could charge more for its tech products. If a buyer wanted to economize, he could take a chance with less expensive but potentially less secure items. Customers would be able to make informed risk-based decisions, and many companies would have a profit motive to shore up their supply-chain practices.

Consider a Specified and Controlled Cyber Self-Defense Authority. Today, a company does not know what its rights to self-protection against hackers really entail. Who does a hacked company call—local police, the FBI? If it is attacked and has a strong tech capability, can it fight back? No one wants vigilantes rampaging about with no controls or parameters. To avoid that, any cyber legislation should establish basic rules for self-defense that are legitimate and well known.

Expand the Push for Real Awareness, Education, and Training. This effort was started by the Obama Administration, but thus far it is too little and too seldom. This effort must end both the ignorance and the hype. This has been given a lot of lip service, but there has been little effective action. Tell people the truth about cyber threats and give them the tools to play a role in protecting themselves, their homes, and their businesses. This must be a broad-based effort that reaches every community in America, at all levels. It must also be a regular part of training in every company and government entity. It should be done early, often, dynamically, and continuously.

Develop and Keep a Superb Cyber-Workforce. Cybersecurity affects everyone and everything we do in government, business, and the military. The U.S. needs to promote STEM (science, technology, engineering, and mathematics) education and adjust visa and certification practices to ensure that the best and brightest can use their skills to advance U.S. security. This effort should also update the security clearances process and use the pools of talent the U.S. already has in its military, businesses, and hacker communities. Any law should enable this effort and foster it by all possible means.

Facts and Figures

  • Targeted attacks on large organizations have continued to increase, with an estimated rise of 40 percent in 2014 from the year before, but small and medium-sized organizations still bear the brunt of the force by receiving 60 percent of all targeted attacks.
  • In 2012, 40 percent of all data breaches occurred due to intrusions by hackers, with 23 percent caused by accidental release and another 23 percent caused by theft or loss.
  • According to multiple cybersecurity firms, more than 317 million new pieces of malware were created in 2014. As the use of mobile devices such as smartphones continues to expand, cyber threats against these devices have also grown. From 2011 to 2012, the families of mobile malware increased by 58 percent, and the number of variants within each malware family increased by over 600 percent.
  • In 2014, it was reported by security firms that 17 percent of all Android apps were malware in disguise, and 36 percent of all mobile apps are grayware (inadvertently harmful).
  • As of July 2013, the Commission on the Theft of American Intellectual Property assessed that cybercrime and espionage by other countries account for U.S. companies losing $300 billion per year. Of this $300 billion, anywhere from 50 percent to 80 percent of those losses is attributed to China.
  • According to security firms, ransomware attacks, which restrict computer access until payment is made by the user, grew about 113 percent to 127 percent in 2014.

Selected Additional Resources

David S. Addington, “House Cybersecurity Legislation: A Small Step, but Flaws Need Correction,” Heritage Foundation Issue Brief No. 3913, April 16, 2013.

Steven P. Bucci, Paul Rosenzweig, and David Inserra, “A Congressional Guide: Seven Steps to U.S. Security, Prosperity, and Freedom in Cyberspace,” Heritage Foundation Backgrounder No. 2785, April 1, 2013.

Dean Cheng, “Chinese Cyber Attacks: Robust Response Needed,” Heritage Foundation Issue Brief No. 3861, February 23, 2013.

James L. Gattuso, “Ensuring Cybersecurity: More Red Tape Is Not the Answer,” Heritage Foundation Issue Brief No. 3626, June 5, 2012.

Kim R. Holmes, “Staying One Step Ahead of Cyberattacks,” Heritage Foundation Commentary, April 17, 2013.

Paul Rosenzweig, “Obama’s Cyber Executive Order: More Government Control of the Network,” Heritage Foundation Issue Brief No. 3777, November 15, 2012.

Paul Rosenzweig and David Inserra, “Government Cyber Failures Reveal Weaknesses of Regulatory Approach to Cybersecurity,” Heritage Foundation Issue Brief No. 3968, June 13, 2013.

Jessica Zuckerman and David Inserra, “Homeland Security Appropriations Need Different Priorities,” Heritage Foundation Issue Brief No. 3954, June 3, 2013.