No threat facing America has grown as fast, or in a manner as difficult to understand, as the danger from cyberattacks. While the cyber threats to U.S. interests are real, the digital sky is not falling. As such, the U.S. must do more to secure its networks—but first, it must do no harm.
While prior Administrations have taken some steps to improve the overall security of the nation’s networks, it has not been enough. Add to this the constantly changing threats and vulnerabilities in the cyber domain, and the U.S. remains unprepared.
There have been several legislative fights over cyber bills. While some have characterized these as partisan battles that have left America exposed to a growing variety of cyber threats, this is not generally true. Many cyber bills have had bipartisan support as well as bipartisan opposition. The fight is not over a need for appropriate cyber legislation; the fight is over how to define “appropriate.”
One of the main points of contention is the degree to which federal regulatory powers should play a role in cybersecurity. Many seem to think reflexively that this 19th-century solution is the answer. Those with a little more understanding of the dynamic and fast-moving nature of cyber threats see regulation as far too slow and clumsy, and recognize that it might actually hinder security by building a culture of mere compliance with regulations and a false sense of security against enemies who are agile, motivated, and clever.
In terms of the threats the U.S. faces, nation-state hackers are the most serious. Russia presents the most sophisticated cyber threat, with China as a close second. The U.S. has implicated Russia in efforts to hack U.S. political entities such as the Democratic National Committee. Russian hackers are also believed to be behind multiple cyberattacks that took down portions of Ukraine’s electric grid.
China has a strong desire to jump-start its economic efforts by rampant theft of commercial intellectual property. The cybersecurity breach of the Office of Personnel Management (OPM), a campaign believed to be undertaken by the Chinese government, resulted in compromised information of at least 20 million federal employees. Iran and North Korea are much less sophisticated than the two giants, but what they lack in expertise they make up for in malice. The 2012 “Shamoon” virus unleashed on the Saudi ARAMCO oil production company, for instance, was a brute-force attack that destroyed 30,000 computers.
North Korea has also conducted high-profile cyberattacks against the U.S., the most notable being the one launched against Sony Entertainment, allegedly over a movie depicting North Korea in a negative light. The hackers took terabytes of private data and released confidential information, including five undistributed Sony movies, to the public. In addition to these nation-states, cyber criminals, hacktivists, and terrorists all seek to use cyberspace for their own ends.
To address this growing threat, the U.S. should leverage the forces of the market, motivating the private sector to make the sort of continual and dynamic investment needed to secure the country’s diverse cyber networks. The Heritage Foundation has developed legislative policy proposals to begin making sorely needed improvements.
Allow and Encourage the Development of a Valid and Effective Cyber-Insurance Business. The first step is for the government to encourage the gradual development of liability standards through common-law development and private-sector organizations. This is arguably the most difficult step, but if undertaken with industry cooperation, it could enhance security awareness and measures enormously. As cybersecurity risks and liabilities are better understood, cybersecurity insurers could take the lead in developing “actuary tables” from which they sell insurance on a risk-based model: The better a company’s security, the less it pays in premiums. These market-driven solutions would push the private sector to invest in appropriate levels of cybersecurity without the threat of outdated and onerous government regulations.
Encourage the Private Development of Cybersecurity Supply-Chain Ratings and Accreditation. These ratings should be based on a private-sector set of best practices. Such a framework would contain different tiers or ratings for different levels of accreditation, ranging from minimal overview of a company’s supply chain to in-depth analysis of specific products’ supply-chain features. These different levels of accreditation will provide consumers with more information, with which they can make informed, risk-based decisions. Additionally, producers will find such accreditation valuable for selling their products, thus connecting security with a profit incentive. Instead of mandating government cybersecurity solutions, the U.S. government should collaborate with the private sector. A specific way to encourage the adoption of this system would be to require government agencies that deal with large amounts of sensitive data, or have security-related duties, to purchase technology only from organizations accredited by this cyber-supply-chain ratings system.
Deepen Collaboration on Cybercrime Among Like-Minded Nations. The U.S. should look to create an acceptance for active cyber defenses that allow better attribution of, and intelligence on, cyber threats. Laws and tools from the organized crime arena, such as the Racketeer Influenced and Corrupt Organizations (RICO) Act, should be expanded to cover transnational cyber-criminal organizations.
Expand Cybercrime Cooperation Beyond Current Signatories of the Budapest Convention. The U.S. should create a cyber version of the Financial Action Task Force (FATF) that combats money laundering and financing of terrorism. While they need not abide by all the terms of the Budapest Convention, the U.S. should still pressure non-signatory countries to take reasonable actions against cybercrime. Nations that do not assist in international cybercrime investigations, or do little to stop cybercrime within their territories, should be considered non-cooperative, and face repercussions from members of the new cyber task force.
Develop a Robust Policy of Deterrence that Tailors a Proportionate U.S. Response to Bad Actors. Deterrence is in the mind of the adversary—he chooses to alter his behavior when he believes the costs are too high. The only way to achieve deterrence in cyberspace is to establish a clear pattern of policy and action that leads an actor to rethink his plans. The U.S. has a whole host of tools it can use to retaliate against any sort of cyber aggression, including diplomatic naming and shaming, cutting off cooperation, visa restrictions, commercial and financial limitations, sanctions, legal action, trade enforcement tools, action on other military or foreign policy matters, support to dissidents in malicious cyber states, and other tools not considered here. These tools should be tailored to fit the adversary, and proportionate to the scale and effects of his aggressive action.
Create a New Strategy for International Collaboration in Cyberspace. The U.S. needs to articulate a bolder strategy for how it will operate in the cyber domain. From deterring and retaliating against cyber aggressors to reinforcing cybercrime defense with allies, the U.S. should craft a new strategy that will direct the whole of government to protect U.S. interests in cyberspace. This strategy must also consider the central role the private sector plays and make use of its expertise and skills.
Permit “Attribution” Activities by Certified Private Parties. The Computer Fraud and Abuse Act and the Wiretap Act should be amended to allow private cyber defenders to engage in more aggressive and currently legally problematic “attribution” activity (such as beaconing or dark Web information gathering) only if certified to do so by the Department of Homeland Security (DHS). The DHS should create a certification program in consultation with the National Institute of Standards and Technology that provides an assessment for companies to determine whether they are sufficiently technically proficient and understand the restrictions and limits of their legally permitted activity. These licensed parties should also have limited protection from relevant criminal statutes regarding illicit activities that they may unintentionally find on the “dark” parts of the Internet when researching cyber threats.
Facts and Figures
FACT: Cyberattacks and espionage are costly to the U.S. and global economy.
- Cyber breaches are projected to cost the global economy $2.1 trillion by 2019, more than quadrupling the cost since 2015.
- IBM’s 2016 Cyber Security Intelligence Index says that health care, financial services, and manufacturing are the top three sectors targeted by hackers due to the vast quantity of personal information and potential monetary gain that exist in those fields.
- Multiple firms project that by 2020, 30 billion devices will be connected to the “Internet of things,” a huge growth in devices that connects ever more of daily life to the Web.
- The cyber-insurance industry is already estimated to be worth well over $3 billion, and will provide a market mechanism for quantifying cyber risks and encouraging companies to improve their security.
FACT: China, Iran, North Korea, and Russia, as well as hacking groups working with these countries, continually attack U.S. economic interests and critical infrastructure. The United States must implement an all-tools-of-national-power approach to dealing with these bad actors.
- In May 2014, the United States government indicted five members of the Chinese People’s Liberation Army on cyber-theft charges. China is also believed to be behind the theft of millions of classified personnel records from the OPM.
- In the 2016 American presidential election, the Russian government conducted a series of hacks on a number of political organizations, the most well-known being the Democratic National Committee.
- A high-profile cyberattack (using the WannaCry ransomware) was carried out by Lazarus, a hacking group connected to North Korea. Lazarus is also behind the cyberattacks on Sony, a Bangladeshi bank, and numerous South Korean government and private-sector targets.
- In 2016, the U.S. indicted seven Iranian hackers for cyberattacks against U.S. banks and for attempting to disrupt a New York dam. The U.S. also believes that Iran is behind numerous other cyberattacks against the U.S., as well as against regional rivals, such as the 2012 Shamoon attack against Saudi Aramco.
Selected Additional Resources
Steven P. Bucci, Paul Rosenzweig, and David Inserra, “A Congressional Guide: Seven Steps to U.S. Security, Prosperity, and Freedom in Cyberspace,” Heritage Foundation Backgrounder No. 2785, April 1, 2013.
Dean Cheng, “Chinese Cyber Attacks: Robust Response Needed,” Heritage Foundation Issue Brief No. 3861, February 23, 2013.
James L. Gattuso, “Ensuring Cybersecurity: More Red Tape Is Not the Answer,” Heritage Foundation Issue Brief No. 3626, June 5, 2012.
David Inserra, “Cybersecurity Beyond U.S. Borders: Engaging Allies and Deterring Aggressors in Cyberspace,” Heritage Foundation Backgrounder No. 3223, July 14, 2017.
Paul Rosenzweig, Charles Stimson, Steven Bucci, James Jay Carafano, David Shedd, and David Inserra, “Encryption Commission: Making Sense of Critical Policy Options,” Heritage Foundation Issue Brief No. 4531, March 18, 2016.
Paul Rosenzweig, Steven Bucci, and David Inserra, “Next Steps for U.S. Cybersecurity in the Trump Administration: Active Cyber Defense,” Heritage Foundation Backgrounder No. 3188, May 5, 2017.
Riley Walters, “Cyber Attacks on U.S. Companies in 2016,” Heritage Foundation Issue Brief No. 4636, December 2, 2016.