Because the servers, network backbones, and actual critical infrastructure are owned by private corporations, the final implementation of any statutes or regulations will be carried out by the owners involved. This will potentially result in inconsistent implementations across different entities’ equities. Compared to the stipulated requirements, the inconsistent implementations will fall into three categories: noncompliance, minimal compliance, and extra compliance.
The most significant risk to national security will come from locations that choose to remain in noncompliance with the future laws and regulations. This group will probably start small and shrink quickly because of the danger of remaining the soft target, plus the threat of governmental punishment. The primary reason for not remaining in this group, though, will be that once it begins to be published who is in noncompliance, those companies will be elevated to prime targets for cyber spies and thieves. Lewis claims that “the primary damage to U.S. national security and economic strength from poor cybersecurity comes from the theft of intellectual property and the loss of advanced commercial and military technology to foreign competitors” (Lewis, 2009). Those few identified to be in noncompliance will have their intellectual property copied completely, as all the adversaries are targeting them.
Since the present cybersecurity actors will surely be lobbying heavily on any cybersecurity laws or regulations, it is unlikely that the legal minimum will be much higher than the current status quo, so the companies that barely become compliant will continue to be targets of cybertheft. At best we can hope for a slowing of the “economic cyber espionage” (McConnell et al., 2012) from foreign actors.
Companies that work to become more than compliant are where we will see a real gain in national security. They will be the ones that are quick to call CERT and the FBI when they think they have been breached. They will be configuring their workstations to meet NSA recommendations. Hopefully they will be intercepting and analyzing every email coming into their networks.
Lewis, J. A. (March 2009). Innovation and Cyberspace Regulation. Center for Strategic and International Studies.
McConnell, M., Chertoff, M. & Lynn, W. (January 27, 2012). China’s Cyber Thievery Is National Policy - And Must Be Challenged. The Wall Street Journal. Retrieved 5 October 2012 from: http://www.boozallen.com/media/file/WSJ-China-OpEd.pdf