Cybersecurity finally takes center stage in the U.S.

• Author: Morency, Kayla

1. Introduction

   It is no secret that in the wake of globalization and the explosion of the Internet the world is more interconnected than ever. (1) The Internet provides access to content stored by governments, corporations, interest groups, institutions, and individuals to millions of users located across the globe on a daily basis. (2) It also provides users with the capabilities to create and disseminate their own material to other users regardless of their location. (3) It is essentially a "network of networks," (4) where data is accumulated and participation is relatively inexpensive as compared with other media outlets. (5) As a result, the Internet is an integral part of modern-day life and it connects people "globally, regionally, and locally for business, research and education, and political and social interaction." (6)

   In addition, "The United States ... [is] among the world's largest cyber actors." (7) For example, computer networking systems are responsible for critical functions such as "managing and operating nuclear power plants, dams, the electric power grid, the air traffic control system, and the financial infrastructure." (8) Furthermore, computer networking systems play a fundamental role in the day-to-day operations of government, organizations, and companies by managing payroll, performing research and development, and conducting and tracking sales and the movement of goods. (9) However, due to the nation's reliance on computer networking systems and the interdependence of private citizens, sensitive data and information remains vulnerable to attack or exploitation; thus, the security of cyberspace remains a priority for the nation's public and private sectors. (10)

   In light of the September 11th tragedy, the United States' government and private industries reevaluated their focus on a variety of security measures, including cybersecurity. (11) As a result, several legislative efforts were made, and upon its own initiative, the private sector put more emphasis on developing software with the idea in mind that there is the potential for outsider intrusion at every level of its design. (12) In addition, the government allocated significant resources into researching and tracking cyber espionage and potential threats of cyber-terrorism. (13) Furthermore, private cybersecurity firms have risen, including Mandiant, a cybersecurity consulting firm located in Virginia, which has developed security software to help organizations with even the most aggressively secure networks to rapidly detect, analyze, and resolve security breaches. (14) However, Mandiant's investigative efforts came to the forefront, in February 2013, when it publicly released its controversial findings concerning their seven-year long investigation, which linked China to a major cyber espionage (15) campaign targeting several United States' business and industries. (16) Since the report's release, there has been widespread concern stemming from both the public and private sectors in determining what steps must be taken to reduce the United States' vulnerability to cyber-attacks. (17)

   This note examines the current mechanisms in place for protecting computer-networking systems, reviews the findings of the Mandiant Report, and analyzes the highlights of President Obama's Official Framework for Improving Critical Infrastructure Cybersecurity as a comprehensive approach towards decreasing the United States' critical infrastructure vulnerabilities. In Part II, this note highlights an historical perspective of cybersecurity law in the United States, with particular emphasis on legislative efforts in the post-9/11 political arena. Part III acknowledges recent Congressional action and the recent developments leading up to the current state of affairs regarding cybersecurity policies, including a detailed summary of the key findings of the Mandiant Report. In Part IV, this note analyzes whether the Official Cybersecurity Framework is an adequate measure towards improving the nation's cybersecurity defenses. Furthermore, this note assesses whether Congress will have an important role in future cybersecurity policies. While legislation is important to create valuable infrastructure and allocate appropriate resources to research and development, this note argues that the Official Cybersecurity Framework is an excellent starting point towards improving the vulnerabilities of the nation's critical cybersecurity infrastructure, but it is only the beginning of long journey towards a comprehensive solution.

2. History

   1. Cybercrime Defined

      In light of the Information Age, crimes relating to computer networking systems are far beyond traditional, because these crimes transcend borders by inflicting harm "from anywhere and against any computer in the world." (18) Essentially, cybercrime refers to the unauthorized access to confidential computer networks and the unlawful meddling with systems, programs, and information. (19) However, cybercrimes take on a variety of forms. (20) For example, hacking into a computer system provides the user with access to read personal information, erase important data, or install a "digital time bomb," in which companies are forced to pay extortionists large sums of money. (21) Additionally, cybercriminals plant viruses that have the capacity to delete valuable material, spread other viruses, or disrupt the company's productivity. (22) One of the most common forms of cyber crime is online fraud. (23) Cyber fraud can take the shape of counterfeiting, investment fraud, or stolen credit information. (24) Another major area of concern is cyberterrorism, which is defined as a "premeditated, politically motivated attack against information, computer systems, computer programs, and data which.. .[leads to] violence against noncombatant targets by subnational groups or clandestine agents." (25) Cyberterrorists possess the capabilities to cause major disruptions in banking, pharmaceuticals, air traffic control systems, or electronic power systems. (26) As a result, this final category has the potential to cause the most catastrophic destruction, including the death of thousands of innocent people. (27)

   2. Calling Attention to Cybersecurity

      Dating back to 1991, the United States' government acknowledged the nation's ever-increasing dependence on computers, which correlated to its ever-increasing vulnerabilities. (28) For example, in 1991, the National Research Council publicly announced:

      We are at risk. Increasingly, America depends on computers. They control power delivery, communications, aviation, and financial services. They are used to store vital information, from medical records to business plans to criminal records. Although we trust them, they are vulnerable to the effect[s] of poor de sign and insufficient quality control, to accident, and perhaps most alarmingly, to deliberate attack. The modern thief can steal more with a computer than with a gun. Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb. (29) This report was among the first to publicly announce that computer networking severely impairs the nation's cybersecurity. (30) In 1997, during the Clinton administration, the President's Commission on Critical Infrastructure Protection concluded that the exponential growth of a "computer literate population" guarantees that millions of users across the globe will posses the knowledge and capabilities to conduct a cyber attack, which reinforced the notion that cybersecurity should become a high priority concern at the top of the government's agenda. (31) Finally, during the George W. Bush administration, two additional reports called attention to the threat of severe cyber attacks and acknowledged the vulnerability of critical infrastructures affecting the nation's overall economy and national security. (32) The overall goal of these reports was to engage the public in a dialogue in matters affecting their daily lives. (33)

   3. Cybersecurity Policies in the United States

      One of the earliest legislative efforts to protect citizens again cybercrime was the Computer Fraud and Abuse Act (CFAA). (34) The Act has been amended numerous times; however, as it reads today, the statute broadly prohibits (1) "knowingly caus[ing] the transmission of a program, information, code or command.. .and intentionally caus[ing] damage without authorization, to a protected computer;" (2) "intentionally accessing] a protected computer without authorization, and.recklessly causes damages;" (3) "intentionally accessing] a protected computer without authorization, and.. .causes damage and loss." (35) However, according to the provision of the statute, the definition of "protected computer" is narrow and largely limited to computers used by the federal government or financial institutions. (36)

      In the immediate aftermath of the September 11th attacks, President George W. Bush issued Executive Order 13231 on October 16, 2001. (37) The order called attention to the technological revolution responsible for the new ways in which business was transacted, government was operated, and national defense policies were accomplished. (38) As a result, the order demanded the protection of these information systems to prevent any interference with the telecommunications, energy, financial services, manufacturing, water, transportation, health care, and emergency services sectors. (39) Furthermore, the order created the National Infrastructure Advisory Council (NIAC), which later became absorbed by the Department of Homeland Security. (40) The NIAC was responsible for making recommendations about the security of the nation's critical economic infrastructures and the U.S. national security. (41)

      The Federal Information Security Management Act of 2002 (42) (FISMA) was passed, which provided a mechanism for improving the management and oversight for information security programs of federal agencies. (43) It also...