Society today is plagued with crime that is difficult to combat, constantly changing, and has no borders; this type of crime is called cybercrime. The United States of America is attacked on a daily basis by cyber criminals both foreign and domestic. The crimes committed involve fraud, identity theft, theft of proprietary trade secrets, and even theft of national secrets. The 2009 Internet Crime Report indicates that 336,655 cybercrime complaints were received in 2009, with a total monetary loss of $559.7 million (“2009 Internet Crime Report,” 2009). Cybercrime affects everyone; therefore, individuals, corporations, and government entities are responsible for safeguarding information against these attacks. Clearly, a unified front must be established to combat this epidemic. A unification of individual citizens, corporations, and government entities must occur to prevent and deter cyber-attacks. A united front to fight cybercrime requires that a standard set of cyber security controls be established for the public good, but who should be responsible for mandating those controls?
Directing cyber security controls involves establishing laws, setting penalties for breaking laws, and creating foreign policies regarding cybercrime with other nations. Since laws, penalties, and foreign policy are required, the responsibility for mandating security controls for the public good falls on the government. Before the government is allowed to require that certain cyber security controls be put in place, the following questions must be answered:
• Is the government justified in mandating cyber security controls?
• Should individuals and corporations be responsible for protecting trade and national secrets through cyber security controls?
Is the Government Justified in Mandating Cyber Security Controls?
Whenever the government becomes involved with mandating requirements that affect individual citizens and corporations, the government is often met with resistance. Mandating cyber security controls, although for the public good, will most likely be resisted as well. In March of 2010, The Affordable Care Act was passed by Congress and signed into law by President Barack Obama. The law put in place health insurance reforms that hold insurance companies accountable, lower health care costs, and guarantee more choice involving health care (“Understanding the Affordable Care Act,” 2010). The law was considered to be for the public good; however, it was immediately met with resistance. Shortly after the law was passed, attorneys general in 14 states filed suit on grounds that the law was unconstitutional (Kranish, 2010). Mandating cyber security controls will be met with similar resistance unless the government can provide strong justification for the action.
Direct and aggressive cyber security attacks against the United States of America from a foreign country provide a strong case for the justification of mandating cyber security controls. Recent government reports and news releases implicate foreign countries in targeting government entities, individuals, and corporations with hopes of compromising important information. One example of a country specifically targeting the United States’ information pool is the People’s Republic of China. The 2009 Report to Congress for the U.S.-China Economic and Security Review Commission indicates that government counterintelligence officials believe that the People’s Republic of China is one of the most aggressive countries targeting the United States. The report further indicated that economic secrets, trade secrets, and national secrets are specifically being targeted (“2009 Report to Congress,” 2009).
Recent government reports and publicized cyber-attacks clearly indicate a need for mandated cyber security controls. The stability of the United States’ trade and economy is threatened continuously by attempted and successful cyber-attacks. The United States government should mandate a set of cyber security controls and require that every government entity, corporation, and individual adhere to a basic set of required information security mechanisms. These cyber security controls should be directed by the government; however, the controls themselves should be specified by a committee of corporations and information security experts. The required controls should be a minimum baseline of security for all to build upon. Responsibility resides with every individual, corporation, and government entity to be good keepers of information.
Should Individuals and Corporations Be Responsible for Protecting Trade and National Secrets Through Cyber Security Controls?
All computer users are responsible for protecting the integrity of their information systems infrastructure. Whether the infrastructure is as simple as a home network or as complicated as a corporate wide-area network, cyber security must be taken into consideration. Protection of information and information systems infrastructure is accomplished by instituting strong cyber security controls. Cyber security controls can be defined as any security mechanism which ensures the confidentiality, integrity, and availability of information and information systems. The controls being implemented can include training and awareness, policies and procedures, physical or logical security mechanisms, and laws enforced by the government. Since many organizations and individuals within the United States of America work closely with trade secrets, intellectual property, and national secrets, it is the responsibility of all parties involved to protect that information. Protecting trade and national secrets is the responsibility of individuals, corporations, and the government.
The individual user is the first line of defense for protecting the confidentiality, integrity, and availability of information. When a person works for a corporation or a government entity, they are entrusted with certain proprietary and secret information. Individual employees are targeted on a daily basis by cyber criminals deploying social engineering tactics with hopes of obtaining confidential information. The individual is attacked by these criminals through telephone, online social networking sites or email, and persuasion. Everyone must be made aware of these tactics and be mindful of information they may provide to others (Kee, 2008). Research conducted by the National Cyber Security Alliance and Computer Associates discovered that 75 percent of computer users provide personal information to social networking sites. Providing personal information to social networking sites makes the users susceptible to online attacks (Jacobs, 2006). The users may fall prey to hackers and inadvertently provide important information to these hackers that could compromise the individual’s financial well-being, corporate information they may possess, and even national secrets for those trusted with the information. Proper training and awareness is an important cyber security control that should be pursued by all individuals. An informed user will be able to detect when they are being phished for information.
Care must be taken by all individuals when working with confidential information to avoid theft of extremely important data, including the systems on which the information resides. An employee of the Veterans Administration had their home burglarized and the employee’s laptop was stolen during the crime. The employee’s laptop contained 26.5 million veterans’ personal information and the employee was placed on administrative leave for violating the information policy of the Veterans Administration. Another case of theft occurred when a Wells Fargo employee had their laptop stolen and a considerable amount of confidential information was compromised (Bosworth, 2006). Individual employees must be mindful and ensure the physical security of their mobile devices, as well as follow prescribed policies and procedures regarding removal of sensitive information.
The individual is the cornerstone in building a strong and sound information security infrastructure. Whether at work or at home, the individual user must understand the dangers that exist in cyberspace. It is imperative that all individuals be vigilant keepers of information and be held responsible for information compromised due to neglect on their part.
Many corporations today use their trade secrets to aid in being awarded government contracts. In many cases, these contracts require security clearance and involve releasing some national secrets to the company awarded the contract. Since many corporations have close relationships between their trade secrets and national secrets, a responsibility exists to keep information as safe as possible. Each organization is responsible for managing and protecting their information systems security. Within a company’s information systems infrastructure reside trade secrets, intellectual property, and sometimes national secrets. An organization’s major obligation is to ensure they have a sound information systems security plan. The information systems security plan requires the company to conduct a risk and vulnerabilities assessment to fully understand where security threats may reside. Additionally, the organization must have clear and concise policies and procedures in place to aid in governing the rules and regulations required to secure the information systems infrastructure. Training each employee is another responsibility charged to the corporation. Training employees in information security aids in keeping trade secrets, intellectual property, and national secrets secure. Corporations must stress compliance to all employees and enforce the policies and procedures put in place to protect information (Jessup & Valacich, 2008). The information systems security plan is a pivotal cyber security control that must be implemented by all organizations.
Ensuring information is properly secured is an extremely important responsibility placed on corporations. Failure to properly enforce the organization’s information systems security plan may result in harmful security breaches. An example of an extremely devastating security breach is the January 2010 attack on Google. During a three-day distributed attack, Google’s security infrastructure was compromised and their password management system was infiltrated (Markoff, 2010). Shortly after the breach, Google was awarded a $6.7 million contract to house the e-mail for 17,000 employees and contractors of the United States General Services Administration (Whitney, 2010). The attack on Google and subsequent awarded government contract clearly show the need for corporations to be responsible for the security of their trade secrets, as well as national secrets. Companies must strive to ensure they are deploying proper logical and physical security controls to combat cyber security attacks.
The corporations which make up the business pool within the United States are charged with an important responsibility. Regardless of how close or how far removed from national secrets an organization is, every company has a responsibility to be good keepers of all information they are trusted with. Failing to keep trade secrets, intellectual property, and national secrets safe could have a detrimental effect on the security and safety of the nation.
The government is just as responsible for protecting trade and national secrets as individuals and corporations are. Government entities are not excluded from cyber-attacks and in most cases they are the primary targets for foreign and domestic cyber criminals. Government entities must constantly protect against espionage, Web site defacement, and relentless hack attempts. The government must enforce the policies and procedures outlined within their information systems security plan to protect trade and national secrets; however, their responsibility extends further. The government must also be responsible for prosecuting those who break the laws which enforce the protection of trade and national secrets.
Pursuing and prosecuting those who break cyber security laws is a major focus of the government. Within the past year the government has apprehended many cyber criminals related to theft of trade or national secrets. In May of 2009, a Swedish national was charged with hacking and theft of trade secrets at the National Aeronautics and Space Administration (NASA) and Cisco. The indictment included one intrusion count and two trade secret misappropriation counts (“Swedish National Charged with Hacking and Theft of Trade Secrets Related to Alleged Computer Intrusion at NASA and Cisco,” 2009). Another apprehension occurred in August of 2010, where a Chinese national was charged with economic espionage involving theft of trade secrets. The individual was arrested and charged in a 17-count indictment regarding theft of trade secrets from an agricultural company based in Indianapolis, Indiana (“Chinese National Charged with Economic Espionage Involving Theft of Trade Secrets,” 2010). In another incident, a Chinese national pleaded guilty to stealing trade secrets from the Ford Motor Company. The individual involved stole over 4,000 documents which included system design specifications (“Chinese National Pleads Guilty to Stealing Ford Trade Secrets,” 2010). The government must enact strict laws and regulations regarding cyber security; additionally, the government must move with the times and advance policies as technology advances. The enacted laws must be enforced to ensure protection of the nation’s trade and national secrets.
The government faces a difficult task regarding cyber security controls. Technology advances at a rapid pace and laws, policies, and regulations must move at an equal pace. The current structure for passing and enacting laws is not conducive to ever-changing environments, and cyberspace changes on a daily basis. The government is challenged with creating laws that are general enough to apply to many cases, yet clear enough to keep cyber criminals from falling through the cracks.
Situational awareness is a term that describes the ability to identify, process, and comprehend critical elements of information at any given time (“Situational Awareness,” 1998). Individuals, corporations, and government entities must all think deeply about their situational awareness regarding cyber security and the controls necessary to keep information and infrastructures secure. There is no single group that is responsible for the protection of information, trade secrets, intellectual property, or national secrets. The security of the nation depends on everyone’s ability to foresee, deter, and react to cyber security incidents. There is a clear need for mandated cyber security controls so that individuals, corporations, and government entities all operate with the same beginning base of cyber security controls.