Computer networks and the Internet have radically altered the way people live and conduct business. Integrated information systems, based on vast networks, make up the center of operation for current business environments and governmental operations. The governments of the United States and other developed nations hold sensitive information about their citizens in such vast computer networks. Businesses rely on networks to perform transactions that use electronic money transfer, in a new business paradigm referred to as e-commerce. However, while these systems are efficient and effective in management, they are also the systems most vulnerable to security breaches. Unlike physically stored data, data in computer networks can be accessed by intruders from thousands of miles away. This has hampered the operations of several businesses while exposing confidential information to unauthorized users. Additionally, terrorists and criminal gangs are now targeting these networks in order to advance their illegal activities as well as attack citizens. Terrorists or criminal gangs may target networks that control most public service systems, such as train systems, gas supply networks, water treatment systems, power and nuclear plant systems, as well as electronic voting systems employed by non-democracies. In the private sector, there have been several instances of security breaches that have threatened the businesses that private organizations run. A case in point is the famous hacking of several Fortune 500 companies by the young Canadian hacker known by his pseudonym Mafia Boy.
Therefore, questions abound as to the role of government with regard to cybersecurity. For instance, does the government have the moral responsibility to help secure cyberinfrastructure from illegal intruders? Does cybersecurity have any bearing on national security, and if so, what are some of the interventions that the government can employ to secure the cyber world? And in so doing, what is the cost of government intervention on the free Internet and freedom of communication? This research paper will attempt to address these issues in light of cybersecurity in the context of the United States of America.
Role of Government Intervention in Improving Cyber Security
The Internet is perhaps the most transformative invention of the twentieth century. It has allowed instant connectivity to all corners of the world in a revolutionary manner. Business and commerce have now spread to clients and consumers everywhere with relative ease. Thus, the Internet is an international, interactive and constantly evolving center for connectivity. Therefore, measures to maintain some order over the Internet have to be an effort of several players, that is, governments and private sector businesses.
The United States government has always maintained that authority to intervene in those entities that would deter investment. This is because investing in cybersecurity is both a complex and expensive venture. Moreover, the field of cybersecurity is undergoing constant change, and new technologies emerge every other day. Thus, successive governments have left the issue of cybersecurity to be an initiative of the private sector and the industry, to the level that private organizations perceive to be necessary to protect their business and, by extension, information about Americans.
In asserting the market-based policy, the Bush Administration developed the National Strategy to Secure Cyber Space in 2002 (Internet Security Alliance, 2008). The strategy relied heavily on voluntary measures taken by the industry to secure cyberspace. While the concept of a market-driven strategy is plausible, there is a missing link that would motivate private businesses to invest heavily in matters of national interest. Companies do not find investment in cybersecurity justifiable because of their random nature. The result of such an open-ended security strategy is a far less secure cyberspace for Americans.
Several instances of security breaches over the Internet bring to the fore the social responsibility that rests with the government with regard to cybersecurity. According to a recent report by the U.S. Chamber of Commerce, the private sector has performed poorly with regard to cybersecurity (U.S. Chamber of Commerce, 2011). The report depicts the negligent manner in which business executives and leaders have handled the issue of cybersecurity. The report lists a few startling issues that reflect the poor manner in which executives have handled cybercrime:
- About 30% of senior executives in the private sector were unaware of cyber events within their organization;
- About one-half of all senior executives in the private sector could not estimate the cost of cyber intrusion, both from siphoned monies and litigations due to such breaches;
- Over one-third of all executives could not attest to having any cybersecurity measures;
- One-half of executives consider training staff on cybersecurity as very important, the other half does not;
- Less than half of senior executives, about 43%, perform security audits on their cyber systems; and
- Only one-half of companies use encryption systems in their networks, and only two-thirds employ firewalls.
Real-World Example: The T.J. Maxx Intrusion
A clear example of an incident showing such low concern for cybersecurity is the T.J. Maxx case. T.J. Maxx is a department store chain owned by TJX Companies, founded in 1956. T.J. Maxx boasts more than 900 stores in the United States alone, with operations in other countries such as Poland, Germany, the United Kingdom, and Ireland. In the United States, T.J. Maxx is one of the leading department stores, with operations in almost every corner of the nation, and is capitalized at about $13 billion.
On January 17, 2007, the company announced that unauthorized users had breached its integrated information system and that customer data had been stolen. Malicious intruders had managed to gain access to the computers and accessed credit and debit card information. They had also managed to view the transaction records of millions of customers, and the integrity of the information was in doubt. The company first discovered the intrusion in mid-December 2006, but investigators requested that the incident be kept confidential to allow for a proper investigation.
After the investigation, the results were disturbing. The company had exposed important financial information of more than 45 million American customers. In addition, hackers had downloaded other key information, such as driver's license numbers and social security numbers of about 451,000 customers. This was against public policy that ensures credit and debit card information held by companies is confidential.
The manner in which the hackers were able to gain access created much concern about cyberspace. The network used by the company was a weak wireless network, secured by the Wired Equivalent Privacy (WEP) protocol. This is a weak network security protocol, and the encryption techniques used under WEP are equally weak. In this kind of network, a simple algorithm would allow hackers to eavesdrop on communication.
Moreover, investigations found that the company had not installed any firewalls or software patches as directed by Visa and MasterCard. The lack of firewalls in the company's information system exposed data even to malicious intruders who may not be very sophisticated. With these weaknesses, hackers were able to simply deploy a Wi-Fi antenna and a laptop in a Minnesota neighborhood. They were able to access incoming transmissions and eavesdrop on employees logging into the central servers of the company.
The T.J. Maxx intruders took full advantage of the situation. Stolen credit card information was used in almost eight states within the United States. Use of the same credit card numbers also spread to other countries such as Japan, Mexico, China, and Italy. On one occasion, the hackers were able to perform an eight million dollar transaction with a leading supermarket chain in Florida. This compromised the confidentiality of customer information.
Legislation Providing the Authority for Intervention
The United States Government has, however, passed legislation that would assist in securing cyberspace. The US faced a terrible terrorist attack on September 11th, 2001. The terrorists had widely used the Internet and other modes of communication to pass information necessary to carry out the attacks. In response, the Bush administration introduced the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act). The United States Department of Justice announced that it would seek legislation that would give powers to state authorities to protect the homeland from such activities and attacks in the future. The proposed legislation was to give federal authorities the ability to monitor Internet use, intercept emails and phone calls, and wiretap conversations between citizens and non-citizens. In a sense, the act would allow the federal government to breach the provisions of the right to privacy in the name of national security. The federal government would access personal information and listen in on personal conversations in the process. This particular legislation has brought much controversy in the United States, as several public segments find the law intrusive.
The USA PATRIOT Act is not the only legislation that guides the government in managing cyberspace. The current administration under President Obama has been making advances with regard to cybersecurity. In 2009, President Obama accepted some key recommendations of the Cyberspace Policy Review on the role of the executive in coordinating and responding to cyber events. The Cyberspace Policy Review further proposed that the Executive Branch of the federal government work in close cooperation with the key players and other forms of local or state government in coordinating cybersecurity efforts. The recommendations further argued that the response to cyber threats was to be treated as a national affair, just as other types of national security threats are. To do this, the policy review stressed the importance of improving the Comprehensive National Cyber Security Initiative (CNCI), first introduced by the former administration. The initiative's goals were, among others:
- To establish a strong and coordinated first-line defense against active threats;
- To create a range of defenses against threats;
- To establish a much safer future for cyberspace.
In order to attain the above-listed objectives, the new policy review proposed some improvements to be enacted. Some of these activities involve:
- Managing the entire federal network as a unitary network, where security measures would be implemented as a whole;
- Developing and installing intrusion detection systems in the entire federal network;
- Considering a unitary installation of intrusion prevention system in the federal network;
- Coordinating research and development in cybersecurity together with the private sector; and
- Playing a more regulatory role in managing and securing cyberinfrastructure in the country.
Impact of Cyber Security on National Security
In a report to Congress in the year 2009, the Congressional Research Service (CRS) estimated the extent and nature to which cybersecurity has a bearing on national security. The CRS argues that, while cyberspace, due to its global nature, is a vast domain that can never be fully addressed, cyberspace is too fundamental to be left to the private sector alone (Congressional Research Service, 2005). Some components of cyberspace run by private organizations play a critical role in the day-to-day lives of millions of Americans. The National Strategy for Homeland Security has since singled out some critical units of cyberspace. One such unit is the service and sustenance industry, which is composed of services such as public transportation, banking, hospitals and public health, and, finally, postal and shipping services. The second vital unit is the production industries, which include the energy sector, industrial defense bases, food production industries, and chemical industries. The third sector is federal and state units, which are composed of emergency response systems, government databases, communication channels, and intelligence units.
Therefore, it is quite easy to imagine the consequences should such systems be intruded upon or shut down. For instance, intrusion into transport systems that control trains may lead to catastrophic events. A similar outcome may be experienced if terrorists or malicious elements were to intrude into water treatment plants, food production industries, and gas distribution systems. Without any minimum requirement of computer security for these systems, national security would be at great risk.
However, with minimum requirements met by private businesses, the chances of threats to national security are significantly reduced. Minimum requirements such as encryption and firewalls reduce the chances of intrusion by a huge margin.
Real-World Example: IntelsatONE Intrusion - A Threat to National Security
In 2011, IntelsatONE, one of the leading communications satellite companies, reported about 300,000 cases of denial-of-service attacks. The satellite has been used by the military and other key government security agencies in running offshore operations. Other big corporations in the United States have used the IntelsatONE satellites to conduct important business across the globe. Both the government and industry were taken by surprise by the manner in which the said hackers gained access. The intruders created a highly specialized radio that could transmit control signals from somewhere in Norway. They succeeded in denying any transfer of data packets.
The attack on one of the most secure satellite systems is surely a wake-up call. In the same respect, the U.S. National Security Telecommunications Advisory Committee (NSTAC), a committee composed of several executives in the industry, was tasked with reporting on the threat of cybersecurity at a national level. In its 2009 report, the committee states that unauthorized commanding of network tools such as routers, servers, satellites, and databases would soon be one of the biggest threats the United States and other sensitive organizations would be facing. Satellites and other vast networks like integrated transport systems were pointed out as possible targets for hackers. The government has no option other than to actively step in and provide some minimum regulatory measures.
The concept of cybersecurity can be viewed as a technical issue that can only be left to private organizations and industry to drive its determination. However, concerns regarding the importance of cyberspace and its impact on the lives of Americans call for government intervention. The United States Government has the responsibility of coordinating and establishing a response to cyber events. On the other hand, private organizations and the industry have the moral and social obligation to implement cybersecurity for the sake of both business and national security. Without concern for securing cyberspace as much as possible, much of America's freedom and lifestyle is under threat. Nothing illustrates this more than the T.J. Maxx and IntelsatONE cases.