The internet has made us more connected than at any time in history. But with that connection comes an increased need to secure cyberspace to protect our way of life, experts insist.
Cyber attackers and criminals exploit vulnerabilities to steal information and money, and cyber attacks against United States companies continue to grow in frequency and severity.
Recent cyber attack targets include Anthem Blue Cross and Blue Shield, United Airlines and American Airlines. Cyber attacks and hacks cost the average American company $15.4 million per year, double the global average, according to an October 2015 report by Hewlett Packard and the Ponemon Institute.
According to the Department of Homeland Security, cyberspace is difficult to secure due to a number of factors:
• The ability of malicious actors to operate from anywhere.
• The linkages between cyberspace and physical systems.
• The difficulty of reducing vulnerabilities and consequences in complex cyber networks.
In an age where computer hacks are common and the need for privacy is greater than ever, a debate has emerged. How do we balance keeping people and businesses secure with protecting their privacy?
To combat cybercrime, the U.S. Senate passed legislation aimed at strengthening the country’s cyber defenses by protecting companies that share cyber threat data with the government.
The Cybersecurity Information Sharing Act of 2015 (CISA) would expand liability protections to companies that choose to voluntarily share cyber threat data with the government.
Additionally, under consideration in Congress are House-originated bills that include the Protecting Cyber Networks Act and the National CyberSecurity Protection Advancement Act of 2015.
Both modify past legislation. The CISA calls for the director of National Intelligence, the Department of Homeland Security, the Department of Defense and the Department of Justice to develop and communicate procedures for creating information sharing on cyber security threats, said Chuck Matthews, the chairman and CEO of WGM Associates, a local provider of consulting, managed IT services, managed security services and application development.
The Senate bill is designed for companies to share cybersecurity threat data with the Department of Homeland Security, which could then pass it on to other agencies like the FBI and NSA, which would use the information to defend the target company and others facing similar attacks.
Advocates claim that sharing threat information can facilitate more effective protection of information systems. Often, private-sector companies express unwillingness to share information due to concerns about legal liability.
The proposed legislation would give businesses legal certainty that they have safe harbor against frivolous lawsuits when voluntarily sharing, Matthews said.
“The problem is that no one trusts anybody,” said Russell Smoldon, CEO of B3 Strategies, a government policy and public relations firm. Some feel like it gives the government too much power and strips away people’s privacy, Smoldon said.
Opponents say the legislation does not do enough and could allow the government to snoop even more. They express concerns about the adverse impacts to privacy and civil liberties and potential for misuse of shared information by the government, experts said.
“In theory, information sharing is good,” said Michael Kelly, chair of Jennings Strouss’ intellectual property practice group. “However, consumers are rightfully skeptical of the federal government having an expanding role.”
Privacy advocates and civil liberties groups believe CISA allows companies to monitor users and share their information with the government without a warrant, as well as providing opportunities to circumvent laws that protect users’ privacy.
Another criticism is that government agencies and the private sector already collect too much information about the American public.
What the Senate bill allows is for companies to turn over information that contains personal data like telephone logs, emails, shopping history, medical history and GPS information, Kelly said.
So how could the bill impact the average person? “In a very stealth manner,” Kelly said.
Everyday people will have their information turned over to the government without a subpoena and without a notice to the consumer from the company, Kelly added.
Rather than just facts, like what health plan a person is insured by, the information turned over to the government could go into a lot more detail, Kelly added.
Additionally, many private organizations default to secrecy and confidentiality rather than sharing information, Matthews said, especially when a company’s legal counsel is involved.
Moreover, a majority of these information sharing initiatives are crafted for larger businesses, Matthews added, while small and medium businesses have little time and resources to devote to sharing initiatives or to act on intelligence they are given.
Balancing security and privacy
“Cyber criminals are notoriously insensitive to legislation,” Kelly said.
Experts believe this type of legislation could work in theory. Information sharing and providing immunity for companies who are cooperating is a positive step, Kelly said, because the government regulatory arm is heavy and companies are reluctant to fully disclose.
But what is more important, your identity being protected or the privacy of your identity being protected?
It is the sweeping nature of the personalized information that some believe upsets the balance between keeping people and businesses secure and protecting privacy. Many agree the proposed legislation does not give enough regard to consumer privacy.
Before passing the CISA, Senators voted on amendments that sought to reform the bill’s privacy protections. One of the amendments, from Sen. Ron Wyden, D-Oregon, required companies to remove personal data from those cyber threat “indicators” before sharing them, unless that personal information is necessary to describe or identify the threat.
The amendment was rejected. But stripping the individualized nature of the data and keeping it anonymous is what some believe would have kept this legislation balanced in terms of security and privacy.
This year alone, there have been breaches at the Office of Personnel Management, IRS and the White House.
Incentivizing the private sector to lead the way instead of focusing on dealing explicitly with cyber adversaries could be a better approach to cybersecurity, Matthews said.
“Government organizations have not been the models for effective cybersecurity,” Matthews added, “and asking them to lead the way for the private sector will likely fall on skeptical ears.”
Enhancing cyber education
Embry-Riddle Aeronautical University-Prescott and BeyondTrust, a Phoenix-based cyber security company dedicated to eliminating data breaches from insider privilege abuse and external hacking attacks, joined forces to enhance the education and training of future cyber security professionals.
BeyondTrust will provide Embry-Riddle’s College of Security and Intelligence (CSI) with hundreds of hours of videos, covering a wide range of cyber security issues such as firewalls, malware and best practices for securing assets.
The videos are designed to train professionals for the CISSP (Certified Information Systems Security Professional) credential.
Recognizing Embry-Riddle as one of the first universities to offer a cyber security degree, BeyondTrust hopes to provide internships, thought leadership research and potential employment to Embry-Riddle students.