CSEC620IA1


  • 7/24/2019 CSEC620IA1


    IA#1 Cybercrime Law, Regulation, Effects on Innovation

    John Doe

    CEC !" ection $""

    Note: This paper was submitted through originality check websites.

    Table of Contents

    1. Introduction
    2. Private Industry & Regulations
    3. National Security Concerns
    4. Methods
    5. Impacts of Government Regulation
    6. Compliance
    7. Responsibility
    8. The Real World
    9. Conclusion
    References

    1. Introduction

    Cybersecurity and cybersecurity initiatives are commonplace in all aspects of our digital lives. Personal computers are still widely used, especially in the workplace, but mobile devices seem to be the preferred computing choice of the average person. This would include, but not be limited to, smart phones, tablets, and laptops, to name a few. Mobile devices have changed the digital landscape in a manner that could not have been predicted. This is because other than work or school related activities, most personal computers were used to play a few games, check email, and browse the internet. These activities eventually transitioned over to the aforementioned mobile devices. Now we mix in social media, and a whole new digital cyber-world has emerged. Talk about getting your head out of the clouds. We live in the cloud, literally and figuratively.

    What does this mean to the average consumer? Perhaps not much. Most people who operate in the digital world could probably care less about the underpinnings of cyberspace and the digital devices that we use from the time we wake up in the morning until we go to sleep at night. As with many other aspects of our lives here in the U.S., there needs to be something in place to try and protect our citizens from the pitfalls that await them through the use of these devices. There is a reason for government intervention in many cases. We citizens need certain protections to ensure our safety. Regulations put in place to thwart cybercrimes are just as important given the terrible consequences that could result. With that said, this may seem like a personal issue. However, given the threat potential that data breaches carry, this could evolve from a simple personal issue to a national security issue.

    2. Private Industry & Regulations

    There is a large percentage of our population that feels that our government is too involved in regulating our lives. There is likely an equally large percentage of our population that feels just the opposite. Is our government justified in its efforts to dictate to private industry the methods in which they choose to set up, maintain, and/or improve their cybersecurity? That answer is two-fold. The private industry entities that provide products and services for the federal government and/or public use in this country need to face at least some regulations. This is especially true for those industries that service national security, our critical infrastructures, the military, and perhaps those that have access to our personal and/or financial data. The private industry entities that do not fall under this category probably should not be bound to such regulations. "Recent trends of globalization, outsourcing, offshoring, and cloud computing, have changed the structure of organizations and their cyberspace" (Asllani, White, & Ettkin, 2013). This is why it is essential to have laws and regulations in place to protect organizations and their digital assets. A compromise in the confidentiality, integrity, and availability of these organizations and their systems could lead to a number of different problems for the general public, and even lead to potential national security issues.

    3. National Security Concerns

    Putting our nation's national security at risk is unacceptable. Therefore, the products and services that the federal government procures from private corporations have to follow certain guidelines to ensure that they are relatively safe to use. Adherence to NIST (National Institute of Standards & Technology) standards is mandatory for federal organizations. NIST is "a non-regulatory agency of the Department of Commerce, to develop a cybersecurity framework to help regulators and industry participants identify and mitigate cyber risks that potentially could affect national and economic security" (ei, 2014). Laws have to be in place to ensure that the products and services that the government procures meet these standards. Without such regulations, we run the serious risk of acquiring products and services from companies that put profit over quality. If the bottom line becomes the top priority of a company then the quality and integrity of the product or service can come into question. This is especially true as it relates to national security and cybersecurity.

    Any compromise to the integrity of our classified information and networks puts everyone at risk. We honestly cannot control what types of information are collected on us by intelligence agencies, although many would argue that we should. How and why that information is collected and used is often considered a matter of national security. These discretionary actions by the three letter agencies (NSA,

    exchanges regarding government intervention and regulation of the internet for example. An article in the Information & Communications Technology Law journal appropriately refers to the internet as a "network of networks" (King, 2004). The internet essentially provides interconnectivity between organizations which can inadvertently expose their information and assets to the cyber-world. Since organizations operate in both public and private spaces, some regulation is necessary to ensure that they operate at a standard that protects and safeguards data that they access. There are different data security laws on the books to do just that.

    security and protection of data are supported by both sides of the aisle in Congress. The problem is that when we get past the basic premise that these proposed laws represent, the additional provisions seem to be the source of opposition between the two major political parties. CISPA is a good example given that it passed in the House, which held a Republican majority, but not the Senate, which was dominated by Democrats at the time. The part of the legislation that was most likely the sticking point was the liability protection that both sides would not agree on. Unfortunately, this is the reality that we face with opposing views on regulation, privatization, and government intervention.

    5. Impacts of Government Regulation

    The impacts and effects of government regulation being implemented by private industry are debatable. However, I would argue that these regulations help since they would provide government oversight to help deal with cyber-threats. Companies like General Dynamics, Lockheed Martin, and Northrop Grumman, to name a few, have government regulations that they have to adhere to in order to do business with our government. Since the public sector and defense industries are their bread and butter, they have to adapt to such regulations. This is important since actions by cyber-criminals can precede physical attacks on critical infrastructures, systems, and people. Monitoring terrorist recruitment activities in cyberspace is a good example of the effects of regulated cooperation between private industry and the government. This example also has global implications as well given that the internet and cyberspace are entities that span the globe. Cybersecurity regulations, best practices, and monitoring all have international implications as well. Thankfully, no large scale acts of terrorism have succeeded in the United States since the September 11th attacks back in 2001. We have seen a number of cyber-attacks on private and public systems, but none that have resulted in a major disaster.

    One could also argue that we have been lucky in a sense. Considering that there are some regulations in place by the federal government that the private industry must adhere to, there are several seemingly good cybersecurity bills that never manage to get passed. This in my opinion has more to do with bipartisan politics than what is good for the country. I say this because one side of the aisle favors privatization and the other side favors government intervention. A happy medium would suffice, but does not seem to be much of an option. The Cybersecurity Act of 2010, The Protecting Cyberspace as a National Asset Act of 2010, International Cybercrime Reporting and Cooperation Act, and The Cybersecurity Act of 2012 are all examples of legislation that failed to pass, but all proposed good viable options that could not seem to traverse the bipartisan barrier of U.S. politics (Boulee et al., 2013).

    6. Compliance

    cybercriminals bank on the fact that some organizations both public and private may try to trim costs from their computer security budgets. This only increases the probability of a cyber-attack. This could also serve as an example of how not to actually save a dime if your organization becomes the victim of a cyber-attack that could have been prevented by simply aiming to exceed the minimum cybersecurity standards and requirements. "Spam, phishing, and computer viruses are becoming multibillion-dollar problems" (Goodrich & Tamassia, 2011). Depending on what your organizational function and objectives are, the financial implications of these types of attacks could go a long way towards the ultimate failure of your operations or business.

    7. Responsibility

    The responsibility to protect national security should fall into the hands of our federal government. However, both the federal government and private industry have an obligation to operate in a manner that protects the information and assets of our nation. This includes not only corporate or public assets and information, but also the assets and information about our citizens. Private industry's role in protecting national security is an important one, but since regulation of private industry has limits, the ultimate responsibility needs to fall on our federal government. Despite the limited federal regulations that private industry is currently bound by, there are a few very important pieces of legislation that provide important protections and accountability requirements that must be adhered to. The Sarbanes-Oxley Act of 2002 (SOX) requires that corporate management "assess the effectiveness of internal control measures, including cybersecurity" (Rishikof & Lunda, 2011) by ensuring accountability, protection, and safeguarding of financial resources and assets. Violation of this act can result in government and criminal sanctions.

    to safeguarding health related information that is transmitted electronically. Also, as mentioned earlier, the Gramm-Leach-Bliley Act of 1999 (GLBA) enforces and regulates data security requirements to protect financial information. Despite all of these different laws and regulations, again private corporations still have additional levels of responsibility when it comes to cybersecurity and the protection of both public and private information and assets.

    8. The Real World

    There are a number of large corporations that are allowed to operate with limited regulations when it comes to cybersecurity and data protection. Large retailers, for example, have the means in which to adequately protect consumer data and PII (Personally Identifiable Information). However, many until recently sort of had a lackadaisical approach to cybersecurity. It was only after large-scale data breaches that exploited millions of customers' personal and credit card information that they bothered to take more precautionary measures. The problem is that the damage was already done.

    In a report in the Internal Auditor journal it was stated that in 2014 alone "thieves have targeted customer data at eBay, Home Depot, Neiman Marcus, and Target" (Pyzik, 2014). This would account for millions of customers' personal and credit card information. Given the level of financial ruin that identity theft can cause, more regulation under these circumstances is needed, and I would not leave it up to these large corporations to decide how and when to put such regulations into effect. I would make it mandatory, so the only way to achieve that goal is to put it into law.

    9. Summary and Conclusion

    Cybersecurity laws and regulations are a good thing. Mitigating risks that put our national security and personal information in jeopardy is a good thing.

    doi:10.1080/1360083042000296277

    Dennis, C. M., & Goldman, D. A. (2013). Data Security Laws and the Cybersecurity Debate. (cover story). Journal of Internet Law, 17(2), 1-11.

    Boulee, J., Davis, W., Kantner, R., McDonald, K., Metcalf, J., & Paez, M. (2013, July 26). The cybersecurity debate: Voluntary versus mandatory cooperation between the private sector and the federal government | Lexology. Retrieved May 29, 2015, from http://www.lexology.com/library/detail.aspx?g=70a72c39-3168-45c3-9da6-5c4baadaf94b

    Shackelford, S. J., & Craig, A. N. (2014). Beyond The New "Digital Divide": Analyzing the Evolving Role of National Governments in Internet Governance and Enhancing Cybersecurity. Stanford Journal of International Law, 50(1), 119-184.

    Goodrich, M., & Tamassia, R. (2011). Introduction. In Introduction to computer security (p. 3). Boston, Massachusetts: Pearson.

    Rishikof, H., & Lunda, K. E. (2011). Corporate Responsibility in Cybersecurity. Georgetown Journal of International Affairs, 1(1), 17-24.

    Pyzik, K. (2014). Safeguarding Customer Data. Internal Auditor, 71(5), 22-23.

    (n.d.). Retrieved May 26, 2015, from https://www.whitehouse.gov/sites/default/files/cybersecurity.pdf