US Faces a Long Road in Implementing New Cyberstrategies

The Internet’s days as a lawless frontier may come to an end. The Obama administration announced two cybersecurity strategies over the past week—one national and one international—that will bring governance to cyberspace. A third cyberstrategy, from the Department of Defense, is also scheduled for release soon.

The three strategies will have an overarching reach, aiming to secure computer networks of the United States and its international partners, while promoting Internet freedom and cracking down on cybercrime. Cyberspace, meanwhile, will be designated a field of warfare on par with any other, and cyber-attacks from foreign regimes will be regarded in a manner similar to a military attack.

All three strategies, however, come at a time when the problems they seek to address have run rampant for years and are already occurring on a large scale. “This is the start of a very large conversation,” said Andrea Matwyshyn, assistant professor of legal studies and business ethics at the Wharton School, University of Pennsylvania, in a phone interview.

According to Matwyshyn, the next step will need to include discussions with businesses and the establishment of required standards on cybersecurity. In particular, it will need to change a culture of secrecy and brand-image protection into one of openness regarding network breaches.

A key problem in network security is that few companies reveal their network breaches, despite being required to do so under federal securities law, according to a Senate Committee on Commerce, Science, and Transportation press release.

“Securing cyberspace is one of the most important and urgent challenges of our time. In light of the growing threat … it is essential that corporate leaders know their responsibility for managing and disclosing security risk,” stated committee Chairman John Rockefeller in a letter to Securities and Exchange Commission (SEC) Chairman Mary Schapiro.

The problem is that corporations can often act as early warning systems for large-scale cyber-attacks. If a company catches an attack and makes it public, it could protect networks that may not have detected it otherwise. Due to the culture of secrecy, however, an attack found by one company may still affect others.

Many of the larger cyber-attacks, particularly those originating from China over the past few years, had long lists of targets. Among them were Operation Aurora, which hit Google; Operation Night Dragon, which hit energy companies; and GhostNet, which was spying on foreign governments and Chinese dissidents living overseas.

According to the Senate committee, companies also have an obligation to reveal network breaches “so that the American public can learn more about when hackers make efforts to penetrate companies’ computer systems.”

This was seen most recently in the breach of Sony’s networks, which exposed the personal data of more than 100 million users.
