- Cybersecurity is a fundamental pillar of national security strategy.
- Online adversaries are advancing in capability and sophistication.
- Legal frameworks for cyberspace are beginning to take shape.
Reality has changed. The physical world in which we live is rapidly merging with the fourth dimension of cyberspace. The geopolitical battleground is no longer just the South China Sea, the oil fields of Arabia, or even the corner of Main and Broad. It’s cyberspace. For all of the opportunities created by the advent of the internet there are corresponding risks. Risk to critical infrastructure. Risk to economic institutions. Risk to national security.
At Breach Memo we will be dealing with cybersecurity at all of these levels and more. We will provide ongoing monitoring and analysis of the international cyber threat landscape, relevant legal frameworks, and incident prevention and response strategies.
Let’s kick off with a synopsis of current circumstances and trends – all of which are certain to have an immediate impact on governments, businesses, and individuals.
Cybersecurity is National Security
Fears about intrusions into military databases and U.S. critical infrastructure are making cybersecurity a central facet of national security strategy. Governments and international institutions are re-calibrating policy objectives to account for changes in the digital threat landscape. In this vein, the Department of Homeland Security (DHS) chose to hire RAND Corporation to open a new research center to assist the U.S. government combat cyberterrorism.
There is a heightened awareness of the importance of strategic collaboration among countries on cybersecurity issues. Case in point, the Center for Strategic and International Studies (CSIS), hosted a meeting last year with Australian prime minister Malcolm Turnbull and U.S. Secretary of Homeland Security Jeh Johnson to discuss how the two countries could cooperate to further secure both countries’ digital infrastructures. Australia, after implementation of its new cybersecurity strategy, established itself as a leader in cybersecurity issues and could play a key regional role in combating cybercrime, cyberterrorism, and state sponsored hacking in the Asia-Pacific region.
The role of cybersecurity into geopolitical strategy is likely to increase at a rapid pace. A newly directed U.S. foreign policy portends the increased use of cyberspace to express policy and posture. More on this in an upcoming memo.
Networks are Still Vulnerable
As online adversaries continue to advance in their ability to deploy damaging cyberweapons, corporate stakeholders are being urged to do what they can to increase baseline security standards for their networks. Both the public and private sector have built out intricate network structures over the years. All of them are inherently vulnerable. Data breaches are now so common, that one in four of all adults in America were notified about a data breach by companies or services with which they do business. The advice from CSIS to U.S. policymakers to prevent ongoing security breaches from becoming “the new norm” is to increase the baseline security standards for all networks, and to raise the “cost” incurred by hackers to get into systems. Look to upcoming Breach Memos for more discussion on the CSIS recommendations as well as other related strategies.
Adversaries are Increasing Capabilities
This past year saw a dramatic increase in the quantity and complexity of government and state-sponsored hacking.
Public discourse has been dominated by Russian cyber capability and deployment. Despite all of the talk about Russia, it is the Chinese government that engaged in last year’s most impressive show of force in cyberspace. The Chinese hack of the Office of Personnel Management (OPM), where over 5.6 million fingerprint records of U.S. federal employees were stolen, was one of the biggest government sponsored cyber intrusions in history.
Chinese hackers were also responsible for the hack of a separate background check database, gaining access to what’s known as SF-86 data of people that have applied for U.S. government jobs. This intrusion exposed applicants financial histories, investment records, children’s and relatives’ names, foreign trips taken and contacts with foreign nationals, past residences, and names of neighbors and close friends.
Legal Frameworks are Still Evolving
Legal frameworks for governing cyberspace have been slow to develop but are beginning to take shape. These new frameworks will have a significant impact on the cybersecurity landscape both here and abroad.
In the United States, the Supreme Court issued a landmark privacy opinion, Spokeo, Inc. v. Robin, where the Court considered the nature of the injury required for a plaintiff to sue in federal court. The decision in Spokeo signaled that for privacy litigants that a statutory violation alone is not all that is constitutionally required for standing, limiting plaintiff’s ability to rely on the Fair Credit and Reporting Act, Telephone Consumer Protections Act or Wiretap Act as a basis for litigation. This decision limits the ability of class action litigants, who may not have suffered a concrete injury, to sue for damages and redress.
Internationally, the Chinese government implemented a cybersecurity law which requires internet operators to cooperate with investigations involving crime and national security, and imposes mandatory testing and certification of computer equipment. Under this new Chinese law, Silicon Valley tech firms and other American enterprises must consider the consequences that will accompany Beijing’s unfettered access to corporate intellectual property and proprietary data.
Individual states are beginning to develop regulatory frameworks in order to address the new cybersecurity landscape. New York State’s first-in-the-nation cybersecurity regulations are set to take effect March 1.
A Brave New World
It’s a new world out there – one filled with opportunity but also with a new kind of threat – a threat more ubiquitous than any we’ve ever known and with repercussions we can only imagine. With that ubiquitous threat comes a new found responsibility for us all.
We’re here to help. Welcome to Breach Memo.
Author: Josh Rittenberg
Josh Rittenberg is the Founder and Editor of Breach Memo. He is an attorney in New York City who first became interested in emerging threats while working as an analyst at the Center for Strategic and International Studies (CSIS) Transnational Threats Program in Washington, DC. He has been published by NPR, The American Lawyer, Corporate Counsel, and the CSIS Transnational Threats Update. The views expressed in this blog are his personally and not those of any other person, organization, or other entity.