National defense is one of a government's core responsibilities. The pursuit traditionally has played out on land, over water and, since the 20th century, in air and space. But today, cyberspace is emerging as the latest theater of national defense as governments around the world take more of their critical functions and day-to-day operations online. And the internet is such a recent phenomenon that, unlike the other theaters of defense, it lacks international agreements and institutions to govern it.
At least for now. To address the pitfalls in the current regulatory system (or lack thereof) New York State's Department of Financial Services will begin enforcing a new set of cybersecurity regulations Aug. 28. Financial services firms in New York by that time will have had 180 days to bring their operations into compliance with the new measures, which first took effect in March. The regulations are broad, requiring companies to have a cybersecurity program with policies on protecting data, restricting access, maintaining awareness of attacks and responding to them — all things that require a chief information security officer to oversee their implementation. By adopting the new rules, the State of New York has joined a growing movement among governmental entities to start holding companies and private citizens more accountable for their own cybersecurity. The wave of regulation promises to usher in a new era in the internet's development — and in the age-old debate over how far the government should go to advance national security interests.
Sticking to the Rules
For better or worse, thousands of regulations at the federal, state and local levels exist to limit what commercial and private interests can do. The U.S. government regulates vehicle specifications and promotes best practices through the National Highway Traffic Safety Administration (NHTSA), while state governments set minimum safety requirements for vehicles driving on public roads. The Food and Drug Administration (FDA) approves new drugs and medical devices. And the Securities and Exchange Commission (SEC) punishes financial institutions that do business with the United States' political enemies.
In the realm of cyberspace, however, Washington has fewer regulatory tools at its disposal. Companies such as Verizon and AT&T Inc. control much of the infrastructure that makes the internet possible in the United States. Tech giants such as Amazon, Facebook and Google own the centers that store and share data. And firms such as Apple Inc., Microsoft Corp. and Lenovo Group Ltd. produce much of the physical hardware that supports networks. So though the U.S. government owns and operates networks and the hardware components necessary to maintain them, it is hardly the predominant force in the field. Because cyberspace is so heavily diversified, moreover, its oversight is diffuse. No single body is responsible for policing the internet in the same way that the Federal Aviation Administration, Coast Guard, or Customs and Border Protection secure the air, sea and land.
That's not to say that the U.S. government isn't invested in cybersecurity. The Defense and Homeland Security departments have prioritized shoring up government networks against attacks, staying on top of emerging threats and developing offensive capabilities. Even so, Washington recognizes that it can't control the internet as it does other theaters of defense. To fill in the gaps, government agencies work with private companies and individuals to keep the growing role of cyberspace in nearly all aspects of daily life from becoming a crippling liability.
Better Regulate Than Never?
But their efforts have sometimes fallen short in the absence of regulatory oversight. In October 2016, for example, a distributed denial of service (DDoS) attack hijacked over 100,000 devices, ranging from digital video recorders to baby monitors, to try to incapacitate Dyn Inc., which handles internet traffic for such companies as Netflix and Twitter. Most of the devices co-opted during the attack were poorly protected because their manufacturers had neglected to provide — or their users had disregarded — basic security features, including unique password requirements and regular software updates. Without these safeguards in place, the aggressors had little trouble mustering their botnet army. Many of the companies that manufactured the hijacked devices responded by recalling the products and bolstering security features. Still, their actions may not be enough to stave off similar cyberattacks in the future. The Federal Communications Commission, after all, has yet to issue a regulation specifying what features manufacturers must include to prevent intruders from gaining unauthorized access to internet-capable devices or how often they must release software updates. As thousands more "smart" machines and appliances come online each day, the internet of things will pose an even greater security risk, so long as its component devices are vulnerable.
To mitigate the threat and firm up cybersecurity practices, governmental entities are adapting their regulations and guidelines. Law enforcement agencies are working to build a body of case law to determine the limits of acceptable behavior in cyberspace, a field that lies within their jurisdiction even if it's beyond their control. The U.S. legislature, meanwhile, is drafting new laws and amending existing statutes to accommodate the rapidly changing landscape of the internet. As computers proliferate and make their way into more and more consumer goods, the bureaucracy in charge of cybersecurity will grow in turn, at least in the United States. The country, built as it was around the rule of law, tends to take a legalistic approach to issues like cybersecurity. Nations such as China and Russia, by contrast, prefer a heavier hand to keep internet users in line with their political systems.
At the same time, cyberspace is increasingly encroaching into areas that are already heavily regulated, such as the automotive, health care and financial sectors. In the wake of the DDoS attack in October 2016, the NHTSA issued guidance encouraging car manufacturers to prioritize cybersecurity in their vehicles and to establish standard cybersecurity practices. The more passenger vehicles incorporate computers into their basic operations, the greater the opportunity to exploit weaknesses in the technology, perhaps to deadly effect. (A car becomes a much more dangerous weapon in a cyberattack than, say, a DVR.) In April, the FDA threatened to take adverse action against an unnamed health care company unless the firm addressed known vulnerabilities in its devices. The SEC, likewise, fined a company $1 million in 2016 after one of its employees mishandled customer data that a hacker then compromised. The hacker appears to have stopped short of using the data for criminal ends, but the SEC nevertheless found the firm at fault for failing to prevent the breach.
A Brave New World
The mounting legal precedents and thickening rule books seem to herald the end of the internet's freewheeling era and the start of a new chapter. The transition will bring advantages as well as disadvantages. On the one hand, fortifying the United States' ecosystem of computer networks will help protect companies and consumers against cyberattacks that can lead to devastating disruptions and financial loss. Increased regulation, moreover, will help distinguish the responsibilities of the state from those of a company or individual, thereby enabling firms and citizens to focus their resources accordingly.
On the other hand, complying with regulations is a costly endeavor and one that can stifle small companies, such as the start-ups that drive innovation in the tech sector. Furthermore, based on the SEC's and FDA's recent actions, the threat of litigation against companies over information breaches appears to be rising; in time, a firm may even face charges if it is the victim of a cyberattack. And then there's the risk of complacency. Many companies, particularly in the tech sector, are worried that working within prescribed cybersecurity regulations will blunt the competitive edge they cultivated during the lawless days of the early internet.
With each new attack that affects U.S. companies and individuals, however, the calls for enhanced cybersecurity will grow louder. Regulators will respond by setting minimum security requirements for the rapidly expanding web of consumer products with microchips embedded in them. The cybersecurity bureaucracy will mature, and as it does, it will start to look more like the other entities tasked with ensuring national security. The United States will amass a stockpile of cyber weapons, ramp up its intelligence gathering and become more assertive in controlling conflicts in cyberspace. For now, the internet is still the playground of engineers and entrepreneurs. But they will have to yield to lawyers, compliance officers and auditors soon enough.