Abstract
Cybersecurity is increasingly growing as a strategic problem of the state, comprehensively affecting the country’s economy. This, of course, includes the interaction between national developers of software and control systems, and manufacturers of equipment and components for the provision of IT infrastructure. For the national cybersecurity to match the highly needed level of information protection, it requires consistent actions of the state aimed at improving the efficiency and development of the system of interaction between participants in the IT industry.
The Cybersecurity Act of 2015
To establish a legal regulation of public and private cybersecurity partnerships, the Cybersecurity Act was passed by the President Obama in 2015. The main concept of the strategy expressed the government’s intention to play a leading role in ensuring national cybersecurity, including a propensity to possess the capability to conduct large-scale reconnaissance, offensive and defensive cyber operations. It should also be noted that at the moment, the adoption of the Strategy for the development of cyber capabilities in the armed forces was relatively inconsistent. Moreover, each division of the U.S. Department of Defense built its platforms and tools for scheduling cyber operations separately. Still, the document did provide additional protection for companies that would voluntarily decide to share cyber threat data with government agencies.
According to the Act, the DHS National Cybersecurity and Communications Integration Center (NCCIC) was obliged then to share the information about every aspect of national cybersecurity. The risks it experienced, threats, incidents, cross-sector and multidimensional analysis – everything became increasingly more public, as the NCCIC shared the data with private sector companies. Out of all the information the NCCIC provided for private companies, the analysis of risks and threats, as well as the reports of the cybersecurity incidents were to be the most useful for these companies. Subsequently, it allowed them to effectively review and improve their cybersecurity protocols, develop new tools and means to ensure more security for the data they held and still hold. Yang et al. (2020) claim that “the introduction of this law is a huge step forward for the cybersecurity industry as it is the first strong step to combat cybersecurity threats – bringing them within an information sharing strategy” (p. 1778). Following the changes, a rapid rise of new technologies in the field of cybersecurity occurred.
In exchange, private sector companies were offered to voluntarily submit their data about cybersecurity threats they collected and held. The Act even went out of its way to protect business representatives from possible lawsuits from users of information on cyber threats transmitted to the authorities contained their data. However, the legislation was vehemently opposed by supporters of limited government control over activity in the cyber environment, as well as by most influencing American corporations of IT sector such as Apple, Google, Amazon, Facebook and Dropbox. In their opinion, the Act served more as a tool of destabilization of partnership between private companies and their companies due to the fact that it could not specifically prevent the possible data leaks.
However, the legislation stated that the data sharing was not mandatory, which had been wise. If the Act proclaimed the companies to be obliged to share their information, it could potentially lead to countermeasures from the private sector, sabotaging the legislation in all the ways possible. Moreover, it would also raise public discontent, as the potential for the customers’ data to be leaked would increase significantly, were the data sharing an obligation for every company.
Regarding the customers’ private data, there was also another issue – the Act did jeopardize the security of confidential data and civil liberties. Moreover, it still has the potential of weakening national cybersecurity. Jasper (2017) states that “throughout the entire process of sharing information, there is the challenge of preserving privacy of both individuals and organizations that may participate in sharing communities, but want their contributions to remain anonymous” (p. 60). To provide more safety for the confidential data of the people of America, the Act needs to be updated – first and foremost, the federal agencies have to develop and employ better cybersecurity measures. The incidents with massive confidential personal data leaks indicate a huge vulnerability in the current federal cybersecurity system. Potential counter-measures would include a decentralized network for sharing information, more elaborate and secure encryption methods and servers protection.
General Data Protection Regulation – a Possibility of Implementation in the United States
The General Data Protection Regulation provides residents of the European Union with the opportunity to manage their data. For example, it allows the customers to ask about the purposes of processing their confidential information, the place of its storage, and employ the right to delete it. The GDPR is not an amendment to previous laws – it is a complete revision of the attitude towards personal data and its protection. New Internet of Things startups should think through all the points related to customers’ personal information at the stage of product development, and not after release, as was often the case before. Due to that, the adoption of the GDPR was called a revolution in IT – because it changed the hierarchy of values in the cybersecurity sector.
For a private sector organization, a U.S. analogue of GDPR would certainly pose more issues than benefits. In most cases, all personal data of the company’s customers are already protected through authorization or access verification in various ways. Even if the information is entered manually by the operator, the process would also require the use of special software and an authorization procedure. However, the GDPR has made its amendments to this procedure, providing for an increase in liability for organizations that are custodians and distributors of personal data of citizens of the European Union.
The perimeter of responsibility of the data controller and data processor extends to the personal communication of company employees, if, during the operations, any information regarding the personal data of customers can be mentioned. Tikkinen-Piri (2018) et al. supply that “data privacy implementation deals with a complex whole, covering different aspects, including company-level awareness raising and training, adoption of organisational and technological data protection measures, and documentation of processing operations” (p. 55). Also, this regulation makes a strict control over the potentially possible location of information obligatory – even if the databases and servers contain it only hypothetically. This also includes temporary storages, databases and others.
Of course, all these warnings are aimed at preventing fraud, hacker attacks and harm to a customer in form of an economic, moral or physical type. The concepts of “privacy by default” and “privacy by design” provide for complete security of personal information without any double-valued and unreasonable actions on the part of the organization that stores or distributes personal data. This kind of legislation, if implemented in the U.S., would make it exponentially harder for the companies to gather and use the personal data of their customers. Paired with EULA, the law has the potential to make some organizations’ approach to personal data illegal, causing them to either get eliminated or rebuild their cybersecurity protocols entirely. Both outcomes are unfavorable to business, therefore, a private sector would have to actively object against the passing of such legislation.
References
Jasper, S. E. (2017). U.S. Cyber Threat Intelligence Sharing Frameworks. International Journal of Intelligence and CounterIntelligence, 30(1), 53–65.
Tikkinen-Piri, C., Rohunen, A., & Markkula, J. (2018). EU General Data Protection Regulation: Changes and implications for personal data collecting companies. Computer Law & Security Review, 34(1), 134–153.
Yang, A., Kwon, Y. J., & Lee, S.-Y. T. (2020). The impact of information sharing legislation on cybersecurity industry. Industrial Management & Data Systems, 120(9), 1777–1794.