.png)
WASHINGTON, DC -- MAY 16: Howard Schmidt (L), special assistant to the president and cybersecurity coordinator, and Deputy Secretary of Defense William Lynn participate in event to launch the U.S. International Strategy for Cyberspace. Foreign ambassadors, technology industry leaders, foreign policy experts, human rights and civil liberties advocates, and leadership from throughout the U.S. Government participated in the event. (Photo by Chip Somodevilla/Getty Images)
The Internet’s days as a lawless frontier may come to an end. The Obama administration announced two cybersecurity strategies over the past week—one national and one international—that will bring governance to cyberspace. A third cyberstrategy, from the Department of Defense, is also scheduled for release soon.
The three strategies will have an overarching reach, aiming to secure computer networks of the United States and its international partners, while promoting Internet freedom and cracking down on cybercrime. Cyberspace, meanwhile, will be designated a field of warfare on par with any other, and cyber-attacks from foreign regimes will be regarded in a manner similar to a military attack.
All three strategies, however, come at a time when the issues they seek to mend have run rampant for years, and are already happening on a large scale. “This is the start of a very large conversation,” said Andrea Matwyshyn, assistant professor of legal studies and business ethics at the Wharton School, University of Pennsylvania, in a phone interview.
According to Matwyshyn, the next step will need to include discussion with businesses and establishing required standards on cybersecurity. In particular, it will need to change a culture of secrecy and protecting brand image, to one of openness regarding network breaches.
A key problem in network security is that few companies reveal their network breaches, despite being required to do so under federal securities law, according to a Senate Committee on Commerce, Science, and Transportation press release.
“Securing cyberspace is one of the most important and urgent challenges of our time. In light of the growing threat … it is essential that corporate leaders know their responsibility for managing and disclosing security risk,” stated committee Chairman John Rockefeller in a letter to Securities and Exchange Commission (SEC) Chairman Mary Schapiro.
The problem is that corporations can often act as early warning systems for large-scale cyber-attacks. If a company catches an attack and makes it public, it could protect networks that may not have detected it otherwise. Due to the culture of secrecy, however, an attack found by one company may still affect others.
Many of the larger cyber-attacks, particularly those originating from China over the past few years, had long lists of targets. Among them were Operation Aurora that hit Google, Operation Night Dragon that hit energy companies, and GhostNet that was spying on foreign governments and Chinese dissidents living overseas.
According to the Senate committee, companies also have an obligation to reveal network breaches “so that the American public can learn more about when hackers make efforts to penetrate companies’ computer systems.”
This was seen most recently in the breach of Sony’s networks, which exposed the personal data of more than 100 million users.
According to Matwyshyn, as the United States rolls out the new cybersecurity strategies, it will need to address the gaps in the business sector, since “security is only as strong as the weakest link.”
Similar discussions will also need to be held in regard to international cyberwarfare, as the definition of a military target becomes less clear in cyberspace.
Part of the issue is that cyber-attacks often strike both public and private enterprises, and key government services and the military still rely on public infrastructures. Thus, in cyberspace, “The definition of what it means to be at war is clearly ambiguous in this situation, as well as who is a government target,” Matwyshyn said.
The United States will likely begin holding international talks on this issue, as it begins confronting countries regularly engaged in cyber-attacks. The new international strategy states such acts will no longer be tolerated, and may even warrant military retaliation.
It states that countries “have an inherent right to self-defense that may be triggered by certain aggressive acts in cyberspace."
“When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country,” it states, adding however that the United States will "exhaust all options before military force whenever we can."
Currently, state-driven cyber-attacks are highly common. How the new strategy plays out, and the actual affect it will have, is yet to be seen.
A classified report from the State Department, released by WikiLeaks stated that the Chinese regime’s military has launched continuous cyber-attacks against U.S. business and government networks since 2002, and the intensity of the attacks is growing.
A 2007 Federal Computer Weekly article, citing a naval network warfare command official, stated that Chinese hackers are the “predominant threat” to Defense Department networks and have almost continuously launched attacks.
