National Security Implications of Cyber Security Policy

The cyber security posture of the United States Government and corporations has national security implications.  Cyber attacks threaten business and the national security of the United States.  Lawmakers draft legislation to counter these cyber threats. The Declaration of Independence outlines life, liberty, and the pursuit of happiness as unalienable rights.  Further, owners, proprietors, and investors are free to develop, market, and sell their goods with little intervention by the government.  Supply and demand determine prices in a free market economy. In a socialist government, the state owns everything.  A socialist government determines product development, quantity, and price.

The Constitution guides United States’ law.  Citizens of the United States elect leaders who craft legislation based on the needs of the country.  The Founding Fathers recognized that a government with limited powers would provide greater freedom to its citizens.  In addition, James Madison (1788) states, “The powers delegated by the proposed Constitution to the federal government, are few and defined.”

Do Government Regulations Affect Business?

Business and government have remained separate. However, there are occasions when government regulates certain activities of business.  Enron, WorldCom, AIG, and Madoff Securities are examples of what happens when businesses do not regulate themselves.  Investors and employees lost billions of dollars in these companies.  Corporate accounting scandals compelled Congress to craft new legislation for accountability and transparency.

The Commerce Clause of the Constitution

The commerce clause is an enumerated power given directly to Congress by the United States Constitution.  As a result, Congress intervenes in the affairs of private business by exercising its power under the commerce clause. David Walter Brown (1904) stated:

The power of Congress, under the Constitution, to regulate commerce among the several States and with foreign nations, covers a field of legislation of vast extent.  The power extends to the regulation not only of the transaction per se, but all of its incidents, the commodity or passenger which is its subject, the instrument by which it is effected, the personal agent who performs it.  It is a power complete in itself, may be exercised to its fullest extent and acknowledges no limitations, other than prescribed by the Constitution. The dual nature of our national system, as composed of States possessing attributes of sovereignty within the Union, imposes no restraints upon Congress when legislating pursuant to its commercial power…(p. 490).

Congress regulates commerce activities for private industry.  In her blog, Mary Dudziak discusses commerce power and its national security implications.  Privacy violations, identity theft, and the security of Personally Identifiable Information (PII) are several reasons why government intervenes.  As a result, Facebook and Google marketing practices have drawn the attention of Congress.

Do I Need a Privacy Policy?

Corporations, health care providers, and government agencies collect, retain, and maintain personally identifiable information (PII) such as name, address, birth date, social security number, driver’s license number, driving record, criminal history, etc.  The United States Department of Homeland Security (DHS) has categories for personally identifiable information (PII) and sensitive personally identifiable information.  DHS defines PII as elements of information that when combined directly or indirectly identify an individual. (DHS, 2011, p. 6).

DHS defines sensitive PII as “personally identifiable information, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual” (DHS, 2011, p. 7).  As a result, social security numbers, birth dates, driver’s license numbers, alien registration numbers, traffic violations history, and criminal histories are examples of sensitive PII. NIST Special Publication 800-122 is a Guide to Protecting the Confidentiality of Personally Identifiable Information.

In the past, companies collected sensitive information on paper forms.  Companies employed physical security measures to guard information.  For instance, safes stored sensitive information inside buildings protected by alarms and armed guards.  Access to the information would require an attacker to be physically present. The attacker would have to defeat the physical security measures used to guard the information. The attacker would need to copy the information if they were able to gain access. Therefore, physical security measures made it more difficult for attackers to steal sensitive information.

HIPAA Privacy and Security Rules

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 codified requirements for the privacy and security of health information at the federal level. Therefore, security controls standardized the electronic transmission of health information. The privacy rule and security rule are technical measures and administrative measures established by HIPAA for the protection of PII.

General (Ret.) Michael Hayden had a distinguished career in the United States Air Force.  General Hayden managed the National Security Agency during and after the terrorist attacks on September 11, 2001.  His next assignment was Director of the Central Intelligence (DCI).  General Hayden stated the following during a PBS (2010) interview, “We have created this new domain, this new space called cyber, and, frankly, it is lawless.  There are no technical barriers up there to protect information” (para. 7).

Why Cyber Security Policy?

Computer servers connected to the Internet store information previously held in safes. Data breaches occur daily.  The recent Marriott data breach is an excellent example.  The security of personally identifiable information is critical to business operations.  Identity theft could result from the mishandling of personally identifiable information.  It could also subject a company to civil litigation and punitive judgments.  The Chronology of Data Breaches report from the Privacy Rights Clearinghouse (2011) “shows more than a half billion sensitive records breached since 2005, leaving Americans vulnerable to identity theft” (para. 1).

The Privacy Rights Clearinghouse (2011) tracks breaches from a) unintended disclosure, b) hacking or malware, c) payment card fraud, d) insiders, e) physical loss, f) portable devices, such as USB flash drives, g) stationary devices, such as servers and hard drives, and h) a category for unknown.  Are you cyber secure?

Critical Sectors and Data Breaches

In the 21st Century, computer systems touch every aspect of our lives.  Most companies now carry some form of cyber insurance to hedge against the cost of a data breach.  The cyber security posture of an organization is critical to its bottom line.  The following examples show the collection and retention of critical information in computer systems.  Each of these sectors can have national security implications.

  • Banking – online money management, wire transfers, etc.
  • e-Commerce – Business-to-business trading partners, personal purchases, etc.
  • Trading – securities, stocks, futures, international markets, etc.
  • Critical Infrastructure – Utilities, power plants, etc.
  • Transportation – airlines, railways, ground transportation
  • Supply Chain Logistics – shipping, manufacturing, etc.
  • Public Safety Systems – police, fire, emergency medical services, etc.

A speaker at a cyber security conference recently asked the attendees how much cash they had in their pockets.  The follow-up question was, “If electronic banking and e-commerce were disrupted for several days, would you have enough cash to survive?”  Trillions of dollars in financial instruments flow through the financial markets of the United States.  United States’ financial markets directly connect to international markets.  The cyber security posture of financial markets can have a significant impact on the national security of the United States and its international trading partners.  Therefore, a domino effect could occur if the electronic trading of securities, stocks, bonds, or futures should come under cyber attack.  Encryption is an integral part of securing financial markets.  Cyber security news and cyber threat intelligence are key components for maintaining situational awareness of the attack landscape.

How Privacy is Addressed Under Cyber Law

Statutes and regulations are the primary method that Congress uses to address the operation of each of these sectors.  Statutes are broad laws published as United States Code (USC).  The Code of Federal Regulations (CFR) is the fine-grained interpretation of the statute normally written by sector specialists and enforced by an agency with authority for a given sector.  In addition, several federal laws are written to address the specific nature of electronic offenses and cyber-offenses:  a) Electronic Communications Privacy Act, b) Computer Security Act of 1987, c) Information Technology Management Reform Act, d) Sarbanes-Oxley Act of 2002, and e) Federal Information Security Management Act (FISMA) of 2002 (Waleski, 2011, p. 52).

How to Protect Critical Infrastructure

According to Article I, Section 8 of the United States Constitution, Congress is empowered to “provide for the common Defence [sic] and general Welfare of the United States.”  Common defense and general welfare are two compelling reasons why Congress may justify regulating cyber security within the private sector.

Two critical events occurred within the electric power industry in 2003.  In January 2003, the SQL Slammer worm hit the electric power sector and made it onto the Supervisory Control and Data Acquisition (SCADA) network of a large utility.  Many SCADA systems were vulnerable because they had not been patched.  Seven months later, in August 2003, one of the largest blackouts in history occurred, and the North American Electric Reliability Council (NERC) was concerned that a cyber attack may have caused it.  NERC identified two primary causes, listed below, for the impact of the SQL Slammer worm.  The cyber security posture of the national electric grid is a key concern for national security.

SQL Slammer and SCADA Systems

First, patches for Microsoft SQL Server had not been applied.  The SQL Slammer worm vulnerability had not been mitigated on key control systems.  Although key SCADA systems were not directly connected to the Internet, the worm reached the internal SCADA network by propagating itself through a remote Virtual Private Network (VPN).  Once the worm made it onto the internal SCADA network, it blocked key command and control communication creating a denial of service inside the SCADA network.

Secondly, the command and control network traffic from the SQL Slammer worm overwhelmed the frame relay.  Fortunately, no mission-critical control systems went down.  Systems Administrators and Network Engineers quickly quarantined the worm and mitigated the vulnerabilities without a loss of service.

Cyber breaches within the critical infrastructure sector can have a significant impact on national security. For example, the blackout in August 2003 affected millions of Americans and every sector of business.  Many people think of the electric power grid when they think of SCADA systems.  Yet, SCADA systems control passenger and commercial transportation systems, natural gas pipeline distribution, oil pipeline distribution, utilities, and nuclear power subsystems.  Attacks on SCADA systems can have national impact.  In December 2011, hackers disrupted signals on passenger railway systems.

Investigators examining the incident believe that foreign hackers may have been responsible for the cyber attacks.  For the December 1st attack, investigators found three IP addresses associated with the attack.  Investigators did not disclose where the attack originated (Homeland Security Newswire, 2012, para. 9).

Disrupting SCADA systems used for passenger railway transportation could cause significant loss of life. Disrupting SCADA systems used for commercial railway transportation could cause propane tankers to explode or hazardous materials tankers to breach if the train were to derail.

How the Internet has Facilitated Cyber Espionage 

Companies in the private sector have a duty to protect their intellectual property by implementing good cyber controls. Therefore, failure to comply with cyber regulations or just meeting the minimum requirements can be devastating.  The theft of intellectual property can completely eliminate a company’s competitive advantage.  CBS News (2012) reported that United States companies lost over $13 billion in trade secrets to China and other countries.  As a result, it may cost a company millions of dollars to research and develop a product only to have it stolen.  Many companies never recover from the loss.  Some businesses fail because foreign competitors with stolen designs can produce, market, and distribute products with little to no overhead and zero research and development (R&D) costs.

The Theft of Trade Secrets Within the Defense Industrial Base

The loss of national defense information can have a devastating impact on military readiness and national security. Foreign intelligence services routinely target the United States military and its Cleared Defense Contractors.  In December 2009, the Federal Bureau of Investigation (FBI) and the Defense Security Service (DSS) conducted a security seminar for Cleared Defense Contractors (CDC). One FBI agent noted:

The Chinese have saved billions of dollars in research and development by stealing U.S. technology. The Chinese replicated the Aegis Battle Management System. The entire ship was replicated by the PRC down to the number of No Smoking signs and the distance between the signs. Over 100 defense contractors worked on the Aegis ship. The collection plan employed by the PRC was multi-faceted spanning all defense contractors.

The Chinese military could not physically compromise the work locations of 100 CDCs.  They did not have to.  Corporate servers, connected to the Internet, contained all the information they needed.  For instance, all it takes is one employee to open a well-crafted spear-phishing e-mail. The attackers drop a malicious payload on the employee’s computer.  With one computer compromised, the attackers establish a beachhead and begin to conduct reconnaissance of the host network.  As a result, the national security of the United States is dependent on the cyber security of government systems and defense contractor systems.

Conclusion

In conclusion, banking, utilities, e-commerce, transportation, public safety services, and other vital sectors of our critical infrastructure are accessible from any access point on the Internet.  State-sponsored groups, foreign intelligence services, and criminals operate within the critical infrastructure of the United States daily.  For instance, cyber criminals steal record amounts of money from banks and other financial institutions.  Threat actors probe utilities, power plants, and pumping stations for vulnerabilities.  Cyber espionage attackers besiege defense contractors.

Cyber attacks threaten business and the national security of the United States.  Therefore, numerous calls have been made for legislation to counter these cyber threats. Congress provides for the common defense and the general welfare of the country.  It has statutory authority to intervene in the private sector under the Commerce clause of the United States Constitution.  The government has intervened in the private sector to regulate certain aspects of business that threaten the general welfare of United States citizens.  If the private sector cannot secure its own infrastructure, Congress may need to intervene further.

References

Brown, D.W. (1904). The exclusive power of Congress to regulate interstate and foreign commerce. Columbia Law Review. 4(7), 490-501. Retrieved from
https://www.jstor.org/stable/pdf/1110766.pdf

Grow, B., Epstein, K., & Tschang, C. (2008). The new E-spionage threat. Business Week.
Retrieved from https://www.bloomberg.com/news/articles/2008-04-09/the-new-e-spionage-threat

Hilt, D.W. (2006). Northeast blackout impact and actions and the Energy Policy Act of 2005. North American Electric Reliability Corporation. Retrieved from
https://www.nerc.com/docs/docs/blackout/ISPE%20Annual%20Conf%20-%20August%2014%20Blackout%20EPA%20of%202005.pdf

Homeland Security News. (2012). Hackers attack U.S. railways. Retrieved from
http://www.homelandsecuritynewswire.com/dr20120125-hackers-attack-u-s-railways

Lehrer, J. (2010, August 10). Hayden: Hackers Force Internet Users to Learn Self-Defense.
Interviewer: Spencer Michels. PBS Newshour. Retrieved from
https://www.pbs.org/newshour/show/hayden-hackers-force-internet-users-to-learn-self-defense

Madison, J. (1788, January 26). Alleged danger from the powers of the Union to the State
Governments considered. Independent Journal. Retrieved from
https://www.constitution.org/fed/federa45.htm

Miller, J. (2012). FBI fighting two-front war on growing enemy-cyber-espionage. CBS News.
Retrieved from https://www.cbsnews.com/news/fbi-fighting-two-front-war-on-growing-enemy-cyber-espionage/

Privacy Rights Clearinghouse. (2010). 500 million sensitive records breached since 2005.
Retrieved from https://www.privacyrights.org/blog/500-million-sensitive-records-breached-2005

The cyber threat to control systems: stronger regulations are necessary to secure the electric grid. Hearing before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the Committee on Homeland Security, 110th Cong. 1 (2007). (opening remarks of Hon. James R. Langevin, chairman of the subcommittee).

United States Department of Health and Human Services (2011). Summary of the HIPAA Rule.
Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

United States Department of Homeland Security (2011). Handbook for safeguarding sensitive personally identifiable information. Retrieved from
https://www.dhs.gov/publication/dhs-handbook-safeguarding-sensitive-pii