This paper explores the role of government in establishing an appropriate legal, social, and ethical framework to enhance cybersecurity. Previous doctrines of cybersecurity are briefly analyzed, and the concept of cybersecurity as a public good is explored. To better understand public cybersecurity, the paper compares it with safety, another public good. Similar to public safety, cybersecurity requires that federal, state, and local government, organizations, and individuals implement good cybersecurity controls that result in the protection of national security. The paper concludes with a set of examples that illustrate the role of government in enhancing cybersecurity and mitigating cyber insecurities.
The use of computers and information technology by organizations and individuals has grown drastically over the last few decades. Recent trends of globalization, outsourcing, offshoring, and cloud computing have changed the structure of organizations and their cyberspace. Information is no longer confined within the walls of the organization (UMUC, 2011). Today's organizations constantly allow their customers and suppliers to access their supply chain management systems. Customers can retrieve product information from their electronic commerce systems, and suppliers need to schedule data and have their own employees log on to the organizations' intranet. Trust is a key element of supply chain operations. Individuals have become more and more dependent on information technology. As employees, they use their computers and mobile devices to remotely access their organizational networks and connect to their friends and families through social networks. Professionals expand their connections and communicate with their colleagues through professional networks, such as LinkedIn.
The global reach of information systems at both the organizational and individual level has raised concerns over security and has made organizations and individuals more vulnerable to security threats. Organizations must pay special attention to cybersecurity. For example, a recent study of software vendors indicated that organizations lose around 0.6 percent in stock price when a vulnerability is reported, and the impact is more severe when the cybersecurity flaws are not addressed in advance (Telang & Wattal, 2007). However, while most organizations consider cybersecurity management critical to their operations, fewer than 25% of them have security measures as an integrated part of their operations (Bosen, 2006).
There is an even darker side of computer systems. They are used to program weapons of mass destruction, biological and chemical weapons, military applications, and financial applications in which trillions of dollars are transferred every day. If these applications fall into the wrong hands, they can have a devastating impact on organizations and on the lives of individuals. Because of this dependence on information systems, cybersecurity concerns have grown in parallel with the development of computer technology itself (Bosworth & Jacobson, 2009). As a result, organizations and computer professionals have developed new technologies for improving cybersecurity. But technological solutions must be deployed carefully, and best practices must protect them from being circumvented by attackers. In addition, cybersecurity policy should create incentives for system developers, operators, and users to act in ways that enhance rather than weaken cybersecurity (Mulligany & Schneider, 2011).
Preparing an appropriate legal environment to enhance cybersecurity and mitigate cyber insecurities requires, among other things, a comprehensive legal framework. At the federal level, the legal framework for cybercrime is currently provided by the U.S. Code, § 1030(a), which lists seven actions considered federal offenses: accessing a computer without authorization; accessing digital financial records; accessing a computer used by a federal agency; accessing a computer and benefiting by more than $5,000 per year; creating and using a computer program to do any of the above; causing physical or medical damage via a computer or computer program; and transmitting a virus with the intent of financial gain (Brenner, 2006). This framework is supplemented by copyright and child pornography laws (Brenner, 2006).
The above legal framework is not adequate. Cybercrime is a unique type of crime, one which involves the use of computers or computer expertise. Cyberspace and cybersecurity are always dependent on technology, and the fast pace of technological change requires equally fast changes in the cybersecurity legal framework. The rapid changes in computer technology make it a formidable task for the U.S. legal system to develop laws related to the security of technology (UMUC, 2011). Another challenge in creating a workable framework for cybersecurity is the "transnational nature" of cybercrime. International jurisdictional issues must be solved through international cooperation among law enforcement agencies. Policies or agreements designed to overcome the challenges of the international nature of cybercrime include mutual legal assistance treaties (MLATs), extradition treaties, and letters rogatory.
There is a compelling need for a cybersecurity doctrine. This paper explores the concept of cybersecurity as a public good. This examination will help to address important questions with regard to the role of government in enhancing cybersecurity. For example, should U.S. taxpayer money be used to enhance the security in cyberspace? Can government intervene and mandate private industries to set up or improve their cybersecurity? What authority gives Congress or the Executive branch the right to regulate this area? Finally, do private organizations have a responsibility to protect national security and comply with cybersecurity regulations and guidelines?
PREVIOUS CYBERSECURITY DOCTRINES
Cybersecurity approaches have evolved as technology has changed over time. The focus of the early cybersecurity doctrine was on developing security technologies (Mulligany & Schneider, 2011). Physical access controls and maintaining proper security protocols were the main focus of security in an environment where there were no online users, no passwords, and no user IDs (Bosworth & Jacobson, 2009).
Subsequent cybersecurity doctrines focused on policy to leverage those technological solutions that were at hand. During the 1980s, mainframes were gradually replaced by local area networks (LANs), and security policies changed accordingly. While mainframes were kept in separate rooms with good physical controls, the typical LAN server had a higher risk of tampering, sabotage, or theft.
In the 1990s, the introduction of wide area networks and the Internet made it easy for anyone (legitimate users or hackers) to access remote data. Computers at Risk (National Research Council, 1991) was an important publication by the System Security Study Committee of the National Research Council and was used as a reference to address cybersecurity concerns. In addition, at this time, security standards were influenced by government initiatives, such as the InfraGard program aimed at protection of the U.S. critical infrastructure (Bosworth & Jacobson, 2009).
Currently, there are two major developments that have raised security concerns: wireless computing and the international operations of mafia-like rings of computer criminals. A recent combination of these two developments resulted in over 41 million stolen credit and debit card records from TJX. The ring consisted of eleven hackers from five countries: the U.S., Estonia, Ukraine, Belarus, and China (Department of Justice, 2008). In addition, distributed denial of service (DDoS) attacks, copyright infringement, child pornography, fraud, and identity theft are ongoing security threats, and no perfect defense measures have been implemented (Bosworth & Jacobson, 2009).
CYBERSECURITY AS A PUBLIC GOOD
Approaching cybersecurity as a public good represents a sensible starting point toward creating an appropriate legal framework (Mulligany & Schneider, 2011). It justifies the role of federal, state, and local governments in implementing policies and initiatives that improve the cybersecurity of individuals and organizations. The definition of "public good" is provided in many mainstream microeconomics textbooks (Varian, 1992; Gravelle & Rees, 2004). These sources define a public good as one that is non-rival and non-excludable. Non-rival means that consumption of the good by one individual does not reduce its availability for consumption by others. Non-excludable means that individuals cannot be easily excluded from using the good.
Public safety is an example of a public good (Cooter & Siegel, 2010). It is non-rival, because a safe population implies a lower prevalence of crime, which in turn decreases the chance that any member will be in danger. It is also non-excludable, because nobody can limit an individual's ability to benefit from a safe environment. The essential characteristics of public safety laws are their focus on the safety of the population as a whole and on the responsibility of government to enhance that safety.
The federal government discharges this responsibility through various government agencies, private organizations, and individuals. Government agencies, for example, are responsible for enforcing laws and standards on food safety, urban safety, and air and water quality. Government can require private organizations to be responsible for safety in the workplace, and it can require individuals to follow road safety laws. Mulligany & Schneider (2011) provide a compelling argument that cybersecurity is a public good. The authors argue that cybersecurity is non-rival, because when an individual benefits from good security measures in a computer system, this benefit does not diminish the ability of other users to benefit from the security of the same system. Similarly, the security from a cyber attack enjoyed by one individual does not detract from the security enjoyed by another individual. Further, protecting the digital rights, patents, copyrights, and trademarks of one group of professionals should not diminish the same rights of another group of professionals.
Cybersecurity is also non-excludable, because individual users of a secure system cannot be easily excluded from benefits that this security brings. For example, if the government enhances security measures against a cyber attack, everyone will be able to benefit from these measures. Excluding individuals from enjoying the benefits of cybersecurity is infeasible or uneconomical. For example, all residents of the U.S. are able to enjoy the existing benefits of cybersecurity with no additional cost.
GOVERNMENT AND CYBERSECURITY
The doctrine of cybersecurity as a public good necessitates the financing of cybersecurity through taxes and justifies the role of government in its attempt to enhance cybersecurity. The doctrine demands that federal, state, and local governments provide a comprehensive legal, social, ethical, regulatory, and liability framework to protect individuals and organizations from the threat of cybercrime or cyberterrorism. The framework will also protect the digital rights, patents, copyrights, trademarks, and other intellectual property rights of individuals and organizations.
Creating this comprehensive framework is a daunting task. The challenges arise because of the ever-changing nature of information technology, the international nature of cybersecurity threats, and the high level of expertise required to enhance cybersecurity. Approaching cybersecurity as a public good allows government agencies to specify goals and the means to achieve those goals. Cybersecurity goals include some agreed-upon kinds and levels of cybersecurity, characterizing who is to be secured, at what cost, and against what kinds of threats. Means might involve technological, educational, and regulatory measures. Some examples of the role of government justified by the doctrine of public cybersecurity include the following:
Enhance Public Education about Cybersecurity
Knowledgeable developers are less likely to build systems that have vulnerabilities. They are also better able, and thus more likely, to embrace leading-edge preventions and mitigations. As cybercrime cases are generally difficult to investigate and prosecute (Brenner, 2006), government can create incentives to focus on the prevention of cybercrime through better education and technical training.
Improve Criminal Justice System to Fight Cybercrime
There is a need for a better legal framework of crime, a framework which includes the tendency of cybercrime to cross borders, especially national borders (Brenner & Schwerha, 2002). Congress must introduce and approve new laws that are designed to deal with the novel ways criminal activity can manifest itself in the online world.
Fight and Prosecute Cyberterrorism
A long struggle with cyberterrorism may be just beginning (Jaeger, 2006). Governments can sponsor agencies that promote cybersecurity and safe behavior online. For example, the National Cyber Security Alliance (NCSA) is a partnership which issues guidelines about operating system upgrades and patches, antivirus software, password protocols, and other safeguards that most individuals, organizations, and businesses can apply to prevent a cyberterrorist attack.
Enforce Regulatory Compliance for Information Security
Today, many organizations store sensitive corporate and personal information in electronic form on local or remote servers. These organizations have an obligation to maintain the security of these data. Based on the premise that cybersecurity is a public good, government has the right to impose regulatory compliance and potential liability in the event of a security breach. During the last few years, the government has approved several regulatory standards, such as HIPAA (Privacy of Individually Identifiable Health Information) in the healthcare industry, FERPA (Family Educational Rights and Privacy Act) in education, consumer protection law as enforced under the FTCA (Federal Trade Commission Act), and the Sarbanes-Oxley Act (SOX), which applies to companies organized in the U.S. or elsewhere (Waleski, 2006).
Regulate Legal, Social, and Ethical Aspects of the Internet
The doctrine of public cybersecurity requires that government create a regulatory and legal framework that balances the benefits of the technology against its detriments to security and freedom rights. The Internet, for example, has empowered ordinary citizens in novel ways but has also created a number of legal, social, and ethical problems. The government protects these rights through such laws as copyright law, electronic speech, Internet censorship, privacy law and the Internet, and secure electronic voting protocols (Himma, 2006).
Protect the Digital Rights, Patents, Copyright, and Trademark Laws on the Internet
As the Internet becomes a critical channel to reach customers, suppliers, and other business partners, the value of digital rights, patents, copyrights, and trademarks has never been higher. Just as in the case of ethical and social rights of individuals, the government must ensure that security concerns are addressed to protect the rights of professionals, inventors, knowledge workers, and business innovators.
This paper argues that cybersecurity should be considered a public good provided by the government. Such an approach to cybersecurity takes a utilitarian view of preventing cybercrime (Starr, 1983). Taking such a view can have a potential negative effect on business in general, in that businesses generally compete by differentiating their products or services (Porter, 1985). Differentiating products or services prevents firms from selling their goods as a commodity, which in turn allows for price differentials. In effect, differentiating products allows firms to charge a "price premium" (Porter, 1985), which increases profit. Differentiation can occur in many different ways, ranging from attributes of the product (more bells and whistles) to better sales service. Organizations dealing with information distribution via the web would not be able to differentiate on security if the government successfully assumed overall responsibility for cybersecurity.
Conversely, free-market capitalism in a laissez-faire environment would enable a particular company to better protect its data and communications relative to other firms. By increasing its overall level of data protection (cybersecurity), a company could differentiate its service relative to other firms. For example, a firm could advertise that its customers have less to fear because of the firm's investment in security. This is especially true if the government did not provide adequate security.
Organizations would likely prefer the utilitarian approach because it would provide a better cost structure for the firm since government would pay for all cyber security as well as a more benevolent information transfer environment. Were total cyber security to be assured to an economy, companies would gain cost savings albeit at the expense of potential gains in competitive advantage.
Unfortunately, in the foreseeable future, the possibility of governments creating a complete guarantee of cybersecurity is remote at best. Therefore, a blended approach is advisable; that is, government provides the base level of security while companies can differentiate themselves on the basis of going the extra mile for in-house security, thus giving customers the opportunity to track information, see new products they might enjoy, and pay fees using their smart devices. This will enhance innovation and competition.
Creating an appropriate social, legal, and ethical framework for cybersecurity is difficult. Cyberspace and cybersecurity are based on fast-changing information technology that crosses state and national borders. Previous doctrines in cybersecurity addressed computer security concerns through physical controls and technological solutions. Cybersecurity is mainly supported by associations of IT professionals and by private and public organizations. This paper explores the concept of cybersecurity as a public good. Such an examination can be used to justify the role of government in enhancing public cybersecurity. Similar to other public goods, such as health and safety, cybersecurity requires that federal, state, and local government organizations, private organizations, and individuals implement good cybersecurity controls that lead to the protection of national security.
In order to understand cybersecurity as a public good, the paper compares cybersecurity to another established public good: public safety. Cybersecurity satisfies both characteristics of public goods: non-rival and non-excludable. The non-rival characteristic means that the security from a cyber attack enjoyed by one citizen does not detract from the security enjoyed by another citizen. The non-excludable characteristic means that excluding individuals from enjoying the benefits of cybersecurity is infeasible or uneconomical. For example, all residents of the U.S. are able to enjoy the existing benefits of cybersecurity with no additional cost.
These two characteristics necessitate the financing of cybersecurity by taxes and justify the role of government in its attempt to enhance cybersecurity. The paper illustrates the role of government in enhancing cybersecurity and mitigating cyber insecurities. This role includes, but is not limited to, enhancing public education about cybersecurity, fighting and prosecuting cyberterrorism, improving the criminal justice system to fight cybercrime, enforcing regulatory compliance for information security, regulating legal, social, and ethical aspects of the Internet, and protecting the digital rights, patents, copyright, and trademark laws on the Internet.
Bosworth, S., & Jacobson, R. V. (2009). Brief history and mission of information system security. In S. Bosworth, M. E. Kabay, & E. Whyne (Eds.), Computer Security Handbook (5th ed., Vol. 1, pp. 1.1-1.20). Hoboken, New Jersey: John Wiley & Sons, Inc.
Brenner, S. W. (2006). Cybercrime and the U.S. criminal justice system. In B. Hussein, Handbook of Information Security (Vol. I, pp. 1-15). Hoboken, New Jersey: John Wiley & Sons, Inc.
Brenner, S. W., & Schwerha, J. J. (2002). Transnational evidence gathering and local prosecution of international cybercrime. John Marshall Journal of Computer and Information Law, 20, 347-394.
Cooter, R. D., & Siegel, ?. S. (2010). Collective action federalism: A general theory of article I, section 8. Stanford Law Review, 63 (1), 112-185.
Department of Justice. (2008, August 8). Press release. Retrieved September 13, 2011, from Department of Justice Website: http://www.justice.gov/opa/pr/2008/August/08-ag-689.html
Gravelle, H., & Rees, R. (2004). Microeconomics. Harlow : FT Pearson Education.
Himma, K. E. (2006). Legal, social, and ethical issues of the Internet. In B. Hussein, Handbook of Information Security (Vol. I, pp. 65-82). Hoboken, New Jersey: John Wiley & Sons, Inc.
Jaeger, C. (2006). Cyberterrorism and information security. In B. Hussein, Handbook of Information Security (Vol. I, pp. 16-39). Hoboken, New Jersey: John Wiley & Sons, Inc.
Mulligany, D. K., & Schneider, F. B. (2011, May 15). Doctrine for cybersecurity. Retrieved August 17, 2011, from eCommons@Cornell: http://hdl.handle.net/1813/22739
National Research Council. (1991). Computers at risk: Safe computing in the information age. Washington D.C.: National Academy Press.
Porter, M. E. (1985). Competitive advantage. New York: Free Press.
Starr, W. (1983). Codes of ethics: Towards a rule-utilitarian justification. Journal of Business Ethics, 2(2), 99-106.
Telang, R., & Wattal, S. (2007). An empirical analysis of the impact of software vulnerability announcements on firm stock price. IEEE Transactions on Software Engineering, 33(8), 544-557.
UMUC. (2011). Cybercrime awareness. Retrieved September 6, 2011, from CSEC620: Module 1: http://tychousal.umuc.edu/cgi-bin/id/FlashSubmit/fs_link.pl?class=1109: CSEC620: 9045 & fs_project_id=343&xload&tmpl=CSECfixed&moduleSelected=csec620_01
UMUC. (2011). The vulnerability of organizational networks and the internet (course content module 2). Retrieved February 7, 2011, from http://tychousa5.umuc.edu/cgi-bin/id/FlashSubmit/ fs_link.pl?class=1102: CSEC610:9044&fs_project_id=304&xload&tmpl=CSEC610fixed&moduleSelected=csec610_02
Varian, H. (1992). Microeconomic analysis. New York: Norton.
Waleski, B. D. (2006). The legal implications of information security: Regulatory compliance and liability. In B. Hussein, Handbook of Information Security (Vol. I, pp. 38-64). Hoboken, New Jersey: John Wiley & Sons, Inc.
Arben Asllani, The University of Tennessee at Chattanooga
Charles Stephen White, The University of Tennessee at Chattanooga
Lawrence Ettkin, The University of Tennessee at Chattanooga…