Academic journal article Policy Review

State-Level Cybersecurity

Article excerpt

The parade of horribles potentially set to march by a cyberattack is by now familiar: No air traffic controllers or airport check-ins; no electronically regulated rail traffic; no computer-dependent overnight deliveries of packages or mail; no paychecks for millions of workers whose employers depend on payroll software; no financial records of funds on deposit and no ATMs; no reliable digital records in hospitals and health centers; no electrical power, resulting in no light, no heat, no operating oil refineries or heating fuel or gasoline; no traffic signals, and no telephone or internet service or effective police protection--such is the list of what could be disabled by an attack on America's computer networks.

Addressing this threat has been assumed to be the task of the federal government. But the dangers posed clearly implicate the police powers traditionally exercised by the states--and the states' interests are significant. As the authors of one recent study noted, states hold the most comprehensive collection of personally identifiable information about their residents, and states routinely rely upon the internet to serve those residents. Health and driving records, educational and criminal records, professional licenses and tax information all are held by state governments.

What role, then, might states play in promoting cybersecurity? Just how great is the threat from cyberattacks? What, indeed, is a cyberattack? How effective are federal and international safeguards? Isn't cybersecurity the proper domain of federal law and international law, rather than the states?

Let's begin with the gravity of the threat. So far as we are aware, as James Lewis has pointed out, in only two incidents have actions taken in cyberspace thus far caused serious damage to critical infrastructure. Neither occurred in the United States. (The first involved the disruption of Syrian air defenses by the Israeli Air Force during the destruction of a Syrian nuclear reactor. The second involved the so-called Stuxnet attacks on Iranian nuclear reactors.) These operations were appropriately termed cyberattacks. They involved destruction or disruption of the sort associated with war; they are thus regulated--to a point--by the international law of armed conflict. Cyber-espionage, on the other hand, involves no destruction or disruption but is aimed at the surreptitious extraction of data. The term cybercrime has been used broadly to describe a wide range of activities, from illegal interference and illegal access to the misuse of devices and content-related offenses. Each of these terms refers as much to the perpetrators as to the act itself. Espionage conducted by other nations has been regarded as a matter for the federal government, whereas theft, the destruction of property, and related offenses committed by individuals and criminal organizations are thought to be the purview of both state and federal governments.

While these distinctions provide a bit of analytic clarity, cyberattacks, cybercrimes, and cyber-espionage do not fit well into existing categories. For one thing, they're usually not easily distinguishable from one another until well after their initiation, if then. All exploit vulnerabilities in computer networks and use similar techniques. Malware that has been downloaded surreptitiously and sits silently on a computer may be intended simply to monitor keystrokes--or it may await the command of a distant operator to erase data, freeze the operating system, or participate in a botnet attack (explained below). Experts often cannot be sure what's afoot without time-consuming and painstaking forensic analysis. Given the instantaneity of strike and counterstrike in cyberspace, this can be impractical. Further, the anonymity of cyberspace and the current state of information technology make it extremely difficult to identify transgressors and to attribute attacks. The absence of attributability severely complicates the application of any legal regime to individual acts. …
