Viewing Cybersecurity as a Public Good: The Role of Governments, Businesses, and Individuals
Asllani, Arben, White, Charles Stephen, Ettkin, Lawrence, Journal of Legal, Ethical and Regulatory Issues
This paper explores the role of government for establishing an appropriate legal, social, and ethical framework to enhance cyber security. Previous doctrines of cyber security are briefly analyzed, and the concept of cybersecurity as a public good is explored. To better understand public cybersecurity, the paper compares it with safety, another public good. Similar to public safety, cybersecurity requires that federal, state, and local government, organizations, and individuals implement good cybersecurity controls that result in to the protection of national security. The paper concludes with a set of examples that illustrate the role of government to enhance cybersecurity and to mitigate cyber insecurities.
The use of computers and information technology by organizations and individuals has grown drastically over the last few decades. Recent trends of globalization, outsourcing, offshoring, and cloud computing, have changed the structure of organizations and their cyberspace. Information is no longer confined within the walls of the organization (UMUC, 201 1). Today's organizations are constantly allowing their customers and suppliers to access their supply chain management systems. Customers can retrieve product information from their Electronic Commerce systems, and suppliers need to schedule data and their own employees to log on into the organizations' intranet. Trust is a key element of supply chain operations. Individuals have become more and more dependent on information technology. As employees, they use their computers and mobile devices to remotely access their organizational networks and connect to their friends and families through social networks. Professionals expand their connections and communicate with their colleagues through professional networks, such as Linkedln.
The global reach of information systems at both the organizational and individual level has raised concerns over security and has made organizations and individuals more vulnerable to security threats. Organizations must pay special attention to cybersecurity. For example, a recent study about software vendors indicated that organizations lose around 0.6 percent in stock price when vulnerability is reported, and the impact is more severe when the cybersecurity flaws are not addressed in advance (Telang & Wattal, 2007). However, while most organizations consider cybersecurity management as critical to their operations, fewer than 25% of them have security measures as an integrated part of their operations (Bosen, 2006).
There is an even darker side of computer systems. They are used to program weapons of mass destruction, biologic and chemical weapons, military applications, and financial applications where trillions of dollars are transferred every day. If these applications fall into the wrong hands, they can have a devastating impact on organizations and the lives of individuals. Because of this dependence on information systems, cybersecurity concerns have grown in parallel with the development of computer technology itself (Bosworth & Jacobson, 2009). As a result, organizations and computer professionals have developed new technologies for improving cybersecurity. But technological solutions must be deployed carefully and best practices must protect them from being circumvented by attackers. In addition, cybersecurity policy should create incentives for system developers, operators, and users to act in ways that enhance rather than weaken cybersecurity (Mulligany & Schneider, 201 1).
Preparing an appropriate legal environment to deal with enhanced cybersecurity and mitigate cyber insecurities requires, among other things, a comprehensive legal framework. At the federal level, the legal framework in cybercrime is currently provided by US Code & 1030 section 1030(a), which includes seven actions considered to be federal offenses, as follows: access computer without authorization; access digital financial records; access a computer used by a federal agency; access a computer and benefit more than $5000 per year; create and use a computer program to do any of the above; cause physical or medical damage via a computer or computer program; and transmit a virus intending to benefit financially (Brenner, 2006). …