No threat facing America has grown as fast, or in a manner as difficult to understand, as the danger from cyberattacks. While the cyber threats to U.S. interests are real, the digital sky is not falling. As such, the U.S. must do more to secure its networks—but first, it must do no harm.
While prior Administrations have taken some steps to improve the overall security of the nation’s networks, it has not been enough. Add to this the constantly changing threats and vulnerabilities in the cyber domain, and the U.S. remains unprepared.
There have been several legislative fights over cyber bills. While some have characterized these as partisan battles that have left America exposed to a growing variety of cyber threats, this is not generally true. Many cyber bills have had bipartisan support as well as bipartisan opposition. The fight is not over aneedfor appropriate cyber legislation; the fight is over how to define “appropriate.”
One of the main points of contention is the degree to which federal regulatory powers should play a role in cybersecurity. Many seem to think reflexively that this 19th-century solution is the answer. Those with a little more understanding of the dynamic and fast-moving nature of cyber threats see regulation as far too slow and clumsy, and recognize that it might actually hinder security by building a culture of mere compliance with regulations and a false sense of security against enemies who are agile, motivated, and clever.
In terms of the threats the U.S. faces, nation-state hackers are the most serious. Russia presents the most sophisticated cyber threat, with China as a close second. The U.S. has implicated Russia in efforts to hack U.S. political entities such as the Democratic National Committee. Russian hackers are also believed to be behind multiple cyberattacks that took down portions of Ukraine’s electric grid.
China has a strong desire to jump-start its economic efforts by rampant theft of commercial intellectual property. The cybersecurity breach of the Office of Personnel Management (OPM), a campaign believed to be undertaken by the Chinese government, resulted in compromised information of at least 20 million federal employees. Iran and North Korea are much less sophisticated than the two giants, but what they lack in expertise they make up for in malice. The 2012 “Shamoon” virus unleashed on the Saudi ARAMCO oil production company, for instance, was a brute-force attack that destroyed 30,000 computers.
North Korea has also conducted high-profile cyberattacks against the U.S., the most notable being the one launched against Sony Entertainment, allegedly over a movie depicting North Korea in a negative light. The hackers took terabytes of private data and released confidential information, including fiveundistributed Sony movies, to the public. In addition to these nation-states, cyber criminals, hacktivists, and terrorists all seek to use cyberspace for their own ends.
To address this growing threat, the U.S. should leverage the forces of the market, motivating the private sector to make the sort of continual and dynamic investment needed to secure the country’s diverse cyber networks. The Heritage Foundation has developed legislative policy proposals to begin making sorely needed improvements.
FACT: Cyberattacks and espionage are costly to the U.S. and global economy.
- Cyber breaches are projected to cost the global economy $2.1 trillion by 2019, more than quadrupling the cost since 2015.
- IBM’s 2016 Cyber Security Intelligence Index says that health care, financial services, and manufacturing are the top three sectors targeted by hackers due to of the vast quantity of personal information and potential monetary gain that exist in those fields.
- Multiple firms project that by 2020, 30 billion devices will be connected to the “Internet of things,” a huge growth in devices that connects ever more of daily life to the Web.
- The cyber-insurance industry is already estimated to be worth well over $3 billion, and will provide a market mechanism for quantifying cyber risks and encouraging companies to improve their security.
To read more on this issue see Solutions: The Policy Briefing Book