Cybersecurity Law and Policy: Privacy and Security
The proceeding research on cybersecurity laws and policies examines concepts within the discipline that can assist cybersecurity professionals with identifying methods of how to improve privacy and security on home and professional networks. The practical information can be used as a resource for cybersecurity professionals to implement during computer forensics and threat detection. The theoretical information is an assertion that suggests that the development of international security policies and peace treaties can make cyberspace safer along with governments, organizations and internet users around the world. Overall, the creation of cybersecurity law and policies is a global issue that becomes more important as technology and threat agents continue to evolve.
Privacy for Internet Users and Law Enforcement
After reviewing the course materials, it becomes apparent that the study of cybersecurity law and policy leads to a debate on privacy vs. security. Both concepts are needed for effective cybersecurity operations across many disciplines, but the implementation is never even; computer users will have to make the decision if privacy or security is more important to them when deciding on what technologies to use (Schwartz & Solove, 2018). The same is true for government operations, but with federal entities much more is at stake. When governments make decisions on privacy vs. security they can result in having an effect on law enforcement operations, national and international security. When cybersecurity professionals make decisions regarding privacy and security they have the ability to impact the daily lives of the people they serve.
The Importance of Security
The concept of security refers to an entities or department’s ability to ensure the protection of information, systems and networks. The use of security is an ongoing process, especially in developed countries like the United States that have a wide number of internet service providers (ISPs) to depend upon for the transmission and storage of information, as well as maintaining the operations of the country’s critical infrastructures. Security is implemented in technology in a variety of ways. Individual computer users have the opportunity to use software that will protect their systems and networks from malicious activities and increasing the security of a home network. Law enforcement and cybersecurity forensic examiners also need to make decisions regarding the types of technology they will use in order to discover evidence of a cybercriminal’s illegal activities. Corporations and governments have the responsibility to ensure that their cybersecurity departments have the most up-to-date software and physical devices like firewalls, intrusion detection prevention systems (IDPS) and other forms of hardware that can keep the organizations safe.
The Importance of Privacy. Privacy, on the other hand, refers to user’s ability to store data and prevent it from being accessed by unauthorized parties. Privacy is an issue at a variety of stages throughout the process of using technology. It can be an issue for consumers when they are deciding on the types of smartphones, computers and other devices to purchase. Some brands have the reputation of making products that ensure user security, they may be a little more expensive but in the long-run it can be a good investment for a home network. When it comes to privacy regarding corporations and governments it makes the concept more complex. Many other components are considered when a business or government department decides what their technical needs are and how they will maintain privacy. A strong encryption method and strategy for business and government is essential for ensuring privacy of the organization (Menders, 2019). Also, the creation of security policies within organizations should establish a framework through which all staff can become aware of the things they need to do to maintain an adequate level of privacy.
How Cybersecurity Effects Privacy and Security
Things get significantly more challenging when the two concepts need to work together. For example, during law enforcement and cybersecurity forensic examiner monitoring and collecting of intelligence and evidence, they have to make judgement calls on both privacy and security in order to know when is the appropriate time to comfiscate evidence and what kinds of examinations are needed after the evidence has been collected (Schwartz & Solove, 2018). It is important for them to be familiar with the nuances of law and policy in order to conduct professional behavior that is not a risk to the organization. In a best-case scenario, both privacy and security will be maintained at a high level; however, in the majority of cases inequalities between privacy and security must be addressed in order for investigations, monitoring and surveillance efforts to occur ethically and efficiently.
Features of Cybersecurity Laws and Policies
Effective cybersecurity policies feature the following four components: security, privacy, fairness and accountability. Each category has a specific reason for implementation that would benefit governments and organizations (Poel, 2020). These four categories have an impact on individual internet users, employees, people in public and those responsible for managing critical infrastructures (CIs). In order to create an effective policy each category should have its own space and they should not be in conflict with each other. Conflicts are noted by cybersecurity personnel and discussed with a supervisor or manager who can provide ideas on how to mitigate technical and non-technical aspects of cybersecurity policies.
Security is also an important feature of cybersecurity policies. It is important for cybersecurity to implement local and cloud backups on a regular basis. When companies and government fail to have a backup strategy it usually is a detriment for the organization (Henning, 2018). It is good policy to backup all devices that are used at an organization, including the internet of things (IOT). When implementing both local and cloud backup strategies it reduces the risk of vulnerabilities and other threat agents. Using cloud services for backups is now considered a best cybersecurity strategy. A part of a good policy has a section on how to handle lost or stolen devices. It is also important to explain to staff how not to fall for phishing or any other social engineering techniques while using technology. Policy should also educate users on the dangers of public Wi-Fi, passwords and authentication, identity theft and data breaches.
Funding and Department of Homeland Security
The U.S. invests time and budgets each year to fund programs that protect CIs. The Cybersecurity National Action Plan (CNAPS) is currently operating through the Department of Homeland Security (DHS) (Skeath, 2016). The program’s purpose is to protect citizens, resources and CIs from being cyberattacked by threat agents. This program is about being prepared to prevent or respond to acts of cybercrime, cyberterrorism and cyberwar. In order to ensure that government systems and networks are protected, the program calls for the collaboration with private sector companies in order for DHS to reach its privacy and security goals. This public-private partnership gives the government much more flexibility to deploy offensive and defensive cybersecurity operations through DHS. One of the key areas is the National Information Infrastructure part of DHS that handles cybersecurity issues regarding CIs. The goal is to prevent CIs from having vulnerabilities from threat agents or insider threats. It is a part of the overall strategy to promote the safe operations of CIs within the U.S.
Resources and Department of Defense. Most of the U.S.’s cybersecurity resources are allocated to the DoD as it has a responsibility to protect CIs and the entire country from cyberattacks by foreign adversaries. Even though the DoD is a part of the National Action Plan, many operations occur independently from DHS. DoD has its computing resources that it can allocate through cyberspace to reach other territories around the world. Most of the planning regarding the DoD concerns the implementing of offensive cybersecurity measures that promote the privacy and security of the U.S. Emerging threats are evolving throughout cyberspace and it is realistic to assert that the DoD will almost exclusively focus on the strategies needed to protect the U.S. and its CIs with their strategies on an ongoing basis. DHS, on the other hand, will have the opportunity to collaborate with other government agencies and private corporations in order to meet its goals. However, it is important to not view the DoD as a completely separate entity within U.S. cybersecurity laws and policies. Cybersecurity lacks international peace treaties, if such diplomacy is to be made valid between two countries or a collection of them, part of the negotiations will be based on what each state actor implements throughout cyberspace. DoD would be the most appropriate government organization to provide metrics and analytics on the details of cybersecurity operations conducted by the DoD and the actions of other countries that the U.S. has collected intelligence on.
Cybersecurity has become a global issue; all developing nations need to have a cybersecurity plan in order to protect individuals, organizations and government within territories (Ryan, 2017). With the goal of promoting privacy and security, the U.S. and other state actors should commit to providing computing resources to cybersecurity departments on an ongoing basis. Some critics fail to understand that cybersecurity is something that should be appropriated by government budgets at least annually in order for DHS and the DoD to have enough resources to protect the U.S. This commitment to implement cybersecurity measures also has a direct impact on CIs, which need to operate without disruptions in order to prevent cyberattacks that could cause devastation.
The Impact of the Fourth Amendment
An essential component of the privacy vs. security debate is the use of the Fourth Amendment, which gives the people to right to be protected from unreasonable searches (“Fourth Amendment,” 2021). It is important for law enforcement and cybersecurity personnel to examine the applicability of the Four Amendment. Law enforcement and cybersecurity has the constant need to figure out if evidence or the seizure of an individual is protected under the Fourth Amendment. Law enforcement needs to look at the laws, the specific statues, they can use to justify the search and seizure of individuals and their property and possessions that may have led to criminal activity. Without these statues, law enforcement and cybersecurity are at risk if they choose to search and seizure individuals that are protected by the Fourth Amendment. Next the investigating agencies need to know if the search and seizure is reasonable. This typically means that they will need a search warrant before having the authority to search and seizure a suspect. They will also need to understand how the Fourth Amendment is enforced. It happens frequently in the courts that some evidence will be off limits for examination because someone will be protected by the Fourth Amendment and not required to introduce certain pieces of potential evidence into court. Law enforcement in particular will be looking for “reasonable” suspicion that will supersede Fourth Amendment rights and give them the authority for search and seizure. The ideal circumstance is for the police to acquire a warrant and have probable cause on their side simultaneously; during these scenarios the Fourth Amendment no long applies.
Cybercrime is one of the most serious problems in the electronic age (Ryan, 2017). One of the reasons for this is that cybercriminal activity is diverse. Cybercrimes may be cyberattacking or gaining unauthorized access to networks, and being a possibility to threats through social engineering techniques. These types of problems make it more difficult to support privacy and security. The Fourth Amendment may apply to criminal activities that occurs on any technical device. The law is evolving in order to correspond with emerging threats. Fourth Amendment has many applications including plain view, inevitable discovery and exigent circumstances. The goal is to protect the person’s Fourth Amendment rights at all times, especially due to cybercrimes like fraud, and illegal search and seizure.
Even though cybersecurity laws and policies change over time, the Fourth Amendment consistently remains a safeguard against search and seizure. The creation of digital storing devices is making the Fourth Amendment appear in cases with emerging forms of technology: servers, tablets, smart watches, smote phones, IOT devices and traditional computers and laptops. Each form of information and data that is stored on these devices, the Fourth Amendment applies should they be needed for search and seizure during investigations and lawsuits. Since many user’s password-protect their information, it can be difficult for law enforcement to retrieve data on a piece of technology that is considered evidence. When users apply some form of encryption to their information, it is protected by the Fourth Amendment and increases privacy and security for the user.
The U.S. manages CIs through national and international laws and policies. Since technology is constantly evolving it is imperative for cybersecurity personnel to remain updated with the latest practical information on emerging threats. The key area that cybersecurity laws and policies will affect are the supervisory control and data acquisition (SCADA) which is used to manage CIs through networks. Since SCADA is now connected to the internet for remote access they can be cyberattacked like other components of a computer (Brook, 2018). It has been stated that the U.S. is one of the most vulnerable countries due to its dependency on networks. Due to interdependency, the U.S. works with other countries for implementing cybersecurity laws and policies for the protection of CIs and internet users.
The U.S.’s vulnerability is largely due to the fact that they have to work with privately owned ISPs that are capable of being cyberattacked. Cyberattacks at governments and organizations can result in either’s reputation being damaged. Government has a way of improving its reputation by developing and implementing new cybersecurity laws and policies that reflect current emerging threats. Companies, on the other hand, that cannot ensure the privacy and security of information may have their reputation damaged so much that they can no longer operate as a business; this occurs frequently with new and existing technology companies. International policies should inform countries on how to mitigate cyberattacks, collect intelligence and share the information with allies.
CIs are now interdependent with each other, which requires state actors to collaborate with others in order to implement effective cybersecurity laws and policies (Petit & Lewis, 2021). International policies and peace treaties are used to manage CIs, networks and systems in multiple territories with each participant willing to assist the other in offensive and defensive cybersecurity operations. These laws and policies make it easier for intelligence gathering to occur as well as the sharing of information with allies.
The Reasonable Expectation of Privacy Test
In most cases law enforcement will find reasonable suspicion, search and seizure. However, in cases like Winston v. Lee that deemed it irresponsible to introduce a bullet lodged in someone chest as a reasonable cause for search and seizure. Another area of key importance is the scope of warrants. Law enforcement and cybersecurity professionals can only use search and seizure on the locations and items outlined on the warrant. All other areas are subject to Fourth Amendment rights. The federal and state governments are required to follow the same law and policies procedures as law enforcement. Another key area is Reasonable Expectation of Privacy Test, where a person who is a suspect can provide a reasonable expectation of privacy based on if people in society would most likely deem it reasonable as well.
The Use of Surveillance Techniques
The use of surveillance techniques also requires reasonable suspicion, a warrant or court order. One of the most frequent areas where surveillance takes place is through wiretapping, where someone is able to intercept messages through any telecommunications services. In Olmstead v. United States the government intercepted the suspects communications and discovered that he was harboring and selling intoxicants during the prohibition. This case set the standard for giving government the opportunity to provide surveillance, specifically through intercepting communications, as a lawful way of intelligence gathering and introducing their findings as evidence in court.
Information Gathering and the First and Fourth Amendment
Surveillance Law
It is important to note the existence of two types of electronic surveillance law: one that occurs on the state level and the other on the federal level. In some cases, the state law offers more protection than the federal version. For example, state surveillance laws often require the consent of all parties before law enforcement and cybersecurity can use their information and devices for gathering intelligence without negating the First and Fourth Amendments. The federal surveillance laws typically give law enforcement the capability to conduct offensive cybersecurity operations without the consent of the person with the data and devices that are potential pieces of evidence.
The state laws are often stricter than the federal ones. For example, Linda Tripp made recorded conversations with Monica Lewinsky in regarding to her affair with President Clinton available to the news media. Within the state of Maryland it is possible to get up to 10 years in prison and a fine for releasing the evidence without the consent of all parties. Fortunately, she was granted immunity by the federal government; however, the majority of cases within Maryland will not be with high profile defendants, it can be assumed that the average citizen will not be granted immunity and face harsh penalties from the judicial branch. In regards to surveillance law, it can have a direct impact on both privacy and security.
Search and Seizures
Defendants should be very careful about the potential evidence that may be available for search and seizure (“Failing to Keep Pace,” 2018). A good defense attorney will try to narrow the scope of the technologies and other items that are available to be searched and seized during the discovery process of a lawsuit. In the United States, defendants have a difficult time getting judges to deny prosecution from collecting their computers, smartphones and IOT devices. These technologies can be collected even if the entire product is not the subject of the court proceeding. In United States v. Lacy, a warrant was sent to Lacy that indicated that his computer hard drive needed to be searched and seized; however, he made a counter claim that it is unreasonable to turn over his entire computer systems when they are only looking for the hard drive. The court found that the assertion lacked a sufficient reason for being withheld and he was forced to introduce his entire computer system as evidence in the case.
The search and seizure principals are complex in nature in regards to technology. One of the biggest questions is that if the entire computer itself is a container or are each individual components of the computer considered to be containers? Also, at what point does the Fourth Amendment provide protection against search and seizure. In United States v. Gorshkov, computer evidence went through the search and seizure process because the Fourth Amendment did not apply as it did not interrupt the defendant’s possessory interest (Attfield, 2006). Search and seizure are two more concepts that directly impact privacy and security.
Treaties and Regulations Recommendations
A lack of treaties and recommendations exists in regards to cybersecurity law and policy. Many different scenarios exist that have an influence on law enforcement and cybersecurity’s ability to search and seizure technology that holds potential evidence. However, it is accurate to assert that the current laws and policies are more useful to law enforcement than dependents. Since many of the laws and policies lack specification with specific areas of computer systems that can be collected, all of a defendant’s computer system can be made available for search and seizure, decreasing their privacy and security.
In some cases defendants use password protection on their devices. The courts have to wonder if it is appropriate for the prosecution to request access to the devices and to ask the defendant for any password-protected files or encrypted data. In many cases, the entire computer system must be submitted as evidence, and defendants that refuse to give access to information the fact would be introduced in a court proceeding as an indication of them not playing by the rules or an indication of guilt. A good cybersecurity solution is to use treaties and regulations that protect the defendant from providing access to password-protected information and encrypted data for files that are beyond the scope of investigation, instead of taking an entire machine that will mostly be comprised of data that has no relation to the case. Levels of privacy and security will differ from case to case, but it is safe to assert that privacy and security will be impacted on some level throughout these court cases.
Many cybersecurity analyst believe that defendants should be given a right to delete content that has been used within an investigation and has been deemed to not be directly correlated with the other collected evidence of the trial. Since the information is admissible they would have the right to delete the information. A good treaty or regulation would give people the ability to remove or delete information that turns out to have nothing to do with the case. Although it may appear that deleting information during the investigation period of a court proceeding as getting rid of the evidence, that may not be true in all circumstances. Perhaps the defendant has personal information on their system that they do not want to appear in court data, which would make it appropriate for them to remove or delete such information.
Right now the Supreme Court and other judicial entities have the right to search and seizure technology on the border without a warrant or any other legal document. This is actually a policy that does not need a new recommendation. I believe that laptops, IOT devices and others that have a threat of crossing state lines should be prevented by the judicial system. It would be nice if authorities were to acquire a warrant first before search and seizure of these technologies, but it does seem appropriate to collect evidence before it flees the state.
In Microsoft v. United States, federal attorneys wanted to gain access to information stored on a Microsoft server in Ireland (Schwartz & Solove, 2018). The judge decided that since the information is outside the United States, it can not demand Microsoft to make the information available. Federal attorneys argued that Microsoft has the ability to access the information within the country and would not need to go to Ireland to do so. Since the information on the server is available in the U.S. it is not a problem with retrieving it. The courts ultimately decided that the information on the server in Ireland was off limits as it would violate laws within that country. This occurred even though the government obtained and wanted to conduct search and seizure under the Stored Communications Act (SCA). The SCA could be amended to include the ability to search and seizure technology that is owned by American companies but is stored around the world. As cloud computing becomes more popular each year, the chances that a cybercriminal will store evidence in cloud computing resources will increase, making changes to SCA could help investigators gain more access to pertinent information, even when they are stored in servers outside of the United States.
The Fourth Amendment Framework
The Fourth Amendment Framework is a constitutional protection for all Americans. The Constitution explains it as a protection from unreasonable searches and seizures by government. However, the protection is not guaranteed in every circumstance, it is only for those that are deemed unreasonable according to law. In order to find out if something is reasonable or not depends upon if the technology or information infringes upon Fourth Amendment rights or if it has violated government interest like public safety. Searches and seizures that take place inside a home without a warrant are usually considered unreasonable. Any person can be searched if law enforcement believes that they are engaging in criminal activity. School officials can search a student without a warrant if they consider their behavior criminal or unusual. Any officer with probable cause can search any vehicle.
Foreign Intelligence Gathering
The Foreign Intelligence Surveillance Act (FISA) of 1978 is the standard law that impacts what kind of information will be collected from foreign sources. FISA exists by balancing Fourth Amendment rights against a nation’s need to acquire foreign intelligence. It gives entities the ability to bring forth a lawsuit against foreign adversaries in similar fashion as domestic cases, although they are more difficult to enforce. It is somewhat a controversial act as some critics have suggested to remove the law and policy and put in place a warrantless structure in regards to collecting foreign intelligence. Many cybersecurity analyst prefer that FISA stays the way it is and make minor updates to the law and policy over time.
NSA Surveillance
The National Security Agency (NSA) is now a part of the Department of Defense (DoD). It was created by President Truman in 1952 in order to discover ways to intercept and decode adversary’s encrypted communication and data (Glass, 2010). The responsibilities of the organization have increased over time and it is now responsible for large-scale information gathering. The NSA’s findings can assist the other government investigating entities for domestic cybersecurity cases.
While DHS and DoD will manage much of the cybersecurity operations in certain circumstances the NSA will provide additional support. According to the NSA’s government website, the department is responsible for providing Cybersecurity Advisories & Technical Guidance (“Cybersecurity”,” 2021). This objective of the NSA is involved in constantly researching emerging threats and developing a framework through which to mitigate them. The NSA’s official website provides open-source documents on the cybersecurity threat agents they conduct research on, as well as common threat agents to telecommunications. The NSA provides Threat Intelligence and Assessments; it publishes its research and makes it available in the open source. The NSA provides Cybersecurity Products and Services, which is a list of organizations and technologies that are best cybersecurity practices that promote both privacy and security. One of the most important roles that the NSA plays is through Cybersecurity Education. They provide a list of training opportunities for students, employees and employers looking to sharpen their cybersecurity skills with technology used to identify and mitigate threat agents. In addition to providing a careers section, it features a partnership section that informs users on the various departments the NSA collaborates with on an ongoing basis. Lastly, it provides a section for Press and Public Engagements where users can submit queries and discover which government departments are doing the best at promoting privacy and security by recognizing them with an award.
Policy Recommendations
Changes to Law and Policies
It is important for all state actors to have the capability to respond to cyberattacks. Cybersecurity professionals should constantly study the emerging threat agents and current viruses just in case they will need to know how to mitigate such malicious code at a later time. Identifying and collecting intelligence on emerging threats is the best way to keep government departments and organizations from experiencing cyberattacks. A good strategy is to have an open line of communication between public and private organizations regarding intelligence collection as this can reduce the prospect of all parties being compromised by cyberattacks. Both private and public organizations should ensure that their cybersecurity departments have updated software and information that explains the possibility of emerging threats and recommendations for them to conduct a vulnerability assessment in order to discover how likely it is for them to experience a cyberattack. Strong network security is a great way to promote privacy and security for its users.
Due to emerging technologies the need for research and development will always be something to learn and implement relating to cybersecurity laws and policies. Establishing public-private partnerships is a recommended strategy for keeping all governments and organizations up-to-date on the best cybersecurity strategies. Cybersecurity staff should be constantly monitoring networks, using vulnerability assessments and in some cases penetration testing in order to find areas of a network that may need to be patched in order to maintain the organization’s privacy and security. It is a best strategy to have a cybersecurity staff that is capable of providing accurate information through monitoring networks and its traffic rather than hiring third-party organizations to do the work for only a set period of time. Cybersecurity professionals should also maintain the monitoring on networks connected to CIs in addition to other network traffic. The most common threats come from rogue insider employees (or former employees who feel that they have experienced unfair dismissal) and human error.
It is also significant to remain up-to-date on security software applications. Many of these programs have a feature that will allow the user to determine when it is an appropriate time to scan systems and networks for viruses and other threat agents. Many security programs are available today for both personal and professional use. It is important to note that these programs may not identify all vulnerabilities within networks. It is recommended to use other cybersecurity tools in addition to software in order to make sure entire computer infrastructures are free of viruses. Also, frequently backing up the information on an operating system will allow cybersecurity professionals to set the computer’s settings to a previous date and time prior to it experiencing a cyberattack and it most likely will eliminate the threat agent and return the operating system to a point without the presence of threat agents.
Cybersecurity laws and policies can change in two areas: the rules and regulations regarding search seizure and the ability to use them to prevent cyberwar. The law and policy should evolve over time and give individuals their protection by the Fourth Amendment wherever possible. By upholding Fourth Amendment rights, and committing to only search and seizing information that is pertinent to active cases, more individuals and companies will be comfortable during legal proceedings where their technology is considered evidence.
The major area that laws and policies can change is in regard to national and international security. The most crucial aspect of national and international security is the protection of critical infrastructures (CIs). The targeting of CIs by cybercriminals and cyberterrorist is one of the most important reasons why state actors need effective cybersecurity laws and policies. During the course activities this semester, a critic asserted in a video from Module 8 that an act of cyberwar has yet to happen. However, I would disagree with this assertion particularly because cyberattacks on CIs can have a negative impact on national and international security, and also puts citizen’s lives at risk.
The most significant changes to cybersecurity laws and policies should take place in regard to the protection of critical infrastructures. No universal standard exists for the protection of CIs. It is up to each individual state actor to derive their own laws and policies. Cyberattacks on critical infrastructures occur on a frequent basis and using laws and policies is the best way of protecting them. Many cybersecurity analysts assert that the United States’ CIs are extremely vulnerable. Since cyberattacks on CIs is a global problem, it is important to note that no international law and policy that protects CIs from participating countries occur within a uniform framework.
Since today’s CIs are connected to the internet, it is safe to assert that the U.S. depends upon networks from a variety of internet service providers (ISPs) as well as those owned by the private sector. It is the responsibility of the Department of Homeland Security (DHS) to examine the domestic needs of the U.S. in regards to protecting its CIs. Equally as important is the effective operation of the Department of Defense (DoD), which handles international cybersecurity efforts with US Cybercommand. At this point it is important to note the complexity of cybersecurity laws and policies relating to CIs. Since the U.S. has a department for domestic cybersecurity and another for international issues, the process of developing sound laws and policies will be more complex than state actors that only have one agency to implement their cybersecurity laws and policies. It can also be seen as a strength; the U.S. has both domestic and international security goals, having more than one agency to handle the implementation is ideal because they can work collaboratively on developing laws and policies, which will keep more people safe and deter future instances of cybercrime and cyberwar. Protecting CIs will increase both the security and privacy of internet users within a territory.
When managing critical infrastructures it is important to note that government or the private sector may be the ones responsible for cybersecurity laws and policies. Cybersecurity capabilities within the U.S. are usually carried out by DHS and DoD. Even though it is difficult to craft cybersecurity laws and policies, the two-department approach works extremely well for the U.S. Many other governments only have one agency that handles all of is cybersecurity matters. Developing policy is something that never stops when working in cybersecurity; it will always be some new information or threat agent that needs intelligence and submission for inclusion within company or government policies.
Recommending International Peace Treaties and Richard A Clarke
The privacy vs. security debate effects internet users in different ways. The two concepts apply when people use their home networks, work computers, and in public spaces that have Wi-Fi internet connections. In all of these areas, privacy and security are constantly changing because users are mobile and enterprises are constantly updating their technologies in order to remain competitive against other corporations. The diversity of types of technology to use also plays a key role.
IOT is a key area in need of solid cybersecurity laws and policies, as it is still relatively new and cybersecurity forensic personnel should always remain familiar with it in order to know how to copy information from one IOT device to a company computer for examination. From a micro perspective, it would seem that internet users are constantly finding themselves in situations where both their privacy and security are at risk. However, from a macro perspective, it can be asserted that internet users’ privacy and security are protected by the defensive and offensive cybersecurity operations from DHS and DoD that protect CIs and strengthen networks, which means that every internet user’s privacy and security is made stronger.
In order to maintain an adequate level of privacy and security on behalf of populations, it is important for state actors to engage in international treaties that will make their citizen’s internet use more private and secure. In his book entitled Cyberwar, Richard Clarke (the U.S. first Cybersecurity Czar) states that the creation of international peace treaties are the most efficient way of developing cybersecurity laws and policies that will directly promote privacy and security for all participating territories (Clarke & Knake, 2011). Many cybersecurity professionals believe in his assertion and others are skeptical of it.
Many benefits to developing international laws and policies exist for all internet users. These collaborative pieces of legislation can prevent cybercrime and cyberterrorism. It also establishes jurisdiction between law enforcement, DHS and DoD in regards to the response of cybercriminal activity. It is important to note that the United Nations has yet to develop a cybersecurity framework that can be implemented to many countries simultaneously, improving the privacy and security of all participates. It is now up to governments within state actors to develop their own laws and policies and decide if they want to keep them for themselves or implement them with allies or adversaries in exchange for political or economic benefit.
In order to create international treaties it is important to assess the role of technology in today’s world. It is important to note that it has never been more people connected to the internet through various devices like what exists today. Literally billions of internet users are connected to networks all over the world. To make things more complex, it has never been more applications available to internet users today. It is also important to keep Moore’s law in mind, that processing speeds for technology double roughly every 18 months. The presence of so many different types of technology may seem to be overwhelming. They also present a challenge to governments and organizations who try to develop international treaties and policies. It is a significant challenge to develop policies when prospective participates will require bandwidth, security application and other resources in order for the policies to be effective. The need for international policies will increase as the technology continues to grow in terms of its use, hardware and software. Also, the protection of CIs will continue to be challenging as technology develops.
Due to the increase in the number of people using technology that is connected to networks, state actors should constantly research and develop new ways of making cybersecurity laws and policies that relate to international treaties. Since all major countries and territories have ISPs, it will also lead to the prospect of a cyberwar taking place in cyberspace. Hackers can send their malicious code to systems that may be thousands of miles a way from their terminals. Cybersecurity issues are no longer restricted to home network use; they are global and the effective use of laws and policies can go a long way with making cyberspace safer for many people. The lack of new laws and policies, on the other hand, is a detriment to internet users all over the world. If international treaties are going to exist, the state actors that are going to be responsible for the creation of laws and policies need to have a meeting and decide which territories are going to take the lead in the research and development of international policies. This process should be undertaken with the goal of promoting privacy and security for all internet users. It should also have a commitment to identify and mitigate acts of cybercrime and cyberterrorism. However, in order for this to work the leading state actors need to develop a cybersecurity law and policy framework that is realistic and hopefully not excessively resource intensive so that all developing countries will have the opportunity to join the coalition should they desire.
While most countries will look for the United States to take the lead in this process, the framework may come out better if it is handled by the United Nations (UN). The UN handles many international laws and policies already; however, if the organization can develop a cybersecurity framework that ensures privacy and security then the organization will reduce the prospect of cyberwar occurring between developing nations and their cybersecurity operations.
Nothing close to a global framework exists today. However, some countries will enter into international policies with their neighbors and allies. For example, the U.S.and Canada have an agreement regarding critical infrastructures should they be cyberattacked and taken down in one country; it would then be the responsibility of the country to assist in bringing the affected territory back online. One way that the two countries demonstrate their treaty is by Canada using some of its electric grid to power U.S. homes and businesses and vice versa. This way even if a cyberattack occurs on the electric grid, neither country will be fully without energy. The principles apply for the water system, transportation, defense systems and others.
The majority of the activities that takes place in order to enact the laws and policies occurs on the Canadian border because that is where all of the country’s critical infrastructure are housed, including their defense system. Their geography is different than the U.S. where the CIs are more spread throughout the country. Nevertheless, the two countries have an international treaty that is beneficial to both parties (Graham, 2012) . It is up to cybersecurity analyst in both countries to decide if it is possible to invite other countries to become a part of their treaty. Some resource sharing occurs with Mexico because they are all a part of North America, but is it possible to expand the treaty eastward and maybe include the UK or Ireland, or maybe even southern with Central and South America? Introducing new countries into existing international policies may be a way that can increase privacy and security in many territories on a consistent basis.
In order for such treaties to exist, it would require the U.S. to do some diplomacy that many analyst would deem almost impossible. Since they would be engaging in the creation of laws and policies with the basic principle that all internet users should have privacy and security, the U.S. could attempt to influence other nations and territories to develop national and international laws and policies similar to the Fourth Amendment (Clarke & Knake, 2011). If the policy creation does not start, then citizens in many of these participating countries are going to reliably ensure privacy and security to their citizens. Unfortunately, it’s unrealistic to think that a coalition of 20 or 30 countries will adopt policies similar to the Fourth Amendment and then accept a role within an international policy to protect all parties. It’s far more realistic that a few countries will come together to develop policies on CIs and then try to invite other countries to join their coalition one-by-one. This would be a slow process, but it may be the only route to developing something that can ensure privacy and security for as many internet users as possible.
Another roadblock during the process of developing international treaties are the rogue nations that use their cybersecurity efforts for cybercrime and cyberterrorism. China, which probably conducts more espionage than any other country, would be highly unlikely to want to participate in an international peace treaty. Many reasons exist as to why they would refrain, perhaps they do not want to be in the same coalition with the countries they are currently conducting espionage on (Bing & Satter, 2020). China is typically politically moderate, which is fine, but they would be unlikely to take any kind of a stance on laws and policies that enforce them to refrain from conducting espionage and industrial espionage.
Russia likes to use its cybersecurity resources for terrorism on smaller nations in Eastern Europe. They would be unlikely to join a treaty that would prevent from cyberattacking Ukraine and other surrounding territories, as well as their desire to get involved in elections around the world in a negative way with their misuse of social media and other forms of technology.
North Korea would not join the international treaty because their primary focus is to use ransomware to steal currency for which the country uses to fund its nuclear program; it would be impossible to convince them to stop building nuclear weapons and join the peace treaty.
Iran, who is no longer under the restrictions of the Iran Nuclear deal with the U.S., will not stop its quest to develop a nuclear weapon and its cybersecurity capability to destabilize the Middle East. These major state actors are more interested in their rogue usage of cybersecurity capabilities than to join others in international treaties that can bring a level of peace to all participating countries.
Due to all major state actors having different usage for cybersecurity, many critics believe that Richard Clarke’s peace treaty ideas can not be implemented. Clarke understands the challenges, but he continues to make the assertion because he wants cybersecurity to be safe for all internet users. Also, it is important to make the distinction that Clarke isn’t suggesting that all countries will join a peace treaty within the same time, he argues that it is more possible for a collection of a few countries to collaborate in order to make peace treaties and hopefully their work will influence others around the world.
In the absence of these policies, a state actor can do many things to get prepared for ensuring privacy and security. One of the most frequent is to look out for insiders within government and organizations that may be motivated to destroy networks and systems. Sometimes this occurs through human error and others when an employee wants to cause damage to the government or organization. Ensuring that cybersecurity personnel are providing everyone at the government or organization with updated security software is an essential component. It is also vital to ensure the CIs are protected with their supervisory control and data acquisition (SCADA) and its programmable logic controllers (PLCs). It is also important for cybersecurity to identify and mitigate vulnerabilities wherever possible. Cybersecurity can offer staff training to get employees more familiar with their policies and reducing the prospect of an insider threat or human error.
As more people use the internet, the need for international policies will increase. Cybersecurity laws and policies are the building blocks and foundation through which cybersecurity can ensure the protection of networks and systems, as well as promote privacy and security. International peace treaties for cybersecurity are a good idea that does not occur often enough. Since we have established how difficult it can be to create an international policy and get countries to participate, it is important to assert that Richard Clarke’s ideas are not simply dreams but rather ideals state actors should strive to complete.
Conclusion
All internet users want both privacy and security when using their technology or storing data. Today, many software options are available to choose from that can increase the privacy and security settings of technology simultaneously. Internet users must understand that privacy and security is not entirely in their hands. At some point they will need a third-party software or cloud solution to help them with their privacy and security needs. This puts a lot of responsibility on cybersecurity firms, because if they are breached then potentially millions of people’s data will be made available and the credibility of the organization will be damaged. Unfortunately, these organizations can only do so much to mitigate a data breach; once the information is out on the web it is no way of knowing completely that the information has not been collected and used by hackers. Even though the internet and third-party organizations can be risky, it really is not a way of preventing cyberattacks that affect internet user’s privacy and security in all circumstances.
The dichotomy between privacy and security constantly grows widens as internet users continue to use a variety of technologies for their personal and professional use. The explosion in popularity of IOT devices further widens the difference between privacy and security. More importantly, the use of government defense systems has reached a level of sophistication that they can promote privacy and security or inadvertently be a detriment to it in much the same way as a data breach. As innovations in software and hardware continue to develop, they require more computing resources that may or may not add to the user’s privacy and security; it depends on the types of devices they use and what settings they use the most. While innovations can increase productivity and user interaction, it makes it challenging to discover which is more important: privacy vs. security.
Following NIST protocols can be a way of promoting both privacy and security. NIST Special Publication 800–53, Revision 5, outlines the specific settings required to ensure that technology has an adequate level of privacy and security. This publication has been updated through Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The newer publication NIST Special Publication 800–37, Revision 2, provides users with more security and privacy controls, it also provides a Cybersecurity Framework for government and organizations (Scherer, 2020). Even with more control settings it may be difficult for users to determine which (privacy and security) is best for their technology.
Based on research as well as personal and professional use of technology, it would be safe to assert that security is more important than privacy, and that cybersecurity laws and policies should first seek to uphold as much security as possible. Even though privacy is extremely important, without security information in transmission or storage will be subject to hackers. In certain situations internet users will need to sacrifice some of their privacy settings in favor of more security, which is the stronger approach. The ideal scenario is to have adequate privacy and security; however, it will be no way to equally distribute computing resources to each concept. The best solutions offer a little bit more computing resources for security rather than privacy as this will make the technology safer over time.
References
Attfield, P. (2006, January 13). United States v Gorshkov Detailed Forensics and Case Study; Expert Witness Perspective. https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1592518
Bing, C., & Satter, R. (2020, March 25). U.S. cybersecurity experts see recent spike in Chinese digital espionage. https://www.reuters.com/article/us-usa-china-cyber/u-s-cybersecurity-experts-see-recent-spike-in-chinese-digital-espionage-idUSKBN21C1T8
Brook, C. (2018, December 5). What is SCADA Security? https://digitalguardian.com/blog/what-scada-security
Clarke, R. A., & Knake, R. (2011). Cyber War: The Next Threat to National Security and What to Do About It. New York, NY: HarperCollins. doi:https://www.amazon.com/Cyber-War-Threat-National-Security/dp/0061962244
Cybersecurity. (2021, January 1). https://www.nsa.gov/what-we-do/cybersecurity/
Failing to Keep Pace: The Cyber Threat and Its Implications for Our Privacy Laws. (2018, May 23). https://www.nsa.gov/news-features/speeches-testimonies/Article/1608850/failing-to-keep-pace-the-cyber-threat-and-its-implications-for-our-privacy-laws/
Glass, A. (2010, November 4). The National Security Agency is established, Nov. 4, 1952. https://www.politico.com/story/2010/11/the-national-security-agency-is-established-nov-4-1952-044671
Graham, A. (2012, February 1). CANADA’S CRITICAL INFRASTRUCTURE When is Safe Enough Safe Enough? Retrieved from https://www.macdonaldlaurier.ca/files/pdf/Canadas-Critical-Infrastructure-When-is-safe-enough-safe-enough-December-2011.pdf
Henning, N. (2018). Privacy and Security Online: Best Practices for Cybersecurity. Library Technology Reports, 54(3), 8–19. doi:https://journals.ala.org/index.php/ltr/issue/download/677/439
Menders, D. (2019, October 3). The Importance of Data Encryption in Cybersecurity. https://www.techwell.com/techwell-insights/2019/10/importance-data-encryption-cybersecurity
Petit, F., & Lewis, L. P. (2021, January 1). Critical Infrastructure Interdependency Analysis: Operationalising Resilience Strategies. https://www.preventionweb.net/files/66506_f415finallewisandpetitcriticalinfra.pdf
Poel, I. V. (2020). Core Values and Value Conflicts in Cybersecurity: Beyond Privacy Versus Security. In The Ethics of Cybersecurity (Vol. 21, pp. 45–50). Cham, Switzerland: Springer. doi:https://library.oapen.org/bitstream/handle/20.500.12657/22489/1007696.pdf?sequence=1#page=61
Ryan, L. (2017, October 17). CYBER SECURITY IN THE DIGITAL AGE: THE THREATS ARE REAL, KEEP YOURSELF SAFE. https://sofrep.com/news/cyber-security-in-the-digital-age-the-threats-are-real-keep-yourself-safe/
Scherer, T. (2020, April 23). What is NIST Special Publication 800–37 Revision 2? https://reciprocitylabs.com/what-is-nist-special-publication-800-37-revision-2/
Schwartz, P. M., & Solove, D. J. (2018). Privacy, Law Enforcement and National Security (2nd ed.). Fredrick, MD: Wolters Kluwer. doi:https://www.amazon.com/Privacy-Enforcement-National-Security-Publishing/dp/1454861533
Skeath, C. (2016, February 9). White House’s Cybersecurity National Action Plan (CNAP) Includes Cybersecurity Awareness Campaign, Creation of Federal Privacy Council. https://www.insideprivacy.com/data-security/cybersecurity/white-houses-cybersecurity-national-action-plan-cnap-includes-cybersecurity-awareness-campaign-creation-of-federal-privacy-council/Dominic Richardson
I am a writer and cybersecurity professional