Most national level policy is complicated. Each policy proving difficult to create and implement simply because our nation is made of up of so many different types of people who all have been a voice to express their wants. However, creating policy to address cyber crime in the United States has been the toughest and most complicated policy issue to date. This is primarily for three different reasons, our massive dependence on cyberspace, the rapid pace that technologies are being introduced and evolving in cyberspace and the disparity between the average level of knowledge and the required level of knowledge needed to create policies that will adequately and legally address the crime and issue.
Throughout American history, policies have swung on a pendulum powered by election seasons but motivated by current events. The recent series of violent crimes involving high powered guns has tilted gun policy more to the restrictive side. However, it will only take time and another series of events where it can be justified that citizens need to be heavily armed to protect themselves to swing it back to the other side. The difference between gun policy and cyber policy is our everyday dependence on it in almost every factor of our lives. Inevitably any policy created to provide security in cyber space against cyber criminal will infringe on the rights and freedoms (or perceived rights and freedoms) of the innocent utilizing cyberspace. A prime example of this is how the Cybersecurity act of 2012 did not pass due to the concern of it being used for surveillance on innocent citizens rather than cyber criminals. This concept of the “Internet of Things” where every single thing we interact with has an IP and is connected to cyberspace frightens those who are privacy conscious.(2011) This issue is compounded by the rapid pace that technologies are being introduced and evolving and becoming available to the consumer before being fully considered for security. Companies are rushing to push the use of cyber space into the next frontier, providing new ways to do everything, consumers are jumping on it as soon as possible in efforts to be on the edge of innovation and criminals are right behind them looking to exploit it before the companies or consumers can catch on. One day we are using credit cards to make transactions, the next day we are using our phones as wallets to make those same transactions. This trend renders public demand as an effective means to counter cyber crime useless; it complicates things for policy makers who cannot realistically keep up with the pace at which things are growing and do what it takes to make effective policy. This gap between how fast policymakers are learning about cyberspace and the speed of policy vs. the speed of new technologies in cyberspace is leaving a door wide open for cyber criminals.
In the end, we have cybersecurity policies that do not adequately address the nation’s cybercrime concerns. Homeland Security Presidential Directives like HSPD-7 have been the main pieces of policy being helping to defend against cybercrime. However, it is more national security focused and there is still a need for a major policy that addresses cyber crime in a way that can be applied in every instance, state and appliance. As Susan Brenner highlights in “Cyber crime and the U.S. Criminal Justice System”, factors like whether the cyber criminal is a juvenile, the definition of “force” and inflammatory charges like child pornography makes it hard to prosecute against cyber crime, especially in a nation that has varying definitions of basic concepts like cyber space or cyber crime. (2006) However, the recently released Critical Infrastructure Security and Resilience Presidential Policy Directive 21 and Executive Order for Improving Critical Infrastructure Cybersecurity is set change our government’s stance on how much the private sector defends the national critical infrastructure. Presidential Policy 21 is set to assess, redefine and improve the relationship between the government and the private sector, update the NIPP and clearly identify who has a hand in protecting the nation’s critical infrastructure from the federal government. The Executive Order for Improving Critical Infrastructure Cybersecurity is accompanies the presidential directive, but provides much more verbiage for understanding how the nation’s stance on cyber security in the private sector will change and how it will include the owners and operator of critical infrastructure and the sector specific agencies who are already assisting them in defending themselves in cyberspace. This presidential order is the most important directive to date that makes it clear that the government will tell the private sector how to improve and their cybersecurity.
While Presidential Policy Directive 21 may be a landmark policy clearly stating how the government will interact with the privacy industry to secure the nation’s critical infrastructure, it does not have any verbiage clearly outlining how much the private industry should be responsible for protecting national security of the critical infrastructure that owns and operates. Consequently, this executive order is the most feared order to be released since the inception of cyberspace. There are varying opinions about how much the private industry should be responsible for protecting national security, all agreeing that they should be responsible on some level but no consensus on how much. Essentially, as the Department of Homeland Security and the government as a whole tackles the deliverables tasked to them by the Presidential Policy Directive, they must develop recommendations for determining how much each sector and each operator and owner should be responsible for protecting national security.
–Marcus Stallworth 02/28/2013
Brenner, S. W. (2006). Cybercrime and the U.S. criminal justice system. In H. Bidgoli (Ed.), Handbook of information security (Vol. 2). New York, NY: John Wiley & Sons
Lopez, J., Najera, P., Roman, R. (2011). Securing the Internet of things. IEEE Computer. Vol. 44, no. 9, pp. 51-58, Septermber
Homeland Security Presidential Directive 7 (HSPD-7), (Dec. 17, 2003) Critical Infrastructure Identification, Prioritization, and Protection.