The US Cybersecurity Policy Environmental Scan: Cyber-Culture, Economy, and Jurisprudence

Today, cybersecurity is one of the biggest categories of threat faced by governments, business entities, and consumers. According to a report, in 2013 people lost $84 million to online romance and dating scams, 51 million to scams relating to online auto theft, and about 18 million to real estate and rental scams. By 2014, a known 317 million pieces of malware had been released into cyberspace to perpetrate malicious and illicit activities. Following this, in 2015, over 159 million sensitive records were compromised. At the global scale, it is estimated that by 2020 about 200 billion Internet of Things devices could need some form of security.

Though cybercrimes have constituted a significant share of financial fraud in the US since the 1960s, the dramatic increase in successful large-scale cyber-attacks within the last decade has changed the discussion on cybersecurity. For the most part, the global community agrees that cybersecurity is a critical component of both national and economic security.

Governments across continents, using different approaches, develop policies, laws, and regulations to strengthen their country’s or region’s cybersecurity defense against all forms of cyber actors. It has been shown that public awareness is a major factor hindering the implementation and success of the guidelines and standards developed as tools for executing these policies and laws. Consumers and business entities have a huge role to play in their government’s cybersecurity vision. They must be aware of their role in this vision, and government must promote a strong platform for the dissemination of information regarding policies and standards.

What Is the Country’s Cyberspace and Cybersecurity Culture?

The US recognizes that cybersecurity is an important and sensitive issue in today’s technological world. The Obama administration commissioned the Cyberspace Policy Review to analyze the current state of government cybersecurity programs and policies and to proffer appropriate recommendations as needed. The recommendations brought about three major changes in the country’s cybersecurity culture: the crucial near-term recommendations; the Cybersecurity Strategy and Implementation Plan (CSIP); and the strengthening of federal agencies’ cybersecurity standards.

However, there are certain unique characteristics of the country’s cyberspace culture.

  1. The government system. The country is a federation where powers and responsibilities are shared between the federal, state, and county governments. Policies on cybersecurity, and all other areas of public interest, are initiated by the federal government and implemented mostly at the state and county levels. That is why it is always important to provide the necessary resources to the state and county governments.
  2. The wide use of the internet, both domestic and industrial. Public and private enterprises in the country rely heavily on the internet and other offline computer applications for processing and storing data. As the need for new computer solutions for processing and storing data has grown over the years, so have vulnerabilities and new ways of stealing information assets.
  3. The constant threat from foreign adversaries. The country is a world leader and the pioneer of the internet of things. Because of its economic and political leadership in the world, the country constantly faces threats from cyberterrorists and cyber espionage sponsored by state actors. This trend is expected to continue through the next decade as these adversaries are still active in their enmity towards the country.

Change in Cybersecurity Trend: An Economic Perspective

Evaluating cybersecurity insurance might be an important angle from which to look at the economic perspective of cybersecurity in the US. Over the years, the U.S. cyber risk insurance market has continued to grow as small, medium, and multi-billion-dollar firms consider coverage a strategic tool in mitigating the loss and liability associated with a successful cyber-attack and data breach. I found that several questions need to be answered, and some factors need to be in place, in order to evaluate whether buying an insurance policy will be an effective tool for mitigating cyber-attack liability for a particular would-be insured organization.

So, is it profitable – or at least cost-effective – for a firm to invest in cyber risk insurance? We should assess the extent of the cyber threat to the private sector, including retailers and financial services providers. Successful cyber-attacks cost firms reputational and financial losses, including legal liability to customers. Ideally, I maintain the point that for cyber risk insurers to provide adequate coverage, they must determine five key pieces of information from the would-be insured, namely:

  1. Accurate details of the attack methods being used by cybercriminals in the would-be insured’s line of business.
  2. Details of the would-be insured’s IT assets and their value to the business.
  3. Reliability of the security controls deployed by the would-be insured.
  4. Likelihood of the would-be insured being targeted by cyber-attackers.
  5. The maturity of the organization’s security processes.

From the Criminality Perspective, Does the Country Do Enough in the Cyberspace Area?

In the US, there is a relationship between criminal and civil cases as applicable to cybersecurity policy. The same action, such as non-compliance, can constitute both a crime – which can result in punishment – and a wrongful act against third parties, which can result in compensation or reward.

Compliance constitutes a cycle of actions, procedures, and policies that ensures an organization implements applicable laws, regulations, and best practices. An organization must ensure that it complies with applicable laws in order to promote its security plans and procedures. Failure to do this often leads to legal action by government agencies for non-compliance. This outcome can tarnish the image of the brand, and it is usually a risk management can’t afford to accommodate.

In most cases, organizational cultures reflect the cultural and ethical values of senior management. Unethical behavior flows, with acceptance, from senior management to midlevel employees. Therefore, if management wants to ensure that there is honesty, integrity, transparency, and a compliance culture in all facets of the organization, it must display those practices while carrying out its daily duties and responsibilities. After this, management must actively engage in compliance by promoting concrete enterprise computer security strategies, plans, technology, and policies.

Suggestions and Policy Recommendations

In light of the above discussion, what follows is a recommended snapshot of policy parameters that could further aid decision makers in the unending fight against cybercrime and cyberterrorism:

  1. Increase awareness about changing threats due to the growing technical skills of extremists and terrorist groups;
  2. Develop more accurate methods for measuring the effects of cybercrime and help to determine appropriate responses by DOD to a cyberattack;
  3. Examine the incentives for state and county personnel for achieving the goals of the National Strategy to Secure Cyberspace;
  4. Search for ways to improve the security of commercial software products in the private sector;
  5. Explore ways to increase security education and awareness for businesses and home PC users;
  6. Find ways for private industry and government to coordinate to protect against cyberattack;
  7. Congress may also wish to consider ways to harmonize existing federal and state laws that require notice to persons when their personal information has been affected by a computer security breach, and that impose obligations on businesses and owners of that restricted information.