In the aftermath of the Sony Pictures attack and now the hacking of the Pentagon’s social media accounts, the introduction of tougher cyber security laws has been inevitable. The main points to take from these new laws is that it will no longer be only the attacker liable for prosecution, but also anyone who accesses the stolen data, in what is known as a ‘racketeering’ law. Also, we can expect changes to laws firstly in America but potentially around the globe, giving governments more power to intercept online communications.
There has already been some precedence in the US for unusual legal cases bordering on racketeering charges; a prosecution for the download of a customer list and one for copying a URL for stolen information between chatrooms. The new laws due to be introduced will basically ratify this tougher approach.
In the State of the Union address delivered by President Obama on 20 January “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids,” Obama said. “We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information.”
What these laws are doing is widening the net for those who can be linked to cybercrime and making way for increased surveillance. Simply associating with cyber criminals will also now be punishable, regardless of no specific act being committed. The message is a strong one; anyone can be guilty of cyber offences simply by association.
He is also pushing for increased information sharing between the government and corporations. A White House statement released in advance of the speech said it “encourages the private sector to share appropriate cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center”.
This agency will in turn share real-time information on hacking with other federal agencies and private-sector bodies known as Information Sharing and Analysis Organizations (ISAOs) who are being set up to help monitor and disrupt attacks.
Finally, and this is the most important action point for businesses, Obama is pushing for a new federal law, called the Personal Data Notification and Protection Act, that will force companies to notify customers of a data breach within 30 days.
Obama’s proposals come from a feeling in Washington D.C. that more needs to be done about hacking following the massive data breaches occurring in the last couple of years. In documents about the NSA recently released by Edward Snowden, there’s evidence that some cyber conduct of the US government is already tantamount to spying and cyber warfare beyond the extent the public were aware of. Setting such conduct as law will give such agencies the green light to continue these activities on a greater scale.
In the wake of both the Sony hack and the Charlie Hebdo attack in Paris, Obama also met with UK Prime Minister David Cameron to discuss matters of cyber security. They both cited the importance of being able to intercept terrorist communications online through social media sites such as Facebook and Google. The two leaders also agreed on increased information sharing between American and British intelligence agencies, educational exchanges between scholars and continued ‘war games’ to test defences of high profile targets in both countries.
Where these new plans might struggle is in the cooperation of corporations such as Facebook, Apple and Google, which will be essential if these measures of interception are to be taken. Apple have previously stated that this issue should be solely between users and law enforcement, that it’s not the responsibility of technology providers to monitor and share user data. There is also a perception that Cameron and Obama are asking internet companies to engineer their products with weaker security, which in the current cyber security climate would not be a popular move.
Time will tell whether increased surveillance and harsher punishments will have any impact on cybercrime but if these laws go through, any company which is breached will have to reveal it publicly, which can seriously damage any reputation. Therefore, as predicted, cyber security is of mounting importance going forward. Any weaknesses in security need to be addressed, sooner rather than later.