By Avery Leake and Madison Lockett
Security in the twenty-first century will undoubtedly look different than any other in history. The onset of the digital age signaled a departure from the norms of warfare, conflict, and crime in an increasingly interconnected world. The contract of government in the United States historically stipulated sacrificing individual freedoms in exchange for federally-assured safety. However, cybercrime has personalized national security threats and put the US Government in a tenuous position with regard to securing the state.
So far, the US Government has failed to communicate a set of universal goals and procedures for governing the digital era, yet it requires a cohesive cybersecurity policy that is neither universal nor entirely absent. This federal cybersecurity policy will have two primary constituencies: individual Americans and American-based businesses. The issues facing these two constituencies are drastically different, as is the legal basis for such security measures.
Establishing cohesive federal cybersecurity policy for individuals addresses the delicate balance of privacy and security. The Patriot Act of 2001 gave the US Government access to significant amounts of Americans’ personal information, data, and metadata. Following the 9/11 attacks, it expanded government surveillance powers in the name of counterterrorism, removing significant legal hurdles to wiretapping and other surveillance technologies.
This power proved increasingly seductive as digital technologies developed well beyond anybody’s wildest expectations and offered a treasure trove of personal data for a newly empowered surveillance apparatus. The newfound access to personal data effectively obligated the US Government to protect that personal data. This precedent of government protection is bolstered by HIPAA, FERPA, and other long-standing consumer protection statutes.
Herein lies the tension of a potential federal cybersecurity policy: the US Government seized ownership of too much of the private lives and data of Americans to entirely abdicate responsibility for its cybersecurity. However, comprehensive security in each of these sectors would require complete government access and control over citizens’ personal data, further eroding the right to privacy among Americans.
The internet is an increasingly dangerous avenue for individual financial, political, physical, and psychological attacks. Any federal cybersecurity policy will go a long way not only in providing basic protections to Americans, but also in encouraging effective digital hygiene that will dramatically reduce cybercrime.
However, federal cybersecurity policy will be limited to technical measures. Online platforms and individual accounts remain vulnerable to a variety of hacks, many of them attributable to social engineering rather than technical breaches. The US Government is not able to guarantee the sanctity of your Facebook account (which might also provide access to your primary email, bank account, the accounts of your friends and family, and important personal data) if your password is “password”, still the fourth most common password in 2020.
The US Government is facing the reality that a federal cybersecurity policy is required to reaffirm individual privacy rights. To ensure every American’s right to cybersecurity, Congress must define the parameters and pitfalls of introducing a cybersecurity policy protecting both individuals and institutions from potential national security threats.
American-based businesses present a different set of complications to establishing federal cybersecurity policy. Multinational corporations and a globally dependent economy make it difficult for the federal government to enforce strict cybersecurity standards if they are imposed on any company headquartered in the United States. An opt-in program appears the most promising way to establish a cybersecurity policy applicable to all US businesses.
While most large corporations likely have robust internal cybersecurity regulations, many small- and medium-sized businesses lack the resources to invest in much more than a very basic plan. For these firms, a baseline cybersecurity policy offered by the US Government would almost certainly help their ability to effectively run their businesses without fear of intrusion, theft, or other cybercrime. Such a program could be offered upon incorporation and designed to accommodate different corporate sizes and structures.
A final consideration for policymakers must be the importance of various American industries to national security. In the past, this might only concern defense contractors or industries that interacted with espionage or conflict in some form. However, in the digital age, any industry that is critical to the operation of our country and the wellbeing of Americans falls under the umbrella of critical infrastructure potentially requiring heightened security. These include healthcare, agriculture, transportation and airfare, and even finance in addition to the defense and energy industries that already receive additional security measures from the US Government.
The concerns of businesses raise fewer legal and ethical considerations than the concerns of citizens, but are no less complex or demanding of effective policy. Until the US Government has established guidelines for security and action in times of digital crises, cybersecurity will remain a private institution that is only available to those who seek it out. Potentially, such action will open the floodgates to new considerations regarding governance in the twenty-first century as legislators seek answers to new questions posed in the realms of enterprise, information, and security in the digital age.