Technology is as dangerous as it is necessary. Data leaks from organizations such as SolarWinds and, more recently, AT&T have made the need for defined security measures evident. American citizens’ data can be weaponized by foreign enemies and domestic criminals alike, yet the United States has minimal cybersecurity regulations. The Department of Defense (DoD) has requirements for contractors and subcontractors who provide technology to the government, but outside of this agency, little has been done.
Any type of regulation is slow going because of an ongoing debate between government agencies and private companies about who should be held responsible for data leaks and cybersecurity.
Those opposed to government involvement believe it will discourage technological innovation, since technology producers fear they will be unable to shoulder the monetary cost of meeting and maintaining the requirements. If the U.S. imposes regulations, it risks declining as a technology powerhouse due to decreased efficacy.
Those in favor of regulation note that car manufacturers are responsible for keeping their customers safe and argue that technology producers should provide customers with similar protection.
Operative Definitions
- Sunset Law: A law that terminates after an appointed time unless further action is taken to extend it. A sunset law allows the government to reflect on a law’s success and decide if it’s appropriate to proceed or terminate it.
- Cybersecurity Maturity Model Certification (CMMC): A certification given to government contractors and subcontractors when they successfully meet and maintain the requirements of the enforcement program that protects sensitive information developed by the DoD.
- Social Engineering: The tactic of manipulating a targeted victim through deception or influence to gain control of their sensitive online information, whether that is a computer system or their financial information.
Important Facts and Statistics
- 45% of experts cited fear of cyber incidents as their top concern for business interruptions. The attacks included tactics like compromising passwords, with each incident estimated to cost around $384,598 in 2019.
- According to a study conducted by Apple in 2023, the cost of cybercrime damage is projected to grow to $10.5 trillion by 2024.
- 98% of cyberattacks rely on social engineering.
- The FBI Internet Crime Report indicates that over 300,497 complaints were filed about phishing schemes in 2023.
5-Step Plan
1. Establish a security expectation baseline
A security standard that is both effective and manageable must be implemented. The best course of action is to utilize the system already in place but modify it for nongovernmental companies. The Cybersecurity Maturity Model Certification (CMMC) has three levels of protection depending on what type of information a contractor is handling. For companies operating outside of the government sphere, level one, the minimal requirement, will suffice. The only difference required is that instead of protecting Federal Contract Information (FCI), the focus will shift to user information.
2. Implement Subsidies
In order to incentivize producers to obtain a CMMC level, the government should implement subsidies in the form of a tax break.
3. Mandate information distribution
All technology-producing companies that sell to customers should be required to educate customers about the nuances of implementing two-factor authentication, changing passwords yearly, social engineering and general email phishing scams. The method of distributing this information is not fixed. Companies are not responsible for ensuring that customers follow the information; however, they are required to present it. Compliance will be monitored by a third-party government contractor.
4. Create a Failure to Comply Penalty
It is important to impose a fitting punishment for failing to comply with the information distribution mandate. Should the third-party contractor find that an organization fails to comply, civil or criminal enforcement will be introduced.
5. Evaluate Competitive Technology Production
A four-year sunset law will ensure that the policy is reviewed again. Implementing the law will allow the government to assess the mandate’s outcome and see if the minimal requirement needs to be raised, dropped or extended. The policy’s success will be measured against the most recent phishing scheme count available from the FBI’s Internet Crime Report for the current year. By the end of the policy’s four-year period, that number must have dropped by 5% for the policy to be considered effective.
Why This Initiative Is Important
Allowing companies to create without production limitations is important to keep the U.S. technologically advanced. However, it is vital that users are informed about basic security measures and know how to protect themselves; the policy mandates behavior, not technology. Additionally, incentivizing organizations to increase cybersecurity measures will raise the standard of cybersecurity on a national level.
Cyber threats are a matter of national security, and regulation in this sector shouldn’t be overlooked in the wake of political unrest. The policy, with its expiration date, leaves room for improvement, which is crucial during the current global unrest and Russia’s attacks. Finally, the policy meets its operating goal of keeping the U.S. technologically competitive, and it does not force organizations to comply with unrealistic or difficult standards.
Acknowledgment: The opinions expressed in this piece are those of the individual author.