
Our National Conversation


Alexis Berridge

Cybercrime: Who Should be Held Responsible?

Cybercrime is a pressing issue. Stolen information results in financial loss, identity theft and the compromise of sensitive material at both the personal and governmental levels. Cybercrime is the use of information and communication technology (ICT) to unlawfully access sites, networks or technology.


Cybersecurity is an expanding field projected to grow 32% from 2022 to 2032 in the United States. Society has become hyper-aware of its susceptibility to cyber-attacks. At the same time, it’s impossible to claim cybercrime awareness as new. It surfaced as a recognized problem in the early 2000s when “Mafiaboy,” a 15-year-old hacker named Michael, attacked big-name commercial websites. Sites globally were down for hours, costing companies such as Amazon, CNN, Yahoo and even eBay copious amounts of money.

 

The Mafiaboy incident arguably showed America the importance of cybersecurity, simultaneously ushering in a mass wave of distrust. Was there any way to truly make cyberspace safe? If a 15-year-old can hack into major companies on a random Monday, what does that mean for all its users?


While Mafiaboy increased security awareness and measures publicly, this awareness reached a national level as a result of the 2020 SolarWinds incident. In 2019, the Russian Foreign Intelligence Service penetrated SolarWinds, a software management company. The federal government’s involvement with SolarWinds and the resulting sensitive material obtained from it made this a national security issue.

 

Cybercrime’s increasing frequency and consequential effects have left many searching for a responsible party. Is it the government, or the organizations that sell the software?

 

Chris Inglis, former U.S. National Cyber Director, supports enacting policy to enforce safety practices. He maintains that software distributors should be held to the same standards as other companies (such as car manufacturers) regarding user safety. Additionally, Inglis outlines that users are ill-informed of the risks software poses to them and are preyed on by greedy corporations.


Those opposed to enacting cybersecurity policies believe that this enforcement would do more harm than good. For Daniel Castro, Vice President of Information and Technology, imposing penalties will discourage innovation. Castro sees these regulations as redundant since companies are already raising their security budgets to increase reliability following the SolarWinds incident. Finally, he states that companies cannot be responsible for user error.


President Biden issued an Executive Order, “Improving the Nation’s Cybersecurity,” on May 12, 2021. Chief among the order’s focuses are edicts establishing a cyber safety review board, improving security by creating standards for developing government software and creating a standard playbook for cybersecurity incident response. These rules only apply to contractors that seek to do business with the federal government.


It’s important to allow the private sector to remain distinct from the government; however, there are no policies that mediate basic safety practices. Enacting a policy that involves a minimum security budget for the private sector would benefit users. While some companies implement security on their own, others must be held to the same standard. Creating a government task force that operates separately from companies is unrealistic.


The key lies in effectively developing a policy. Companies not meeting standards should be held liable, but determining that standard is difficult. Requiring Microsoft to invest 30% of its budget towards cybersecurity is an entirely different matter than requiring a startup to invest the same number. The government should work together with companies to develop a fair framework that considers software type and company yields, correlating that to an expected budget. Drastically limiting companies is not the answer, as that would limit innovation. The solution is to minimize risks by creating a minimum baseline. If a company falls below the baseline, it should not be selling software to users.


Acknowledgment: The opinions expressed in this article are those of the individual author.

2 Comments


Alexis, I liked your points about this topic, and I definitely agree that cybersecurity is an evolving concern for the United States. I also would like to add that even though domestic private companies could be obeying domestic legislation, they are still susceptible to foreign attacks. This was evident in the recent cyberattack against Arup, a private U.S. company, in which an employee was tricked by an AI-generated CFO and convinced to transfer $25 million to an offshore bank. The Arup case also highlights the role of artificial intelligence and generative AI in future cybersecurity concerns.


Great article Alexis! I think another issue that you briefly mentioned is the constant innovation of cyber-attacks, especially when it is about international relations. You mentioned Russia, but it is not an isolated case; there were many cyber-attacks done by foreign countries that were almost impossible to prevent. With the constant innovation of cyber-attack strategies, it is difficult to block 100% of them, so is the best way to protect ourselves really through legislation? It surely can, but foreign companies may be able to surpass the software's capacity limited by the legislation. Is the best defence the offense in that issue? It is a concerning yet interesting issue!
