Many of the world’s conflicts are born out of disputes over resources. Since the earliest days of civilization, physical battles have been waged over land and the goods therein. Nowadays, with countless resources critical to finance, health care, national security, agriculture and technology living on the web, the theater of war has moved to the digital realm as well. The stakes behind cyberwarfare can be just as high as those for armed conflicts occurring in the real world.
This past year, our nation has been on the wrong end of a flurry of cyberattacks. Viruses originating on foreign soil have caused stoppages to our food and energy supply chains. Domestically, curious civilians and so-called “hacktivists” have launched cyberattacks of their own, resulting in the leaking of private IRS tax data numerous times over the past five years. In response, investigations are ongoing into the potential sources of foreign cyberattacks, longtime domestic hacker Christopher Doyon was recently arrested, and the Senate is currently deliberating on new cybersecurity legislation. Now more than ever, we must understand our cybersecurity apparatus, the public-private partnership that operates it, and the legal structure it lives within.
Cybersecurity is governed by many laws, regulations and initiatives, but three of the most important cybersecurity regulations are the 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley Act (GLBA) and the 2002 Homeland Security Act’s Federal Information Security Management Act (FISMA). Together, these three acts are the cybersecurity laws that protect health information and financial data and maintain national security.
Health Insurance Portability and Accountability Act (HIPAA)
The 1996 HIPAA Security Rule ensures the safety of personal health information. HIPAA’s Privacy Rule defines proper uses and disclosures of personal health information. Combined, these rules help health care entities protect Electronic Protected Health Information (ePHI). The HIPAA Security Rule specifies that such entities MUST build safeguards to protect ePHI in specific ways:
- All health data sent, stored, received or produced is kept confidential and can be accessed only by authorized individuals
- Public and private entities alike have a legal mandate to safeguard their HIPAA-protected information from threats
- Entities must ensure that authorized members of their workforce take appropriate precautions with the data themselves
These HIPAA mandates typically manifest in the form of the following safeguards:
- Access control: automatic logoff, emergency access procedures, encryption/decryption and unique user identification
- Device and media controls: accountability, data backup, disposal, media re-use and storage
- Facility access controls: limitations on physical access, maintenance records and validation procedures
- Information access management: access authorization, access establishment and modification
- Security management process: information system activity review, risk analysis and risk management
- Workforce security awareness and training: login monitoring, password management, protection from malicious software and security reminders
These cybersecurity safeguards are now commonplace in all industries whenever sensitive data is involved.
Gramm-Leach-Bliley Act (GLBA)
The 1999 GLBA requires financial institutions to disclose their information-sharing practices to the government and their customers, and requires those institutions to safeguard sensitive data. Financial institutions are defined as companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance.
GLBA also requires the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) to implement standards, while other agencies have the option of issuing guidance. The SEC released the Procedures to Safeguard Customer Records and Information (the SEC Safeguard Rule), and the FTC released its Safeguards Rule. Both rules require financial institutions to develop, implement and maintain a comprehensive information security program.
Homeland Security Act (HSA)
The 2002 HSA establishes what is now known as the Cybersecurity and Infrastructure Security Agency (CISA). The HSA directs CISA to: enable real-time, integrated, and operational actions across federal and non-federal entities; facilitate cross-sector coordination to address risks and incidents that may be related or could have consequential impacts across multiple sectors; conduct and share analysis; and provide technical assistance, risk management and security recommendations.
CISA deploys assistance to potentially impacted entities, analyzes the potential impact across critical infrastructure, investigates those responsible in conjunction with law enforcement partners and coordinates the national response to significant cyberattacks.
As the capabilities of technology and software expand throughout the 21st century, so must cybersecurity protections. In 2016, President Obama announced the Cybersecurity National Action Plan (CNAP). CNAP has four main tenets:
- Establish the “Commission on Enhancing National Cybersecurity” to make recommendations on actions that can be taken over the next decade to strengthen cybersecurity in both the public and private sectors.
- Modernize government information technology (IT) and security.
- Empower Americans to secure their online accounts through a new National Cybersecurity Awareness Campaign.
- Invest more than $19 billion to address cybersecurity deficiencies.
Most cybersecurity vulnerabilities are considered to be the result of a lack of enterprise-wide processes and governance and a reluctance to share intelligence between private companies and the government. To solve this problem, we need a strengthened partnership and mutual understanding between private companies and the U.S. Department of Defense to keep our online assets safe and our nation secure. To prepare yourself, IDB offers the courses Cyber Risk Management Program in a National Security Context and Governing Spaces in the Information Age to help you learn the current state of U.S. cybersecurity and ready your organization for the future.
About The Institute for Defense and Business
The Institute for Defense and Business (IDB) delivers educational programs and research to teach, challenge and inspire leaders who work with and within the defense enterprise to achieve next-level results for their organization. IDB features curriculum in Logistics, Supply Chain and Life Cycle Management, Complex Industrial Leadership, Strategic Studies, Global Business and Defense Studies, Continuous Process Improvement, and Stabilization and Economic Reconstruction. Visit www.IDB.org or contact us on our website for more information.