How Our Government Secures the Internet
On October 21, 2016, the Internet of Things was turned into a large botnet for a DDoS attack, and as it stands, the best way to fix the issue may be to implement security measures and promulgate more regulation. There are already multiple state and federal laws. Also, several executive orders were issued by the president. So, what are these executive orders? What are some of the relevant statutes? What do these laws prohibit?
First, there are the executive orders that were signed under the Obama Administration. As it stands, these may be overturned depending on the actions of the new president. For the most part, these executive orders have focused on the creation of committees to better secure the nation's network systems. In addition to programs like CNAP, committees have been formed to tackle issues of national security, with some help from pre-existing federal agencies. These committees involve not only the government, but also business enterprises like Microsoft, Apple, Google, AT&T, Time Warner Cable, or Verizon to help enhance security measures.
Most important, however, has been the shift toward a collaborative approach to cybersecurity. In fact, recent executive orders contain guidelines to promote sharing information about cybersecurity incidents. For example, Executive Order 13636 focuses on information sharing, privacy, and adoption of cybersecurity practices. Executive Order 13691 states that public, private, and governmental entities must be able to share cybersecurity risk information. It also focuses on developing Information Sharing and Analysis Organizations (ISAOs). Executive Order 13694 allows sanctions on individuals responsible for malicious cyber-enabled activities that harm national security, foreign policy, economic health, or financial stability. Also, Executive Order 13718 directs the National Institute of Standards and Technology (NIST) to provide the commission with expertise, services, funds, facilities, staff, equipment, and support services to carry out its mission.
This new approach encourages sharing information about cybersecurity risks. The thought process is akin to the premise behind vaccination. Upon gaining awareness of a new gap in security, individuals in the market will team up with the government to "patch" the hole. With more individuals involved, we can work together to inoculate ourselves and prevent the spread of the exploits.
Next, there are the laws that were promulgated by Congress. However, these laws are less protective of the nation's network systems and more protective of personally identifiable information, especially information under the government's control. For example, the Federal Information Security Management Act of 2002, in addition to funding more protective measures, requires the new security measures to respect privacy laws. Other federal privacy laws include the E-Government Act and the Privacy Act.
The future of executive orders is still unknown due to the new election. However, it may entail further regulations for smart devices to require easier updating procedures and extensive security measures. There are some measures in place through FCC regulations prohibiting the sale or sharing of consumer information gathered by products or services (e.g., health trackers). This gives further latitude to the FCC to implement new measures. However, it may raise concerns over the extent of the government's authority.