Information and Cyber Security Essay Example

order to protect its intellectual property, personally identifiable information, and IT infrastructures.

Even though there are challenges in enforcing and regulating cybercrimes, governments and industries can strengthen and improve its cybersecurity and IT infrastructures through the implementation of cybersecurity standards and procedures to better protect intellectual property, personally identifiable information, and assets from cybercrimes.

Background

The basis of this paper is influenced by the attacks against the U.S. Office of Personnel Management (OPM). The OPM is a civil service agency that recruits applicants seeking employment in the U.S. government. In addition to recruitment, the OPM is responsible for the security clearances of government employees, and, therefore, the OPM handles the investigations and background checks into government employees.

In June 2015, the OPM had found that there was a breach in the background investigation records of current, former, and potential federal employees and contractors. According to the U.S. Office of Personnel Management (2016) report, 21.5 million Social Security Numbers (SSNs), which included 19.7 million people who applied for a background investigation, as well as, 1.8 million non-applicants that were spouses, partners, or co-habitants. In addition to the stolen SSNs, the attackers obtained around 5.6 million fingerprint records of applicants, as well as, the usernames and passwords of the applicants (U.S.

Office of Personnel Management, 2016). Before this incident occurred, another breach of the OPM’s IT infrastructure was reported. During this breach, attackers took the personnel data (full name, birth date, addresses, and SSNs) of current and former government employees (U.S. Office of Personnel Management, 2016). The OPM neglected to take simple steps to secure its IT infrastructure that may have prevented the breaches. According to the Office of the

Inspector General (OIG), the OPM has had a long history of negligent security and has continually ignored the recommendations of the OIG (Davidson, 2015).

As a result of the insufficient cybersecurity in place at the OPM, millions of current, former, and prospective government employees’ careers have been impacted and their personally identifiable information has been taken.

Regulations and Enforcement Challenges

Because the Internet transcends borders and allows for anonymity, it is very difficult to enforce and regulate cyber attacks. Laws and regulations are exceedingly hard to enforce because the attacks can come from any person from anywhere in the world and the different perspectives of cyber crime and enforcement in each sovereignty. The European Convention on Cybercrime (ECC) is the first and only international accord that addresses the problems of cyber attacks and the need for cooperation between state actors to enforce and regulate cyber crime within each nation’s borders (Introduction and Overview – Legal & Law Enforcement Challenges).

This agreement indicates the policies and standards that each signatory must adopt. The ECC also indicates the duty each state has in preventing cyber attacks of non-state actors on other signatories in its jurisdictions and that each signatory adopts the responsibility to criminalize culprits of cyber crime (Introduction and Overview – Legal & Law Enforcement Challenges). Without cooperation and consensus on cyber crime between nations, the enforcement and implementation of regulations against cyber crime and criminals would be nearly impossible. Due to the different viewpoints and regulations adopted in each nation, consensus and cooperation in the enforcement and regulation of cyber crimes has been insufficient.

This cooperation and consensus can also be beneficial within a nation between the private

and public sectors. Because many government agencies rely on contractors and other private industries, it is important that both the private and public sectors work together to secure its IT infrastructures. According to the Cyberspace Policy Review by the Department of Homeland Security (DHS) (2015), there needs to be shared information between the private and public sectors on cybersecurity, detection methods of threats, breaches and attack methods, remediation practices, and digital forensic capabilities. Information sharing between the private and public sectors could greatly improve the cybersecurity of the U.S. However, there are some challenges faced by a private-public sector partnership. Industry is concerned that some federal laws may prevent a complete collaboration due to the perceived collusion between industry and the government, fear of releasing proprietary information, and the reputational harm resulting from publicized attacks, as well as, the lack of trust in sharing information by the federal government and the necessity to maintain secrecy on intelligence sources and methods used by the federal government (Department of Homeland Security, 2015).

These barriers create a lack of full commitment to partake in the private-public sector partnership. As a result of the concealment of a cyber attack, it is difficult for individuals, businesses, and governments to determine who was the perpetrator of the attack. This is also known as technical attribution, which can be extremely challenging with more sophisticated, state sponsored attacks that can piggyback off of other Internet protocol (IP) addresses in order to conduct the attack (Introduction and Overview – Legal & Law Enforcement Challenges). Although there is no current technology to discern the false IP addresses from the actual culprit, digital forensics may help identify

certain attributes of the attacker that can aid in technical attribution (Introduction and Overview – Legal & Law Enforcement Challenges).

Without sufficient evidence on the attacker, it is still extremely difficult to catch and prosecute cyber criminals. This effort is made more difficult when the suspected culprit is a state actor.

Enforcement Procedures and Industry Standards

After the massive intrusions into the OPM, the OPM created a multi-level strategy that would improve and strengthen its cybersecurity. In order to improve its information security, the OPM introduced a two factor strong authentication for network users, restricted remote access for administration functions, reviewed all business connections with access to its Internet, implemented anti-malware software to protect the network, and employed continuous monitoring of the system by a 24/7 Security Operations Center among many other policies put in place to improve and strengthen its information security (U.S. Office of Personnel Management, 2015).

Because the OPM was unable to protect the millions of individuals who lost private, personal information in the data breaches, these aforementioned steps are the principal phases of the plan to bolster cybersecurity at the OPM. In addition, the OPM has invested millions more into the budget to modernize its IT systems and collaborated with the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) to develop best practices and information security policies to implement at the OPM (U.S. Office of Personnel Management, 2015). The OPM possesses more personally identifiable information and other private, personal records than most federal government agencies, so it is crucial that the OPM implements these procedures and standards to safeguard its information by strengthening and updating its

cybersecurity policies and practices. These efforts are also important to implement into industry standards and procedures.

Because many government agencies rely on contractors and industries to provide services and equipment, industries need to bolster and update its cybersecurity systems. For example, the Cyber Information Sharing and Collaboration Program (CISCP) was developed by DHS to encourage cyber threat information sharing to the private sector so that industries may be able to recognize and identify threats to its IT infrastructures (The White House, Office of the Press Secretary, 2015). Public and private sector collaboration is key to improving cybersecurity efforts in the U.S. As a result of the effort of CISCP, the DHS has provided the private sector with over 28,000 indicators of cyber threats (The White House, Office of the Press Secretary, 2015). Information sharing and collaboration between the private and public sectors will ensure that best practices and standards are in place.

In addition to the standards and practices being put in place, the government has developed new ways to respond to and enforce cyber crimes. President Obama enacted Executive Order 1694, which gives the Secretary of Treasury, the Attorney General, and the Secretary of State the ability to enforce financial sanctions on individuals and groups that have contributed to any cyber threats impacting national security, foreign policy, or economic health or stability of the U.S. (The White House, Office of the Press Secretary, 2015). This order allows the government to impose economic sanctions against those that commit cyber threats, as well as, those involved in supporting, assisting, or ordering the cyber attack.

The Department of Justice has collaborated with international authorities to dismantle cyber criminals on the

dark web and bring these cyber criminals to the U.S. for justice (The White House, Office of the Press Secretary, 2015). International collaboration is crucial in the enforcement procedures of cyber crimes. Without consensus, it is challenging to enforce regulations related to cyber crimes, especially when the perpetrator is a state actor.

The Impact of Cybercrime

The data breaches on the OPM caused reputational damage and leaked sensitive, personal information. The OPM is responsible for conducting the investigations behind federal employment and security clearances. The cyber attacks resulted in the theft of over 20 million personally identifiable information of current, former, and prospective federal employees, as well as, the personal information of non-applicants. One year after the data breaches, 6,800 incidents of identity or credit theft have been reported, but there is no way to prove that these incidents are a result of the OPM cyber attacks (Davidson, 2016).

The OPM is extending its identity and credit monitoring services from three to 10 years, as well as, increase the identity theft insurance to $5 million (Davidson, 2016). As a result of these cyber attacks, the OPM is required to improve and implement policies and standards, as well as, modernize and restructure its IT infrastructure. The OPM is not the only agency to be effected by cybercrime; there are many government agencies, industries, and individuals who have been impacted by cybercrimes. In fact, it is estimated that cybercrimes result in a cost of anywhere from $375-$500 billion annually (Intel, 2014).

The cyber attacks on banks have resulted in billions of dollars lost worldwide. A cyber theft of $45 million was carried out on two banks in the Persian Gulf,

and $1.3 billion was stolen in a cyber attack on a British company (Intel, 2014). The economic damage caused by cyber attacks harm the economic and financial stability of a nation, as well as, individuals and industries within that nation. Because of the subsequent reputational harm that a cyber attack can incur, many incidents of cybercrime go unreported or denied publicly. Monetary losses are not the only costs of cybercrimes.

In 2013, the theft of personally identifiable information was more than 40 million in the U.S., 54 million in Turkey, 20 million in Korea, 16 million in Germany, and more than 20 million in China (Intel, 2014). Luckily, not all cyber criminals are able to take this personal information and profit from it, but this cyber theft of personal information may still impact industries, economies, and national security for each of these nations. In the case of the OPM data breaches, the personal information stolen may impact national security and the sensitive information of government agencies. The theft of intellectual property has also become a serious issue of cybercrime. Countries that depend on cutting edge technology and innovation may be impacted greatly when intellectual property is stolen.

The cyber theft of intellectual property can result in the loss of competitiveness with other nations, which may result in the loss of jobs, trade, and income (Intel, 2014). According to a report from the U.S. Department of Commerce, the U.S. loses $200 to $250 billion each year from intellectual property cyber theft (Intel, 2014). Countries with wealthier economies and reliance on technology and innovation suffer the greatest losses to cybercrime. For example, the U.S., China, and Germany lost more

than $200 billion to cybercrimes (Intel, 2014).

These losses to cybercrimes can have an immense impact on the commercial interests and national security of these nations.

Conclusion

Although cybercrime presents many challenges in its enforcement and regulation, industries and governments can improve and bolster its cybersecurity by employing standards and procedures to safeguard the intellectual property, personally identifiable information, and assets from cybercrimes. The Inspector General had reported that the OPM failed to take simple steps and follow standards and procedures to strengthen its cybersecurity (Davidson, 2015). As a result, over 20 million Americans had personal information stolen in the data breaches.

These data breaches impacted the information security of these individuals and the government agencies these Americans work for, as well as, U.S. national security. Although it is nearly impossible to completely shield IT infrastructures and data from cyber threats, industries and governments can employ cybersecurity practices that make intrusion much more difficult or do not enable the attacker to remain anonymous. More and more industries, governments, and individuals are moving activities and functions to the Internet. Therefore, it has become absolutely essential to implement cybersecurity to try and defend intellectual property, personally identifiable information, and financial assets. Without these cybersecurity standards and procedures, countries are at great risk of losing its competitiveness, damaging its economy, and harming its national security.

Cybercrime is not going to diminish over time. Because cybercrime results in little risk and great incentives, cybercrime is going to continue to flourish as more and more industries, governments, and individuals rely on the Internet. Without consensus and cooperation among nations and within the private and public sectors of each nation, cyber criminals will continue

to attack networks and IT infrastructures with little to no repercussions. In order for the regulation and enforcement of cybercrime to occur, countries and industries will need to work together to implement cybersecurity standards and procedures, as well as, make an effort to share information. The efforts of countries and industries to work together to prevent or minimize cyber attacks will have a lasting impact on national security and commercial interests of each nation.

Bibliography

1. Davidson, J. (2015, July 7). ‘Failure’ is the theme in the battering of the Office of Personnel Management. The Washington Post. Retrieved from https://www.washingtonpost.com/politics/federal_government/failure-is-the-theme-in-the-battering-of-the-office-of-personnel-management/2015/07/07/a4b92674-24f1-11e5-b72c-2b7d516e1e0e_story.html
2. Davidson, J. (2016, June 8). One year after OPM cybertheft hit 22 million: Are you safer now? The Washington Post. Retrieved from https://www.washingtonpost.com/news/powerpost/wp/2016/06/08/one-year-after-opm-cybertheft-hit-22-million-are-you-safer-now/
3. Department of Homeland Security. (2015, August 10).

   Cyberspace Policy Review. Retrieved from https://www.dhs.gov/publication/2009-cyberspace-policy-review

4. Intel. (2014, June). Net Losses: Estimating the Global Cost of Cybercrime.

   Retrieved from http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf

5. Introduction and Overview – Legal & Law Enforcement Challenges. Kent State Blackboard. Retrieved from https://learn.kent.edu/webapps/blackboard/content/listContent.jsp?course_id=_155735_1&content_id=_5492236_1
6. U.S. Office of Personnel Management.

   (2015, June). Actions to Strengthen Cybersecurity and Protect Critical IT Systems. Retrieved from https://www.opm.gov/cybersecurity/cybersecurity-incidents/opm-cybersecurity-action-report.pdf

7. U.S. Office of Personnel Management.

   (2016). Cybersecurity Incidents. Retrieved from https://www.opm.gov/cybersecurity/cybersecurity-incidents/

8. The White House, Office of the Press Secretary. (2015, July 9). FACT SHEET: Administration Cybersecurity Efforts 2015 Press Release.

   Retrieved from https://www.whitehouse.gov/the-press-office/2015/07/09/fact-sheet-administration-cybersecurity-efforts-2015