
A while back, we wrote an article about whether or not you should add fear to risk management. We discussed how fear can be the inspiration your employees and the C-suite need to get on board with cybersecurity policies and tech. But, what if we think on a larger scale? Should we let fear guide local, state and federal cybersecurity laws?
The media
It doesn’t matter what procedural law enforcement show you watch or news channel you tune into, the story is always the same – cyber terrorism is going to be the end of us.
Just think of the last crime drama you watched. Chances are that they blatantly misrepresented how cybersecurity works. In a recent episode of Hawaii 5-O, Nick Jonas (Yep. Of the Jonas Brothers.) hacked a commercial airplane with ease and after all the drama that is Hawaii 5-O, a click of a button saved a plane full of passengers.
Now think about the typical news cycle. To fill airtime, news stations come up with some of the most dramatic, fear-instilling, lack-of-context stories you can imagine. We all know that one person who refuses to drink anything but bottled water after seeing a story about tap water on the nightly news; now think about the fact that most of what these people know about cyber terrorism comes from the news. And that they may vote for what cyber laws go into place.
If we are being honest, we are not innocent in this case. We tend to share the scary stats on our blog and social media channels to help the IT professionals get their teams ready for action, but we rarely touch on how this information should be handled in terms of government oversight.
Cybersecurity and the law
We are not law experts, but here is a very high-level breakdown of two areas of the law having to do with cybersecurity:
PATRIOT Act
This act covers way more than most people know about. Dark Matters has a nice summary of the two main ways this law affects cyber terrorism:
“It increased the minimum prison terms for unauthorized access to a computer system, regardless of activity once in the system i.e. mixing criminal activity and cyberterrorism under a cyberterrorism section heading (§ 814.a.4).
Additionally, the law amended ‘the Federal sentencing guidelines to ensure that any individual convicted of a violation of section 1030 of title 18, United States Code, can be subjected to appropriate penalties, without regard to any mandatory minimum term of imprisonment’ (§ 814.f).”
New sanctions
We have heard it many times before, but President Obama was very serious in his 2015 State of the Union Address when he declared cybersecurity a threat that we must defend against. On April 1, 2015, an executive order was signed that authorizes a set of new sanctions against those whose cyber attacks result in substantial threats to national security or economic health. As ZDNet explains, “it gives authorities the power to freeze assets, and also allows sanctions to be applied against companies that knowingly use stolen trade secrets.”
What can you do?
There is a lot of grey area. A majority of these laws are not created, reviewed, approved or enforced by those of us who live cybersecurity day in and day out. Those of us who understand “good” versus bad hacking. Those of us who know what businesses need to keep everyone safe.
Talk to your congress person(s). You, or a group of like-minded individuals, need to speak up. You need to write letters, make phone calls, make office visits and lobby. You can hold cybersecurity education events and invite (and strongly encourage) your representatives and fellow voters to attend. Professionals, like you, educating those in charge on the reality of cybersecurity is going to lead to more effective laws than relying on the media to educate them.
It’s a topic that is full of opinions, insight and new discussions every day. What are your thoughts on the state of cyberterrorism and the laws (new and old) associated with it?