Cybersecurity Laws- Over the past two decades, technology has advanced at a breakneck speed. With each passing year, we continue to reap the benefits of technology while also increasing our reliance on it. Our lives have been revolutionised by web applications, drones, mobile apps, industrial automation, machine learning applications, and other technology. However, these technologies pose significant risks to humanity. As a result, cybersecurity legislation has been enacted by our governments.
The Scale of the Cyber Threat
The US government spends almost $19 billion on cybersecurity each year. Cyber-attacks, on the other hand, are increasing at a rapid rate every year.
Cybersecurity efforts aim to address three key threats:
- Cybercrime is defined as a single or coordinated act aimed at disrupting or profiting from computer systems.
- Cyber-attacks: a common feature of cyber-attacks is the collection of data for political purposes.
- Cyber-terrorists: are designed to induce panic or fear by undermining electronic systems.
With this in mind, cybersecurity laws are created to protect people from cyber-attacks and to counter them. Because practically every firm has an online component these days, cybersecurity regulations apply to almost all of them.
What is the scope of cybersecurity legislation?
The most prevalent issues that occur from cyber attacks are often covered by cybersecurity laws and regulations. Criminal behaviour, business governance, insurance issues, and law enforcement authority are among the topics discussed.
Previous Cybersecurity Laws
Cybersecurity legislation did not have much sway in the past century. At the time, the type of cybercrime perpetrated was not as serious as it is now. The regulations were analogous to copyright protection or software piracy legislation at the time.
However, the threat has grown, and far more serious cyber-attacks are now the norm. The use of ransomware to outright treason are all examples of these crimes. To combat and deter such acts, substantial action must be taken now. Increased legislative action has resulted from the growing threat.
Current Cybersecurity Laws
To discourage such behaviour, fines of up to $5 million have been imposed, as well as hefty prison sentences. Given the damage that hackers can cause, instituting such penalties for cybercrime may still be insufficient.
Prior to 2015, the United States’ federal government was ignorant of multiple attempted data breaches at private entities. With the passage of the Cybersecurity Act of 2015, all of that changed. Congress finally passed legislation allowing companies in the United States to share personal information related to cybersecurity with the government after numerous attempts. This information could be used by the government to prosecute criminals.
Difficulty in Prosecution
Cybercrime was previously difficult to prosecute for the following reasons:
Area of jurisdiction
Jurisdiction was one of the issues that prosecutors had to deal with. The perpetrator of the crime was frequently found to be outside of the country or the legal jurisdiction of the court. This is why the US is concentrating its efforts on the international stage and forming cyber allies.
Many cybercrimes go unreported
The majority of cyber-crimes go unpunished because the perpetrators do not report the crime to authorities. Because of the negative impact and loss of trust that would result, small, medium, and even large organisations have failed to disclose breaches.
Evidence collection was quite difficult
In recent years, digital forensics has advanced dramatically. To identify and preserve evidence that can be used to prosecute cyber-criminals, best practises and strict processes have been developed. However, in the not-too-distant past, prosecuting cyber-criminals was difficult due to a lack of expertise in gathering and preserving evidence.
Cyber-criminals use advanced methods to cover their tracks
Hackers can operate with a degree of anonymity thanks to the use of TOR and VPNs. Aside from that, hackers work tirelessly to hide their identities. Cybercriminals are at the forefront of research, and they are constantly working to make themselves more difficult to detect, track, and apprehend.
What sorts of activities are criminalised by law?
Cybersecurity laws and regulations have an impact on the types of crimes that are committed in various industries. Federal law and county law are two of the sectors.
Cybersecurity laws make the following activities illegal:
- Hacking into computers
- Economic espionage is a type of espionage that occurs when
- Corporate espionage is a type of espionage that occurs when
- Theft of one’s identity
- Breaking into computer systems, gaining unauthorised access to data, and altering or deleting it
- stealing information that is confidential
- Unauthorized communication publication or use
- Copyright infringement is a crime.
- Fake news is being spread.
- Children’s sexual exploitation
- Defacing websites on the internet
- Increased volumes of irrelevant internet traffic cause websites to become unavailable to the users who are supposed to be viewing them.
- Numerous other crimes committed over the internet have been criminalised under various categories of the law.
Ways in which cybersecurity regulations are enforced
Cybersecurity is addressed in the United States through sector-specific initiatives, general regulation, and private sector participation. Cybersecurity standards are implemented in a variety of ways at the national or federal level.
Federal Cybersecurity Laws in the United States
Health Insurance Portability and Accountability Act (HIPAA) (1996)
In 1996, President Bill Clinton signed the Health Insurance Portability and Accountability Act, or HIPAA.
Prior to HIPAA, there was no industry-wide standard for managing protected personal information (PPI) held by healthcare companies. There were no best practises in place when it came to security. Health records were previously held as paper documents, which is one of the reasons there were no cybersecurity guidelines in the healthcare industry.
The healthcare sector was trying to shift away from paper records in order to become more efficient just before HIPAA was implemented. The requirement to access and share patient information swiftly arose from the need to become more efficient.
Many companies were formed to capitalise on the need for electronic healthcare records and profit from it. For the most part, security was an afterthought for most of these businesses. The government immediately saw the necessity for rules to ensure that security requirements were adhered to.
HIPAA’s main goals include the following:
- Streamline the storage and processing of healthcare data.
- Ascertain that hospitals, insurance firms, and other health-related businesses protect private personal information appropriately.
- Limits on health insurance should be addressed.
- The Gramm-Leach-Bliley Act (GLBA) is a federal law that prohibits financial institutions from failing to comply with the Gramm-Leach (1999)
Gramm-Leach-Bliley Act (GLBA) (1999)
- GLBA’s main accomplishment was to remove a piece of a 1933 law that had become obsolete. The Glass–Steagall Act of 1933 was the name of this law. In banking, securities, and insurance, the Glass–Steagall Act prohibited corporations from doing business together. Insurance and securities were also prohibited from being sold by a bank.
GLBA also compels financial institutions to disclose how they retain and protect their customers’ personal information, in addition to the aforementioned requirements. Safeguard Rules were introduced as part of the GLBA. The law states that certain safeguards must be followed. The safeguard rules include, among others, the following:
- Employees who will have access to consumer information should have their backgrounds checked.
- A confidentiality promise must be signed by all new workers.
- On a “Need to Know” basis, limit access to private information.
- Strong passwords should be required, and they should be changed on a regular basis.
- Require that computer screens lock after a certain period of inactivity.
- Implement data encryption and device security policies.
- Employees should get initial and ongoing security training, as well as reminders of the policy.
- Create remote work security policies.
- Develop policies that will use discipline to enforce security violations.
- Take precautions to protect data while it is in transit and at rest. Control who has access to the information as well.
- Securely dispose of data
Act to Protect the Homeland (2002)
George W. Bush signed the Homeland Security Act of 2002 into law. The Federal Information Security Management Act was incorporated as part of this legislation (FISMA).
Following repeated terrorist assaults in the United States, the United States passed the Homeland Security Act. The World Trade Center bombing and the distribution of anthrax spores to news outlets and government leaders are examples of these terrorist acts.
The Department of Homeland Security was created by the Homeland Security Act of 2002. (DHS). Other aims of the act were cybersecurity-related FISMA requirements. The National Institute of Standards and Technology’s implementation was incorporated in FISMA (NIST). The National Institute of Standards and Technology (NIST) is now in charge of creating cybersecurity standards, guidelines, and methodologies.
The National Institute of Standards and Technology (NIST) lays out nine steps to achieving FISMA compliance:
- Sort the data you want to keep safe into different categories.
- Choose the bare minimum of controls for a baseline.
- Use a risk assessment approach to fine-tune your controls.
- In the system security plan, document the controls.
- Apply security measures to any information systems that aren’t appropriate.
- After the security controls are in place, evaluate their efficacy.
- Assess the mission or business case risk at the agency level.
- Authorize the data processing system.
- Always keep an eye on the security controls.
Is It Enough to Have Laws?
Healthcare organisations, financial institutions, and federal agencies are all subject to the three regulations listed above. However, there are no cybersecurity laws in many other industries.
Some contend that more government involvement isn’t required. Securing data and sensitive information is in the best interests of any organisation. Companies and organisations place such a high value on this effort that they invest large sums of money.
Others believe that protecting civilians is the government’s obligation. To ensure that residents are protected, this responsibility necessitates the creation and enforcement of laws.
Despite the greatest efforts of enterprises to maintain compliance with laws, regulations, and best practises, data breaches and successful assaults continue to occur. Nonetheless, having efficient rules in place can surely aid in the goal of data security.