International Cyber Terrorism
A June 2013 Congressional report found there were over 50 statutes relevant to
cybersecurity compliance. The Federal Information Security Management Act of
2002 (FISMA) is one of the key statutes governing federal cybersecurity regulations.
Federal Government
United States
There are few federal cybersecurity regulations, and the ones that exist focus on
specific industries. The three main cybersecurity regulations are the 1996 Health
Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley Act,
and the 2002 Homeland Security Act, which included the Federal Information Security
Management Act (FISMA). The three regulations mandate that healthcare
organizations, financial institutions and federal agencies should protect their systems
and information. For example, FISMA, which applies to every government agency,
"requires the development and implementation of mandatory policies, principles,
standards, and guidelines on information security." However, the regulations do not
address numerous computer-related industries, such as Internet Service
Providers (ISPs) and software companies. Furthermore, the regulations do not specify
what cybersecurity measures must be implemented and require only a "reasonable"
level of security. The vague language of these regulations leaves much room for
interpretation. Bruce Schneier, the founder of Cupertino's Counterpane Internet
Security, argues that companies will not make sufficient investments in cybersecurity
unless government forces them to do so. He also states that successful cyberattacks on
government systems still occur despite government efforts.
It has been suggested that the Data Quality Act already provides the Office of
Management and Budget the statutory authority to implement critical infrastructure
protection regulations by the Administrative Procedure Act rulemaking process. The
idea has not been fully vetted and would require additional legal analysis before
a rulemaking could begin.
State Governments
State governments have attempted to improve cybersecurity by increasing public
visibility of firms with weak security. In 2003, California passed the Notice of Security
Breach Act, which requires that any company that maintains personal information of
California citizens and has a security breach must disclose the details of the event.
Personal information includes name, social security number, driver's license
number, credit card number or financial information. Several other states have followed
California's example and passed similar security breach notification regulations. Such
security breach notification regulations punish firms for their cybersecurity failures while
giving them the freedom to choose how to secure their systems. Also, the regulation
creates an incentive for companies to voluntarily invest in cybersecurity to avoid the
potential loss of reputation and the resulting economic loss that can come from a
successful cyberattack.