Digital technologies develop rapidly and are implemented in a wide variety of fields constantly. As almost every aspect of everyday activities is related to modern technologies, controversial problems may occur. Individuals rely on digital devices to make purchases, store personal data, communicate, or find information. Businesses and organizations utilize modern technology to make financial transactions, maintain commercial activities, optimize operations, and work with big data. Governments and authorities also rely on digital technology as it is broadly utilized in such vital fields as the national economy, healthcare, and even defense. Therefore, the provision of cybersecurity became essential not only in the private sector but also on a national level. It may be critical to prevent cybersecurity breaches or data leaks to maintain the effective functioning of the government and ensure the sovereignty of the country.
As a response to rising security threats National Security Strategy (NSS) has been developed. It plays a considerable role in outlining the core principles and dimensions in which security and cybersecurity initiatives are implemented on a national level (Deitchman, 2019). The NSS is periodically developed by the government to address existing threats. Even though it may be an essential part of the basic activity functioning of any country, NSS frameworks may differ significantly as the global threat and cyber threat environment is not uniform. Some regions may suffer most from ransomware, whereas others view social engineering attacks as the primary threat. Therefore, the U.S. government periodically updates the NSS to address the relevant needs of the United States.
Nonetheless, it may not be possible to comprehensively address cybersecurity issues in a multi-level NSS that focuses on a wide variety of fields that are not related to cyberspace. Some other documents and protocols consider cybersecurity as an independent issue. For instance, according to the National Strategy to Secure Cyberspace (2003), the core strategic objectives are to “prevent cyberattacks against America’s critical infrastructures, reduce national vulnerability to cyberattacks, and minimize damage and recovery time from cyberattacks that do occur.” Even though these objectives may remain relevant, the concrete frameworks that are used to prevent cybercrime may become outdated. Technology develops rapidly, and hence, new, unprecedented cyber threats emerge. It may be necessary to develop a relevant national cybersecurity strategy annually to address existing threats. However, the National Strategy to Secure Cyberspace has introduced almost two decades ago and did not receive the necessary updates.
The role of the National Strategy to Secure Cyberspace is partially adopted by the NSS. The NSS is developed periodically, with the latest issue introduced in 2017. Therefore, it contains more relevant approaches to current threats in different fields, including cybersecurity. According to the U.S. National Security Strategy (2017), it is critical to improve cyber tools and expertise, as well as achieve higher integration and agility. However, even though the most recent NSS acknowledges cyberspace as an essential element of national security, the document does not provide sufficient and concrete frameworks that could be implemented to prevent cyber threats and mitigate related risks. At the same time, cyberspace becomes more and more important in terms of national security as it penetrates various vital fields, influencing political, economic, and social aspects of human life. Moreover, as new threats emerge, it may be critical to introduce response mechanisms that are adequate and effective.
Therefore, the NSS may not provide sufficient strategic guidance in terms of national cybersecurity. Even though it is the most recent document that considers various aspects of cyberspace through the prism of national security, its frameworks may not be relevant to the cyber threat environment in 2021. Covid-19 caused a dramatic change in the use of digital technology worldwide. As a consequence, cybercrime evolved alongside new technologies, introducing new challenges to security on both individual and national levels. Furthermore, new cyber threat actors will continue to appear, and the cybersecurity threat landscape will continue to change. It may not be possible to develop a comprehensive cybersecurity strategy that can remain relevant for several years (Tikk, 2018). Moreover, in the light of recent covid-related events, it may be challenging to sufficiently address cybersecurity issues within a unified NSS. Hence, it may be highly beneficial to introduce a separate cybersecurity strategy that should be published alongside the NSS. In addition to that, it may be critical to constantly analyze the cybersecurity threat landscape and update existing frameworks regularly to address the most relevant issues.
Public/Private Partnerships
As already mentioned, the cybersecurity threat landscape transforms as new actors emerge and new vulnerabilities are found. Therefore, introducing a timely response is a critical element of effective cybersecurity. To achieve that goal, sufficient information regarding the latest threats may be required. Vulnerabilities and particularly zero-day vulnerabilities may be discovered by organizations in the private or the public sector. However, the same exploit may result in a cybersecurity breach in other organizations if the information is not shared. Frameworks and regulations that maintain the interchange of cybersecurity information between organizations in both public and private sectors may contribute to significant improvements in national security (Kosseff, 2019). The Cybersecurity Act of 2015 aims at resolving communication-related issues as well as providing legal frameworks. However, diverse barriers still complicate data interchange and mitigate the potential benefits of a partnership between public and private organizations. Moreover, several ethical issues and privacy concerns may require further consideration. It may be rational to improve existing regulations to encourage public and private partnerships adequately.
Nonetheless, the Cybersecurity Act of 2015 contains valuable information regarding possible ways of maintaining such a partnership. According to Reffkin (2016), federal entities should regularly provide reports to inform the private sector about potential cyber threat indicators and related defensive mechanisms. In addition, diverse frameworks were introduced to provide the private sector with relevant data about the cyber threat landscape and recently developed cybersecurity measures. One of these frameworks can be represented by the National Cybersecurity and Communications Integration Center (NCCIC), which serves as a hub that promotes communication between cybersecurity stakeholders. Even though timely sharing of information is the key to improving cybersecurity, there are some legal limitations. First, shared data should not violate relevant legislation and regulations. Second, it is prohibited to share any information that contains the personal data of citizens and hence, violates privacy laws. Finally, the data should be masked to reduce the risks related to human error or insider attacks.
The Cybersecurity Act of 2015 also offers opportunities for the private sector to share relevant data for the common benefit. However, provided data should not violate any of the above-mentioned limitations and should not contain the personal information of users. It is critical only to collect information that can be used to build knowledge regarding potential cyber threats and improve cybersecurity in general. Therefore, several primary purposes of data sharing can be outlined. One of the main goals of data sharing is the prevention of threats and the reduction of related risks. Hence, it is essential to identify emerging threats and develop an appropriate response timely. Defensive mechanisms should rely on the latest technological advances and introduce a comprehensive approach to cybersecurity regardless of the origin of the targeted threat or threat actor. Another objective is conducting cybersecurity-related activities without violation of any existing laws. Several ethical issues and privacy concerns may make data sharing a challenging process, yet it is critical to address these issues and not violate citizen privacy.
Therefore, the private sector is not obliged to share any data with NCCIC, and cooperation is not mandatory. Furthermore, authorities should not limit an organization in any way if it refuses to provide such information. Such limitations are essential in terms of protecting personal data, securing classified information, and maintaining a free market. Mandatory data sharing could compromise the principles of fair competition and force private entities to leak valuable information related to their core business activities. Even though the Cybersecurity Act of 2015 explores the themes of privacy and personal data sharing, provided frameworks and limitations may not be sufficient. It may be vital to update the act to prohibit withholding any data that contains the private information of citizens (Deitchman, 2019). It may also be highly beneficial to refocus on identifying cybersecurity threats and mitigating consequential harm. Further development of frameworks should be conducted to encourage fruitful cooperation of private and public sectors without violation of privacy.
References
Deitchman, S. J. (2019). National security strategy for the future. Beyond the Thaw, 92–129.
Kosseff, J. (2019). Cybersecurity law (2nd ed.). John Wiley & Sons.
Reffkin, C. (2016). The Cybersecurity Act of 2015: Can we legislate effective data security? Overview of Cybersecurity Act of 2015 | Crowe LLP.
Tikk, E. (2018). National Cybersecurity legislation: Is there a magic formula?Cybersecurity Best Practices, 615–633.
White House. (2003). The National Strategy to Secure Cyberspace. White House communications agency Washington DC.
White House. (2017). National security strategy of the United States of America. Web.