State-sponsored cyber attacks may require revamping how the government helps companies fight back.
When you need help during an emergency, you call 9-1-1—and each of your first responders has a clear role to play and works together to achieve a common goal: ensuring your well-being.
According to former U.S. Secretary of Commerce Penny Pritzker, that same type of coordinated response across the public and private sectors is exactly what “we need to defend our country against major cyber-attacks.” But former Secretary Pritzker also recognized that achieving this unified partnership between government and business may require “fundamentally changing” the way businesses work with federal agencies to counter cyber threats.
In a recent article, Professor Daniel Garrie of the Cardozo School of Law and Lieutenant Colonel Shane R. Reeves of the United States Military Academy assess what they consider the “unsatisfactory” options that companies have for confronting cyber threats from state actors. Garrie and Reeves argue that existing domestic law does not provide the “comprehensive regulatory framework” that is needed to foster strong cooperation between the public and private sectors. Moreover, they explain that because international law limits how a company can cope with a cyber attack, regulatory reforms that support robust public-private partnerships in the United States are essential.
Garrie and Reeves first explain the challenges companies face when responding to cyber attacks. Disagreement over basic definitions and criteria, rapidly changing technology, and unclear boundaries between different types of cyber activity—like “cyber crime” vs. “cyber terrorism”—create challenges when categorizing an attack. They also note that “most corporate lawyers lack the technical aptitude to properly attribute a cyber incident or to understand the appropriate response.”
In turn, the inability to categorize an attack makes it difficult to determine which agencies should respond and what the response should be. For attacks that threaten national security, the Department of Homeland Security (DHS) is tasked with coordinating a response, primarily through its National Cybersecurity and Communications Integration Center.
Companies can also submit a report to the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center. The FBI then coordinates with other appropriate agencies for further action. Depending on the type of attack, the U.S. Department of Defense’s Defense Cyber Crime Center may also provide forensics, cyber analytics, and other support. Ultimately, Garrie and Reeves conclude that it is usually best for companies to contact either DHS or the FBI, who will then coordinate with other agencies as needed.
But Garrie and Reeves also caution that recent high-profile cyber attacks—like the Sony hack—demonstrate that agencies may be limited in responding to cyber attacks by state actors. Concerns about reputational harm and liability that can stem from a cyber attack may also encourage companies to keep to themselves, rather than partner with the government.
Garrie and Reeves also observe that the present domestic legal framework for addressing cyber attacks is highly fragmented. Currently, there are at least ten federal statutes that apply to cybersecurity, which assign regulatory roles to at least seven federal agencies. Moreover, Garrie and Reeves note that many cybersecurity laws only apply to the healthcare and financial sectors and merely offer “general standards.” They lament that this complex and incomplete legal landscape means a victimized company “cannot look to a comprehensive domestic framework for a remedy.”
Given these challenges, a company might be tempted to take matters into its own hands—but according to Garrie and Reeves, international law restricts how private entities can retaliate against state actors. Although a company can take some defensive measures under international law, its response must be “physically harmless, noncoercive, and perhaps even nondetrimental.”
Faced with these limitations under international law, Garrie and Reeves conclude that, practically speaking, companies must rely on domestic law and work with government agencies to enforce these laws—which makes reforms that support greater public and private sector collaboration critical.
To improve public-private cybersecurity partnerships, Garrie and Reeves propose creating a “confidential reporting mechanism, coupled with limiting financial liability.” They argue that such a mechanism is necessary to make companies “willing to openly report a cyber incident.” Specifically, they recommend adopting “a regulatory regime similar to that imposed on financial institutions following the passage of the Patriot Act”—namely, a Financial Crimes Enforcement Network, which required that financial institutions report any “transactions suggestive of criminal behavior, money laundering, or terrorist financing by filing a suspicious activity report.”
Garrie and Reeves argue that by shielding companies from financial liability and discovery during civil litigation for reporting suspicious activity under the Bank Secrecy Act and related regulations, the government ensured that “information sharing dramatically increased” between financial institutions and government. And because companies generally have similar concerns when they report suspicious cyber activity to the government, they believe applying this model could encourage more companies to come forward.
Garrie and Reeves do acknowledge that within the last year, the Obama Administration took several steps to support private and public cooperation in addressing cyber attacks, which included establishing the Cyber Threat Intelligence Integration Center and issuing an executive order to promote cybersecurity cooperation between the government and the private sector. But Garrie and Reeves note that although these measures may help, they are still not sufficient given the difficulties that companies face.
Additionally, DHS’s National Cyber Incident Response Plan—which is currently in draft form—is limited to addressing significant cyber incidents, which are defined as those “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”
Former Secretary Pritzker delivered her emergency 9-1-1 call analogy during her recent keynote speech at the U.S. Chamber of Commerce’s 5th Annual Cybersecurity Summit, in which she lamented that companies hit with a cyber attack often see only “the downsides of engagement – potential liability, the risk of punitive action, and the investigations that may result from even basic interactions.”
That dynamic, she asserted, needs to change.