Cyber Insecurity

In 2014, five Chinese hackers were indicted by the U.S. Justice Department; new security breaches struck both public and private organizations, resulting in the loss of millions of people’s private data; and a U.S. entertainment company was hacked for releasing a movie. Yet despite these unprecedented attacks and booming cybertheft, 2014 nearly finished without any meaningful reforms of U.S. cybersecurity policies. In a last-minute display of efficiency by a notoriously gridlocked Congress, however, a number of bills were passed in the final weeks of the year that contained key cybersecurity provisions—most importantly, the National Defense Authorization Act for Fiscal Year 2015 (NDAA).

Most of the legislation passed at the end of 2014 was narrowly focused on the structure of the federal government’s cyberdefenses. For instance, the National Cybersecurity Protection Act of 2014 codifies the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, which already existed. The Federal Information Security Modernization Act of 2014, on the other hand, primarily moves the federal government’s cybersecurity management under the Department of Homeland Security.

Buried within the NDAA, however, is a small but powerful provision (Section 1637) that allows the president to sanction foreign hackers known to have engaged in economic or industrial espionage in cyberspace. Under this expanded authority, the president can list people, companies, or organizations that fit the statute’s definition of cyber spies and ban them from sending or receiving payments through the U.S. financial system. The section is modeled after the Deter Cyber Theft Act of 2014 and draws in part from a recommendation made two years ago by the Commission on the Theft of American Intellectual Property (IP Commission).

Through the NDAA, Congress has finally given the administration an effective tool to respond to cyberattacks. Now instead of issuing indictments against foreign hackers that no one seriously believes will lead to prosecution, the president can impose financial sanctions. Banning attackers from the financial system provides one less avenue of support for their efforts. The administration should begin consistently exercising this authority to mitigate IP theft and cyberattacks. Consistent use of this new tool would incentivize foreign actors not to steal or use stolen U.S. intellectual property. Such a shift in the incentive structure within China and other countries was the goal of some members of the IP Commission from the start. What remains unknown is whether President Obama will actually use this newly expanded authority. On occasion, he has indicated that cybersecurity is a top priority. More often, however, it appears that cybersecurity has taken a back seat to other foreign policy objectives.

While Section 1637 of the NDAA is a step in the right direction, it is not a silver bullet. Many deficiencies still exist in U.S. cybersecurity law that will limit the effectiveness of sanctions authority. Private companies still fear liability for sharing threat data, even anonymously, with the federal government. The proposed Cyber Intelligence Sharing and Protection Act would have fixed this. But with Representative Mike Rogers retiring, it is unclear whether the bill will have a new champion. Another hurdle is that technical limitations make attribution of cyberattacks difficult. While companies may know that they have been hacked, it is usually impossible for them to identify the person or organization responsible. Without hackers’ names, how will the administration know whom to sanction? Finally, the immense breadth of the Computer Fraud and Abuse Act, the nation’s “anti-hacking” statute, shackles private actors from fully defending their own networks for fear of criminal liability. So while the NDAA may prove to be a useful tool, its power is constrained by legal, structural, and technical limitations that have yet to be addressed. Much work remains to be done to reduce the $300 billion per year cost of foreign theft to the U.S. economy.

What then should we look for in 2015? Watch if the president decides to use his new authority under the NDAA to sanction foreign hackers. Watch how foreign actors react to new sanctions under the NDAA or otherwise, such as the administration’s January sanctions against North Korean actors for their ties to the high-profile Sony hack. Watch if Congress passes legislation to help address some of the deeper issues of cyber insecurity.

2015 has potential. The year began with legislative momentum, the establishment of two new cybersecurity subcommittees in Congress, and sanctions by the president against North Korean actors for their role in cyberattacks. Stay tuned to see if policymakers are motivated to act on cyber legislation needed to create a healthier economy, stronger national security, and more reliable critical infrastructure.