Cybersecurity Laws – A Complete Overview
Over the past two decades, technological advancement has increased at an exponential rate. As time passes, we continue to reap the benefits of technology while also increasing our reliance on it. Internet-based applications, drones, mobile applications, industrial automation, machine learning applications, and other technologies have altered our way of life significantly. However, there are significant dangers associated with these technologies. As a result, our governments have passed legislation about cybersecurity.
The Scale of the cyber threat
The United States government spends approximately 19 billion dollars per year on cybersecurity, according to the Congressional Budget Office. Cyber-attacks, on the other hand, continue to grow at an alarming rate year after year.
Generally speaking, there are three main threats that cybersecurity efforts try to mitigate:
Cybercrime is defined as any act committed alone or in collaboration with others to target computer systems to gain financial gain or cause disruption.
Cyber-attacks are frequently used to gather information with a political motivation.
Cyber-terrorists: are individuals who seek to cause panic or fear by interfering with electronic systems.
With this in mind, cybersecurity legislation is intended to protect individuals and organisations from cyber-attacks. Because virtually all organisations today have an online component, cybersecurity laws apply to virtually every business today.
What do cybersecurity laws cover?
Cybersecurity laws and regulations are typically written to address the most common issues that arise as a result of cyber threats. These issues include a concentration on criminal activity, corporate governance, insurance issues, and the jurisdiction of law enforcement agencies.
Cybersecurity Laws of the Past
Before the twenty-first century, cybersecurity legislation did not carry much weight. There were fewer consequences back then for the type of cybercrime being committed than there are today. The laws in effect at the time were comparable to those governing copyright protection or software piracy today.
However, the threat has increased, with much more severe cyber-crimes becoming the norm. These offences range from the distribution of ransomware to the commission of treason. Now is the time for serious action to be taken to counter and deter such crimes. Increased legislative action has resulted as a result of the growing threat.
Current Cybersecurity Laws
To deter such behaviour, authorities have imposed fines of up to $5 million as well as lengthy prison sentences. Given the potential harm that hackers can cause, the establishment of such penalties for cybercrime may be insufficient.
Before 2015, the federal government of the United States was completely unaware of several attempted data breaches involving private institutions and businesses. This all changed with the passage of the Cybersecurity Act of 2015. After several failed attempts, Congress finally passed legislation that allowed businesses in the United States to share personal information related to cybersecurity with the authorities. The government may be able to use this information as evidence in criminal prosecutions.
Difficulty in Prosecution
In the past, cybercrimes were difficult to prosecute for a variety of reasons, including the following:
One of the reasons prosecutors were having difficulty was because of a lack of jurisdiction. Many times, the person who committed the crime was not within the country’s borders or the legal jurisdiction of the court system. This is why the United States is concentrating its efforts on the international stage and on establishing allies in cyberspace.
Many cybercrimes go unreported for a variety of reasons.
The vast majority of cyber-crimes do not result in prosecution because the perpetrators do not report the crime to the appropriate authority. The negative impact and loss of trust that would result from not disclosing breaches have deterred small, medium, and even large organisations from disclosing breaches.
The collection of evidence proved to be extremely difficult.
In recent years, there has been a significant advancement in the field of digital forensics. To identify and preserve evidence that can be used to prosecute cyber-criminals, best practices, and strict processes have been developed. It was, however, difficult to prosecute cyber-criminals in the not-too-distant past because few people possessed the specialized knowledge required to gather and preserve the evidence.
Cyber-criminals employ sophisticated techniques to conceal their identities.
Hackers can operate with a certain degree of anonymity thanks to the use of Tor and virtual private networks (VPNs). In addition to this, hackers put in a lot of effort to hide their tracks. Cyber-criminals are at the forefront of technological advancement, and they are constantly striving to make themselves more difficult to identify, track, and apprehend.
What sorts of activities are criminalized by law?
- Cybersecurity laws and regulations have an impact on the types of crimes that are committed in the various industries where they are committed. Federal law and county law are two examples of these sectors.
- The following are examples of activities that are prohibited by cybersecurity legislation:
- Computer hacking is a crime that occurs on a computer network.
- Economic espionage is defined as
- Corporate espionage is a serious offence.
- Theft of one’s identity
- Breaking into computer systems, gaining access to unauthorised data, and modifying or deleting the data are all examples of cybercrime.
- Obtaining confidential information without permission Unauthorized publication or use of information
- Criminal infringement of copyright \sSpreading of fake news
- Child sexual exploitation is a serious problem.
- Attempting to deface internet websites
- Increased volumes of irrelevant internet traffic are flooding websites, making them
- unavailable to the actual users who are supposed to be viewing them.
- A wide range of other crimes committed over the internet has been criminalized under the various categories of the law as well.
Ways in which cybersecurity laws are enforced
Sector-specific initiatives, general regulatory frameworks, and private sector participation are all used to combat cybersecurity in the United States. There are several different methods for implementing cybersecurity standards at the national or federal level.
The Health Insurance Portability and Accountability Act (HIPAA) is one of the most important federal cybersecurity laws in the United States (1996)
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton in 1996.
Major US Federal Cybersecurity Laws
Before the implementation of HIPAA, there was no standard method for safeguarding the protected personal information (PPI) that organizations in the healthcare industry kept on their employees and patients. There were no best practices in place for information security. One of the reasons why there were no cybersecurity standards in the healthcare industry was that health records were traditionally stored on paper, rather than electronic media.
Just before the implementation of HIPAA, the healthcare industry was frantically attempting to transition away from paper records to become more efficient. The need to become more efficient prompted the requirement for quick access to and transfer of patient information from one system to another.
Because there was a pressing need to transition to electronic healthcare records, a slew of businesses were established to capitalise on the situation and profit from it. Security was a last-minute consideration for the majority of these businesses. The government recognised the need for legislation as soon as it became aware of the necessity to enforce security requirements.
The HIPAA’s key objectives are as follows:
- Modernize the methods for storing and processing health-related information.
- Ensure that hospitals, insurance firms, and other health-related organisations provide proper protection for sensitive personal information.
- Address the limitations of health insurance coverage.
- The Gramm-Leach-Bliley Act (GLBA) was passed in 1999. (1999)
- In 1999, President Bill Clinton signed the Gramm-Leach-Bliley Act into law. The Financial Services Modernization Act of 1999 is another name for this piece of legislation.
- The most significant accomplishment of the GLBA was the removal of a piece of antiquated legislation from 1933. The Glass–Steagall Act was enacted in 1933 and was named after the founder of the financial institution. The Glass–Steagall Act prohibited banks, securities firms, and insurance companies from conducting joint business in these industries. In addition, a bank was not permitted to sell insurance or securities.
- In addition to the requirements outlined above, the GLBA requires financial institutions to disclose how they retain and secure the personal information of their customers. Safeguard Rules were established by the GLBA and must be adhered to. Specifically, these safeguard regulations are defined in the legislation. The safeguard rules include, among other things, the following:
- Employees who will have access to client information should be subjected to background checks.
- New employees must sign a confidentiality agreement.
- Access to private information should be restricted to those who have a “Need to Know.”
Make use of strong passwords that are changed regularly.
- Set a time limit on how long computers screens should be idle before they must be locked.
- Security policies for devices and data encryption should be implemented.
- Employees should get initial and recurrent security training, and they should be reminded of the policy consistently.
- Create policies to ensure the security of remote workers.
- Create regulations that will allow you to pursue security infractions through disciplinary action.
- Prepare to safeguard data at rest and data in transit by taking the following measures.
- Also, restrict who has access to this information.
Information should be disposed of away safely.
- The Homeland Security Act of 2002 (2002)
- During George W. Bush’s administration, the Homeland Security Act was signed into law.
- The Federal Information Security Management Act was included in this legislation (FISMA).
Following a series of terrorist attacks in the United States, the United States passed the Homeland Security Act. Terrorist acts such as the World Trade Center bombing and the mailing of anthrax spores to some news organisations and government leaders are examples of such acts.
The Department of Homeland Security was founded under the Homeland Security Act (DHS). In addition to this, the act had additional objectives, such as the establishment of FISMA cybersecurity laws. The Federal Information Security Management Act (FISMA) involved the implementation of the National Institute of Standards and Technology (NIST). The National Institute of Standards and Technology (NIST) was given the responsibility of producing standards, guidelines, and techniques for cybersecurity measures.
The National Institute of Standards and Technology (NIST) offers nine steps to achieving compliance with the Federal Information Security Management Act:
- Organize the information that needs to be safeguarded into categories.
- Choose the bare minimum of baseline controls.
- Using a risk assessment approach, fine-tune your controls.
- The controls should be documented in the system security plan.
- Implement security controls for information systems that are not appropriate.
- After the security controls have been implemented, they should be evaluated for efficacy.
- Determine the level of risk that the mission or business case faces at the agency level.
- Permit the information system to begin processing.
- Keep an eye on the security settings at all times.
- Are These Laws Enough to Protect Us?
- The three regulations listed above involve requirements for healthcare organizations, financial institutions, and federal authorities, among other things. However, many other industries do not have cybersecurity legislation that applies to them.
- Some believe that greater government intervention is not required and that the current level of government intervention is sufficient. Keeping data and sensitive information secure is in the best interests of any company. The significance of this initiative is so great that businesses and organizations are investing large sums of money in it.
Others believe that it is the role of the government to defend its citizens. To fulfill this role, laws must be enacted and enforced to ensure that the citizens’ rights are respected.
Data breaches and successful assaults on corporations continue to occur despite the best efforts of enterprises to maintain compliance with applicable laws, regulations, and best practices. Even nevertheless, the existence of effective legislation can undoubtedly aid in the achievement of the goal of data security.