The Government's Strategy to Combat the "Cyber Arms Race"

20 February 2015 Manufacturing Industry Advisor Blog

In the midst of ongoing, escalating and increasingly troublesome reports of large-scale corporate cyber breaches, the federal government is trying to fight back more forcefully with a dual strategy to shore up agency capability and exchange information with industry in a “shared mission.” Recently, it added five newly enacted cybersecurity laws to its arsenal – or mitigation squad. Their purported goal: to improve the government’s capability to thwart and limit future attacks. The laws generally seek to:

  • Streamline internal agency procedures and implement new strategies,
  • Fill important cyber vacancies at the Department of Homeland Security and improve the effectiveness of its cyber-dedicated personnel, and
  • Promote industry standards and best practices in a fast-evolving cyber world.*

This latest round of legislative tweaks, however, is but one component of a more comprehensive approach that includes executive action and solicits industry participation – and disclosure.

In the Cybersecurity Summit that the White House convened at Stanford University last Friday, President Obama acknowledged the government’s inability by itself to combat cybercrime in a quickly escalating “cyber arms race.” That critical infrastructure and so many computer networks reside in the private sector – outside of government – was the reason given for the necessity of a proposed private-public sector partnership. While recognizing the ingenuity of many American companies, he asserted that they often lacked the means to fend off a cyberattack, the “situational awareness” or the ability to immediately warn other companies and coordinate a defense with other companies or within the same industry. By contrast, government was portrayed as more often receiving the most current information on impending harm – warnings that could be rendered more effective with relevant information from companies or sectors. (Last week a new monitoring collaboration was announced: DHS would house a center where designated government and business delegates monitor cyber threats around the clock.)

The bottom line Administration strategy: to enlist the help and cooperation of the private sector in joining the government on a “shared mission” and “share appropriate information as true partners.” To further that goal, President Obama signed an executive order to facilitate the government’s release of classified information about cyber threats to companies and promote the sharing of information between companies and industries through organizational hubs. For example, a company’s recognition of a particular malware or a suspicious virus and subsequent warning could thwart a large-scale cyberattack. Formulating a common set of standards that encompasses safeguarding privacy and civil liberties was a component of the order. Participation in the program will be voluntary, however.

The proposed joint venture of government and business continues, however, to highlight the tension – and, in many corporate circles, the mistrust – of the government to honor company privacy rights and individual personal information. President Obama acknowledged the inherent tension and the difficult process of finding a way to uphold individual liberties and privacy while safeguarding national security interests in its quest to beat back cyber threats. In an effort to assuage those concerns, he said that it was not appropriate or even possible for the government to secure computer networks of private business. Other protective measures proposed:

  • A national standard to alert victims of stolen information within 30 days,
  • Creation of a Consumer Privacy Bill of Rights to disclose what personal data companies collect and how they use the information, and
  • A Student Digital Privacy Act to protect the objective of educational technologies – to teach rather than collect and use data to sell goods and services to students irrespective of their education.

In this “wild, wild West” of the cyber world, a torrent of catch-up initiatives recently has been taking hold and new measures will continue to be proposed. Ongoing and new overtures by the federal government for cooperation and openness in the private sector will be made with increasing urgency. And along with the objectives of protecting national security, U.S. citizens, personal information and corporate commercial assets – in finance, manufacturing and health care, among other industries – will be the heightened challenge of doing so while protecting individual liberties and the right to keep one’s own personal information private from both hackers and the government, even when the reasons are well-intended.

* The individual cyber laws and legislative proposals will be discussed in greater detail in subsequent postings.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only.