Prof. Fred Cate, law, Indiana University, stressed the need to amend cybersecurity laws at a lecture Wednesday.
Cate is a founding director of the IU Center for Applied Cybersecurity Research and a member of the U.S. Department of Homeland Security’s Data Privacy and Integrity Committee.
Because technological shortcomings are in large part not the source of U.S. cybersecurity problems, Cate argued that solutions to insecurity can be found instead in legal and organizational reform.
“[Cyber security] is increasingly proving to be much more associated with the challenges of individual and organizational behavior with legal and economic incentives and not with technology,” Cate said.
Cate provided several examples of high-profile cases in which cybersecurity played an important role.
He referenced the 2015 breach of the U.S. Office of Personnel Management, which had “21.5 million background security check files containing some of the most sensitive information you could imagine in a personnel record. If ever there was a crown jewel that you were going to protect it would be these files and we lost all of them.”
These attacks are often a result of “human failure,” according to Cate.
“In most of the large cyber attacks of the past three or four years, in all but maybe two or three, they started with a phishing message,” he said. “They started with a social engineering attack.”
Cate cited a general lack of concern among many political and business leaders as one reason for shortcomings in cybersecurity. Surveys have shown that a sizable number of people in many government bureaus view cybersecurity as “unimportant.”
“The reason we have this crisis is because of our inability to motivate institutions to do the sensible things they need to do,” he said. “Some large minority of us don’t seem to think it matters.”
However, Cate acknowledged that the cybersecurity issues facing the United States, and the world as a whole, do not have a simple solution.
“We are suffering many market failures here, often because the costs are felt by somebody other than the party that has the ability to take some preventative action,” he said.
Where responsibility for a cybersecurity breach lies is not always clear, because a breach can often occur years after a product is created, in a way that could not have been foreseen at the time of its creation, according to Cate. The government is also often not well equipped to deal with cybersecurity issues.
“The nation’s highest cybersecurity official is the cybersecurity coordinator in the White House, an individual with no budgetary or operational authority, no authority to make any government agency do anything,” he said.
To complicate matters further, Cate said cyber attacks are almost never isolated to one state.
“Only the defenders act nationally, the attackers act globally,” he said. “Cybersecurity is an international challenge that totally ignores national political boundaries.”
Even if there were a way for countries to come together and create laws regulating cybersecurity, Cate argued that many nations would not be particularly interested.
“Countries do not want to sign onto an accord that limits their ability to take advantage of cyber vulnerabilities,” he explained.
The lecture, “Cybersecurity and the Role of Law,” was part of International Education Week at Cornell, presented by the Einaudi Center.