By Vaughan Meyer, Master's Candidate at Georgetown University's Walsh School of Foreign Service

 In the past year, attacks on companies like Sony Pictures and Target captured attention and alerted the public to the extent of the United States' cyber-vulnerability, and cybersecurity rose to primacy in social and political debate. The US government has responded with legislation and policy proposals, but some advocates say these efforts do not go far enough to address this problem’s complexity. However the debate unfolds, cybersecurity will only grow in importance as the economy and the world population become increasingly connected.

 According to the New York Times article “Reinventing the Internet to Make It Safer,” the Internet was not built as a secure system. This did not arise from the founders’ negligence, but rather because there was no predicting the role the Internet would play just a few decades after its formation. It started as a means for its small group of creators to share data with each other, but then blossomed into a global technology filled with social security numbers, bank account information, and private messages. Security measures like passwords act as a drywall patch for some of the structure’s inherent weaknesses, covering up the holes, but not reinforcing the walls and doors. Such vulnerabilities leave openings for attacks on personal, corporate, and government systems.

 Recently, corporate attacks have received the most attention. Beyond the infamous Sony hack, the past twelve months have seen breaches of major health care companies like Premera Blue Cross, financial mega-firms like J.P. Morgan Chase, and retail giants like Home Depot. Breaches like these sometimes focus on the theft of clients’ medical data, personal identifiers, and credit card information. Other times they focus on obtaining intellectual property, such as proprietary research, product development schedules, and advanced technical information.  The cumulative effect of these breaches makes cyber espionage, according to former NSA Director General Keith Alexander, “the greatest transfer of wealth in history.”

 Cybercrime also goes beyond the economic and poses threats to security, as evidenced by attacks on the US government and its extended security apparatus. Boeing has experienced cyber theft of intellectual property related to its defense activities, and government bodies, including the Department of Energy and the Army Corps of Engineers, have been hit by a number of cyber incidents. Cyberattacks like these can erode America’s comparative advantage in high-tech security innovations, lead to the release of sensitive information, and compromise the government systems undergirding daily American life.

 Though Americans better understand the need for cybersecurity, the means for obtaining it remain elusive. One of the biggest difficulties lies in attribution: tracing a cyber-incident to its source and determining who is responsible. That “who” could be a foreign government, a social or political organization, or even a few loosely organized individuals. Another major problem is governance: it is unclear who manages what sectors of the internet, what different players’ responsibilities are, and who to turn to for protection and redress. In addition, organizations may not want to reveal the extent of cyber incidents they experience or how deeply these incidents may have penetrated their systems. While understandable, this reticence can obstruct information sharing and assessment of cyber incidents and their patterns. This obstruction, in turn, can hamper future detection and prevention of cyber incidents aimed at the organization and others like it.

 The growing concerns surrounding cybersecurity have led to a few proposed remedies. In 2011, President Obama first issued a Cybersecurity Legislative Proposal and then issued a renewed Proposal in early 2015. These Proposals promote information sharing between stakeholders, facilitation of cybercrime reporting, and shoring up critical infrastructure.  The US Congress has also taken up the issue. Some outside groups have criticized these proposals and the government’s response to cybersecurity more generally as insufficient, lacking detail, and worrisome in their potential treatment of personal data. Consensus has yet to be reached and may prove difficult to achieve given the nascence of the field.

However this government activity unfolds, cybersecurity will grow in the coming years. The events of the past year have only started to peel back the curtain on the extent of cyber vulnerability and the damage cyber incidents can cause. Yet even this burgeoning awareness has led to growth. For instance, an Exchange-Traded Fund (ETF) focused on the cybersecurity industry called HACK has grown 14% in the few months since it was formed in November 2014. The political debate in the US continues to expand, and the public advances in its knowledge of and concern for these issues. More firms are focusing on cybersecurity, and specialists in the field have greater and greater sway. It is a disconcerting and exciting arena, and will shape how, and how securely, we communicate, transact, and connect in the future.