Politicians in the United States have met significant resistance in their efforts to craft effective cybersecurity legislation. While most officials realize the need for regulatory guidelines to address digital threats, disagreements over the role of government often present a challenge. One of the key issue centers around cybersecurity information sharing.
On one hand, many experts believe it is necessary for the U.S. government to design laws that would force companies to share information about cyber criminal activity. In return, the government would share some of its information. However, critics of this strategy believe information sharing should be voluntary and encouraged through incentives. As legislative failures in the U.S. have shown, it isn’t easy to reconcile these two views in one country. And the problem gets even more complex on the international level, according to recent AOL article.
The article highlighted comments from Major General David Neasmith, an Afghanistan veteran who now heads information management on the Canadian joint defense staff. Neasmith said that truly effective information sharing would have to be automated, so that cyber criminal activity is passed from computer to computer. However, setting up such a protocol to protect privacy between government entities and private businesses is not going to be easy.
NATO’s manual for cyberwarfare
Despite the struggle surrounding cybersecurity information sharing, NATO has made some progress in outlining guidelines for cyberwarfare. The draft of the Tallinn Manual is designed to provide guidelines for what cyber operations may constitute “use of force” between two nation states. Under most circumstances, use of force from one state against another is prohibited by international law. The manual does not dictate guidelines for responding to cyber criminal activity and is only designed to clarify acts of war.
For example, a cyberattack that does comparable damage to a physical use of force is also considered unlawful. However, attacks that only result in psychological effects, such as reduced morale, are not considered uses of force. In addition, the manual dictates that a victim of such an attack has the ability to defend itself, using force if necessary.
What role should government entities play in improving national cybersecurity? Should an international law be crafted that better defines cyber criminal activity?