Government’s Role in Information Security

Abstract

The intention of this article is to determine the role of the United States government in the information security. In the contemporary world, the risks associated with information technology have become a real problem for most organizations and governments across the world. The United States government, corporations, and people are also at risk, and thus there is a necessity to establish a strategy to protect all stakeholders from possible vulnerabilities. In fact, this paper endeavors to ascertain and analyze the policies enacted by the government and the responsible institutions or agencies.

In order to find the information on the role of government in information security, several laws and regulation that guide the legislative system on the issue were reviewed. Five legislations on cyber security passed by the Congress and enacted by the president have been utilized in this study. It also involves one executive order, which offered a regulatory framework on how to handle the issue of cyber security. In fact, this paper analyzes six sources, which have been used to compile the current role of the government in the information technology.

The analysis of the above sources has proved that the government has several positions on information security. First, it has the obligation to ensure that information is adequately shared among the private and public sectors to enhance safety through a common infrastructure. The government also has to create national cybersecurity strategy that protects present and future information. Other roles include raising awareness among society, ensuring qualified and resourceful cybersecurity workforce, and establishing federal agencies that are dedicated to the issues of cyber security among other important goals. The paper recommends for citizens and corporate entities to join the government in ensuring that it adequately executes its functions.

List of Keywords: Cybersecurity, Cyberattack, Venerability, Cybercrime, Critical Information, Threat, Cyberterrorism, Information Protection, and Cyberwar

Best Essay Writing Services

Need Custom Written Paper? We'll Write an essay from scratch according to your instructions

Plagiarism Free

Prices From Only $11.99/Page

Call now Order now Start chat

Introduction

In the contemporary world, information technology has become the order of the day for personal, corporate, and government operations. The introduction of these new technologies has lowered the cost and time, and increased efficiency and accuracy of most operations. Hence, institutions and people all over the United States have significantly incorporated the information technology system into their daily operations in order to ensure that disruptions in such system do not result in massive risks and loss. However, this innovation has its disadvantages, since individuals of ill intention have already started finding ways of intruding the information system. Cybercrime and cyberattacks have thus become legitimate threats in the country both for the private and public sectors (Titch, 2013). There is thus a need to guarantee that information security is maintained at optimal level in the country, to protect the people, corporate and government operations.

The government’s role in information security is a topic that analyses what the United States government has done to date in protecting its institutions and people from information attacks. Such incidents as hacking, information theft, and data breach have been regularly causing people to fear. For example in February 2013, there was a massive attack on Federal Reserve Bank, Bank of America, and American Express and the important information on the economic sector (Russian Today, 2013). Same year, another attack was directed at the New York Times and the Wall Street Journal news media. Such events caused different concern groups to raise questions on what the United States government was doing to eliminate this problem. This paper thus aims at outlining some of the functions that the US government has played in protecting its citizens, corporation and institutions from information attacks.

Current Government Role

In the United States, just like in many nations in the world, the issue of information security is still new. The government has not been able to define adequately the problems surrounding the information security, an issue that has resulted in numerous ineffective approaches toward the predicament. For example, words like cyber-attack, cyberterrorism, cybercrime, and cyber war have been used to identify the issue, and thus it is not simple to differentiate them and create a single law (Titch, 2013). However, despite all the misunderstandings, the government has still placed a few legislations to regulate possible risks. These new laws and regulations that have been created by the Congress and the executive department in the United States show the primary role of the government in information protection.

Computer Fraud and Abuse Act of 1986

Computer Fraud and Abuse Act (CFAA) aimed to reduce the rampant computer system cracking at that time, and set a framework on how the federal government was supposed to approach computer-related offenses (Jensen, 2013). CFAA is among the oldest laws that were passed by the Congress to enhance the information security in the United States. Despite it has been amended several times, the law still performs a significant role in the federal regulation of information system mostly in government, financial, and commerce sectors.

The first function of this legislation is to protect computers in the United States. It defines a computer as a tool used in government activities both federal and state, those employed in financial functions on the local and international level, and those used in domestic and international commerce (The United States, 1986). The definition of computer in this context also include PCs that are located outside the US but involved in fraud or abuse of US government, financial, or commerce information. The law thus gives the government the ability to protect all the information, which can sabotage the economy of the United States.

Under this act, fraud and abuse include such actions as accessing a computer and obtaining information on national security data and accessing information on financial records, financial institution, and reporting agencies data without authorization. The fraud and abuse also consist of getting variable economic information intentionally without the permission of the relevant body (The United States, 1986). The above areas of coverage thus give the federal government a significant role in protecting the financial, security, and economic information present in all computers in the United States.

Despite been the oldest form of law that enables the government to ensure the safety of the country’s information, this legislation has now been termed as ineffective. It was created when the efficient use of technology was not in place, and thus it failed to catch up with the technological development. First, this law has excessive prosecution discretion, which limits the ability to judge properly the offenders (Jensen, 2013). It also lacks the proper definition of the computer crimes, because currently it is hard to differentiate act of civil disobedience from cyber-crime. In fact, these flaws have led to the development of other legislations.

President Executive Order of 2013

On February 2013, President Obama issued an executive order 13636, which addressed the issue of cyber security. The order “Improving Critical Infrastructure Cybersecurity” aimed at increasing the country’s infrastructural capability of securing its information (Fischer et al. 2013). It established three principal roles in addressing the protection of the information in the United States. The three key positions include information sharing, privacy, and adoption of cybersecurity practices.

On the exchange of information, the executive order stated that it aimed at improving the transfer of information recognizing cybersecurity threats, attacks, vulnerabilities, prevention, and response across and within all the United States institution including the government. Those corporation and government organizations that are believed to have a critical role in cyber security were the focus of the government (House, 2013). The executive order also stated that the information sharing was to happen in a willful manner without the coercion of the government. This new policy had the primary focus of ensuring that all necessary infrastructure of cyber security was combined under the same framework to help public and private sectors improve critical information cyber security.

The executive order also provisioned privacy and liberty protections as outlined in the US constitution. Over the years, the primary concern on the American cyber security has been aimed at ensuring that information is shared across all sector without violating the right to privacy. However, his executive order introduced a brilliant idea, identifying that an exchange of information mostly by the private organizations was voluntarily. Despite the government reserved some rights to regulate sensitive sectors, most of the corporations were given the liberty to decide whether to share or to keep their information private (House, 2013). To enhance the exchange of information in a voluntary manner, the order requested National Institute of Standards and Technology (NIST) and other government agencies to develop a secure platform for the information that would protect individual institutions, and encourage the spread of cyber security techniques. The role of this section of the order was to encourage participation in secure information sharing without violating constitution.

Lastly, the executive order also promoted the adoption of cybersecurity practices within the government and private sector. For example, on the acquisition and contracting, the order stated that Secretary of Defense was obligated to make suggestions to the president on involving security standard during the abovementioned processes (Fischer et al. 2013). The Secretary of Homeland Security was also required to ensure that each agency had developed a workforce and programs that enhanced cyber security. High-risk critical infrastructure was also supposed to be identified by the government and private institution, and necessary policy was developed to protect information security.

Cybersecurity Enhancement Act of 2014

This law gives more legislative authority to the executive order outlined above. Its primary aspiration was to promote the ongoing voluntary public-private partnership, which enabled information sharing (Congress.gov, 2014a). It also added more government role to this partnership by suggesting an increase in research and development on cybersecurity and agency workforce development and education. The law also incorporated the role of public preparedness and awareness on information security.

The first purpose of this law on cyber security was to enhance the information sharing by amending the part of National Institute of Standards and Technology (NIST). Based on the executive order, this body was supposed to enhance independently and coordinate the voluntary sharing of information by assuring a secure platform. However, this act increased the role by allowing the Secretary of Commerce to serve via NIST in facilitating and supporting the development of a voluntary process (Hoar, 2014). The secretary was asked to ensure that such voluntary information sharing was consensus-based and industry-led with standards and procedures that were cost effective in reducing the cyber risk. This law also prohibits federal, state, or local governments from using the information shared at NIST to regulate the volunteering organization.

This act also introduced another role of the government in cyber security concerning research and development. It directed several agencies and institutions in the United States like National Aeronautics and Space Administration (NASA), Department of Commerce and Department of Defense (DOD) among other to develop and update a federal cybersecurity research and development strategic plan every four years (Congress.gov, 2014a). It also stated that such strategic plan was to be coordinated by the National Science and Technology Council.

Law also introduced another government role in information security of education and workforce development. It directed the Department of Commerce, National Science Foundation (NSF), and the Department of Homeland Security (DHS) to recruit individuals, who were competent to solve information technology security related issues and encourage innovation (Hoar, 2014). The legislation also requires the government to establish awareness and preparedness programs through NIST what will enlighten organizations and ordinary people on the need for cyber safety and on the ways to respond in case of an attack.

National Cybersecurity Protection Act of 2014

National Cybersecurity Protection Act (NCPA) is another law, which adds more weight to the ever-growing role of federal government in information security. The bill introduced two principal roles that ensured that federal information remained secure (Hoar, 2015). It directed on the codification of national cybersecurity center and created a federal agency data breach notification law.

On codification, NCPA suggested that the existing cybersecurity and communications operations center, which is found in the DHS, should be codified. The law thus directs the National Cybersecurity and Communications Integrity Center (NCCIC) to offer several services, including sharing information about cybersecurity risks and incidents, incident response to federal and non-federal entities, and providing technical assistance and risk management support (Hoar, 2015). This law also puts the obligation of observing the functioning of this codification under the Congress, where Secretary of the DHS is required to report on the success of the program for four consecutive years after the enactment.

Another role that this legislation played was the creation of federal agency data breach notification law. This new law requires agencies in the federal government to give information to individuals or institutions affected by data breach immediately without unnecessary delays after the discovery of the event (Congress.Gov, 2014b). However, delayed information is allowed in case national security is endangered and if such notification will disrupt a law enforcement investigation and hamper security remediation actions. NCPA also suggests that in case a federal agency was breached, then selected congressional communities should be notified within 30 days. Such notification is perceived to be necessary as it will help the affected individuals, organizations, institutions, or agencies react within the shortest time possible to prevent risk or loss.

The last role NCPA develops is national cyber incident response plan. This legislation directs different bodies and institutions, including federal, state, and local governments, agencies, and information sharing and analysis organizations to develop and maintain cyber incident response plans (Congress.Gov, 2014b). Such plan, based on NCPA, will address cybersecurity risks to critical infrastructure.

Cybersecurity Workforce Assessment Act of 2014

Cybersecurity Workforce Assessment Act (CWAA) was developed due to a further increase of the role of cybersecurity workforce, as outlined in National Cybersecurity Protection Act. It gives Department of Homeland Security (DHS) the obligation to develop a long-lasting workforce through constant evaluation and enhancement (Congress.Gov, 2014c). It directs that such assessment of the workforce shall be conducted every four years. The role of this Act is to ensure that DHS can confront any cyber security issues it encounters at any time.

The first requirement that the legislation places on the DHS is the development of a comprehensive working strategy. The strategy has an objective of enhancing the DHS readiness, capacity, training, recruitment, and retention of cybersecurity workforce. It will also ensure that DHS has an implementation plan that can last for five years, can forecast the cyber security needs for the next decade, and also has multi-phased recruitment plan (Congress.Gov, 2014c). Lastly, the comprehensive working strategy will promote the detection of hindrances impeding the recruitment and development of a DHS cybersecurity workforce and enhance the detection and filling of existing gaps among the employees.

CWAA also introduces the cyber security fellowship program. Under this program, the DHS is required to established course that will train its workforce on how to be equipped against any cyber-attack. The act also places the duty to educate those who are pursuing such courses within the government, making the DHS offer tuition payments for such individuals (Francis & Ginsberg, 2016). This law also extends the fellowship program to all the people perusing an undergraduate or postgraduate degree in the area of cyber security and those who have accepted to work with DHS after the graduation. The primary objective of this program as per CWAA is to ensure that the DHS has a ready and well-equipped workforce both from internal or external sources.

Cybersecurity Act of 2015

Cybersecurity Act of 2015 was initially referred as Cybersecurity Information Sharing Act (CISA) and had been debated in Congress for several years’ without success. The act was founded on the idea that cyber threat was a real risk equally to both the private and public sectors (Tran, 2016). It also observed that if any of these divisions is affected, then the country is at risk too. The role that it placed on the government was an increased obligation to coordinate and enable information sharing in the country.

One change that this act makes on the initial exchange of information role is the expansion of the channels of sharing. It authorized the president to allow the information to be shared via other institutions similar to DHS, unlike the old laws that only allowed NCCIC to handle such information. Under this new provision, the DHS is authorized to distribute the information on cyber threats that it has received through its portal to other security agencies or private sector (Congress.Gov, 2015). Opponents of the bill perceive this sharing of information as a violation of the right to privacy. However, the act took some actions and blocked the private exchange of information. The primary goal of such sharing is to ensure that all security agencies and important industries are aware of the imminent risk.

This law had spent several years in the Congress because the members were concerned that it was violating amendments of the United States Constitution, like the fourth amendment that gave all citizen the right to privacy. On the contrary, it established a partial voluntary framework, which did not obligate anyone to participate directly in information sharing or through the set standards and procedures (Shields, 2015). It also promised that no private sector would be held liable for information shared to the DHS portal. This act so far is the most compressive law that has given the government more mandate in enhancing information security through the great and coordinated information sharing.

You can ask us “write my research paper” on this or any other topic at Essay-Online-Shop.com. Don’t waste your time, order now!

Conclusion

In conclusion, the above analysis has outlined some of the functions that the US government performs to protect its citizens, corporations, and institutions from information threats. The topic of the study is important because the issue of information security is still new to the country, and continues to increase on a daily basis. It has been revealed that the roles of the government in protecting its people and institutions are defined by several laws that have been enacted on cyber security. Moreover, it is indicated that the government has the role to coordinate information, enhance security workforce, create awareness among people, protect computers with critical information, and develop cyber security strategies among other functions. The paper recommends for all individuals to adhere, accept, and help in these functions so the government can create an information security in America.