As Covington kicks off Cybersecurity Awareness Month with a series of weekly articles, preventative tips, and Q&As developed by our cybersecurity practice professionals, it’s worth recollecting how much our cybersecurity landscape has changed over the last twenty-plus years, and how the law has responded to these evolving challenges.
Although the late 1990s saw the first denial-of-service attacks, and the “I Love You” worm and the Melissa virus damaged computers across the internet, cybercrimes were largely committed by small groups of young “hackers” more interested in learning how to use computers and navigate the internet than in causing serious economic damage. Of course, the government and the military were already grappling with more serious intrusions, but the potential benefits to society of global connectivity outweighed any potential long-term threats.
Over time, however, cybercrime became a source of revenue, and soon well-funded, international criminal conspiracies, supported by a robust online black market, were committing digital bank robbery, credit card fraud, and identity theft. Commercial entities increasingly were victimized by indirect means of monetizing information too, including through economic espionage, extortion, and insider trading.
Over this same period of time, criminal statutes, such as the Computer Fraud and Abuse Act and the Economic Espionage Act, were enacted to meet the challenges of new types of crimes. In addition, procedural laws, including the wiretap laws and the Electronic Communications Privacy Act, were supplemented to ensure the proper collection of digital evidence of online crimes, both old and new.
In more recent years we’ve seen a significant change in both the motives underlying malicious activity, and the severity of its impact. Information itself is becoming weaponized to embarrass owners, manipulate the public, and poison software applications. Perhaps more alarming is the growing trend toward destructive malware and digital attacks on physical infrastructures and systems. Significantly, such malicious acts are increasingly conducted by state agents and other organizations motivated by geo-political objectives.
In response, over the last year we have seen a tremendous growth in the number of regulations and standards focused on preventing threats to our critical infrastructures, including, for example, our energy grids, communications networks, and financial systems. As the threat landscape expands to include all manner of connected “things,” we can expect additional legislative and regulatory activity targeting public health and safety.
Ironically, despite the profound changes the Internet has brought to global commerce, education, and our society more generally, discourse about cybersecurity policy has remained relatively constant over time. The Internet of Things and Artificial Intelligence are driving the same discussions about balancing security and innovation, and about engendering consumer trust, that early adoption of ecommerce did twenty years ago. Recent debates between the government and the private sector over encryption are reminiscent of the Clipper Chip debate of the mid-1990s; and while governments wrestle with how best to re-craft rules to protect individual privacy, the collection and use of personal information grows exponentially. Finally, as the public sector continues to evangelize information sharing and incident reporting, the private sector recognizes the very real impact that a cybersecurity event still has on its reputation and bottom line.
As we explore current threats and how best to mitigate cybersecurity risks over the coming weeks, it’s worth bearing in mind two truisms that underpin the evolution of cybersecurity. First, as cybersecurity tools, public awareness, and legal regimes become ever more sophisticated, so do the malicious actors. Second, the best defenses continue to rest with the individual: from the most sophisticated actor to the routine fraudster, the easiest way to access a computer network is still by guessing a password or tricking a user.