Cracking Down on Cybercrime: A Policy Brief on Improving Government Cybersecurity
One of the largest issues regarding the security of the United States today is the rise of cyber-attacks on the American government’s infrastructure. Ever since the start of the 21st century, the United States has been one of many governments that fall victim to thousands of cyber-attacks on a near-daily basis. While most attempts to take down such hacker groups are successful, the attacks with successful interception come with a plethora of negative effects. In recent years, cyber-attacks have put thousands, if not millions, of citizens of the United States at risk of their lives being negatively affected by the corruptive decisions executed by hackers. For instance, the Colonial Pipeline Ransomware Incident of 2021 led to the company paying hacker group Darkside a total of $4.4 million in ransom (Wood, 2023). While the Department of Justice was able to recover $2.3 million of the ransom, or roughly 52%, that money was safe due to a cryptocurrency processing error, meaning that the money would have disappeared without a trace if Darkside had not run into such an error (Romo, 2021). Apart from the monetary loss of the cyber-attack, the Colonial Pipeline is one of the largest refined oil and jet fuel distributors in the United States, responsible for roughly half of all the gas distributed on the East Coast, providing gas to fifty million Americans (Blount, 2021, p. 1). While there have been cyber-attacks that have stolen much more money than $4.4 million, this one was an attack on American infrastructure that directly affected the American population. From Texas all the way to New York, people faced shortages of gas that could have been easily prevented if the United States’ critical infrastructure were designed to combat cyber-attacks and security flaws.
With the rise of cyber-attacks that have damaged and interrupted the current government infrastructure, it is crucial now more than ever to find a solution to our current cybersecurity situation before it turns into a fiasco. While the Colonial Pipeline Attack is one of the more recent attacks on American infrastructure specifically, this trend is not solely a federal issue, but an international one as well. Throughout 2021, hackers in North Korea stole some of the largest sums of cryptocurrency internationally, racking up $400 million in stolen cryptocurrency, with Chainalysis, a popular company known for analyzing cryptocurrency transactions through the blockchain, claiming that 2021 was one of the best years for North Korean hackers (BBC Editorial, 2022). While these attacks were not directly on the American government (most of them were on company headquarters located in the United States), the government infrastructure is notorious for its flimsy guidelines and their reinforcement, so it is only a matter of time before attacks like the North Korea crypto robberies take much more from the American government than $5 million.
What also makes this situation urgent is the deaths that occurred due to certain cyber-attacks. In 2022, the international stage saw a rise in cyber-attacks on hospitals around the world, with a study conducted by the CyberPeace Institute claiming that “the average cyberattack on a health care system leads to 19 days of patients unable to receive some form of care” (Miller, 2022). These hacks on healthcare systems led to disruptions across the health field, ranging from patient file corruption to interruptions in critical health tests, with one such case in 2020 leading to the death of an Alabama baby after a cyber-attack interrupted critical pre-birth testing, which prevented doctors from pointing out the umbilical cord was wrapped around the child’s neck (Miller, 2022). Furthermore, a 2016 IBM Index showed that health care is the sector that falls victim to the most cyber-attacks, mainly due to how much personal information can be stolen and sold online, making it an easy cash grab for hackers (Heritage Editorial, 2018).
Situations like these could become increasingly common in the United States if future policies continue to ignore this issue that has an overbearing grip on U.S. government infrastructure. In a policy study conducted by the Heritage Foundation, recent reports found that all cyber-attacks cost the global economy $2.1 trillion by 2019, roughly four times as much as the total was in 2015 (Heritage Editorial, 2018). If the United States wishes to put an end to this frequently exploited scenario, it is in the best interest of its government and its sectors to look for solutions. Congress has worked to get more government funding to IT and cybersecurity, with their fiscal budget for 2023 offering nearly $65 billion in government funding to information technology and $10.9 billion for civilian cybersecurity, an 11% increase from the 2022 budget (White House, 2022, pp. 233). However, the public will not see any major changes to these sectors until later in the year, making the current funding useless until it is properly distributed and it is decided what exactly the money will cover in each sector.
In addition to the long wait American citizens may have to face until these funds are put into effect, there are other factors to consider when determining cyber-attacks. For one, should the location of these hackers and government involvement influence how the United States and its government organizations handle the threat? In the case of the North Korean crypto robberies, the US government believes that the hacker group, the Lazarus Group, works directly for North Korea’s intelligence branch, the Reconnaissance General Bureau (BBC Editorial, 2022). It is also important to recognize what issues led to previous hacking incidents. While the United States government cannot entirely predict what the future of hacking will bring to the table, it is critical that the US relies on past incidents for future protection. If the government fails to do so, then every citizen of the United States that has been electronically documented is at risk of hack attacks that could strike any minute, which could lead to identity theft, server failure, missing electronic information, server corruption, and money down the drain.
At this moment, the United States is not in the best position in terms of cybersecurity, as shown by the examples mentioned previously. Luckily, there might be a way for the United States government to avoid such a drastic and depressing outcome from these cyber-attacks. Throughout the past couple of months of writing up this public policy, I have brought along three different solutions that could, at the least, minimize the severity and/or the frequency of these cyber-attacks. Hopefully, if at least one of these policies is taken into consideration, the United States government should see a downward trend in successful cyber-attacks, keeping the country safe on federal, state, and local levels.
Public Policy Option 1: U.S. Influences on the Private Sector
One solution, proposed by the Heritage Foundation, which could solve the cyber-attack problem is for the United States government to influence the private sector to invest money into cybersecurity advancements (Heritage Editorial, 2018). Unlike the other two public policies that follow, this is the only one where the government does not directly force another entity to comply with the United States’ standards. In short, the United States government should offer tax incentives or other economic benefits to organizations in the private sector in hopes that the private sector adapts its current policies to receive those tax incentives. The result of these incentives, in theory, should lead to more cybersecurity measures implemented by the private sector, allowing the government to avoid tensions with foreign entities or corporations.
But this proposal has its issues. While tax cuts always sound like a great idea, these cuts would only be available to companies and the wealthy, leaving those that do not fit into the requirements at a massive financial disadvantage. In fact, this policy is a bit counterintuitive, for it would add to the wealth gap between the wealthy and the middle and lower classes, contributing to another problem that the American public already faces (Georgescu, 2017). Before this policy is ever used, it should be noted that the effectiveness of this policy heavily depends on whether the American people would be willing to sacrifice economic equality for the possibility of advanced cybersecurity measures for electronically stored information. While this consequence may be better than the other alternatives’ consequences if such policies were implemented, it is still worth mentioning since it is a longstanding issue between the U.S. government and its people.
Public Policy Option 2: Demand Immediate Government Notification, Intervention of Attack
Unlike policies one or three, this policy does not rely on the art of influencing another entity or government, but rather on demanding entire executive control of a company or sector when a cyber-attack does occur. One of the largest criticisms regarding the Colonial Pipeline Ransomware Attack is the company’s sluggish reaction to the hack, with the attack happening on May 6, 2021, the FBI confirming the attack on May 10, and restoring the system by the end of the day (Gianna, 2021). Under this public policy, the FBI and other federal agencies could demand temporary executive control to manage a national emergency via presidential powers. Theoretically, the government would enter, do its job until the emergency is over, and leave. The government could also fine the company in question if the hack is not reported within a certain time.
If this policy were utilized, it would allow federal agencies to manage the disaster as soon as possible, which would mean that the impact of the hack could be easily minimized. In the case of the Colonial Pipeline Ransomware Attack, the FBI did not obtain access to the infrastructure until well over 48 hours after the attack occurred (Gianna, 2021). In that same amount of time, the FBI was able to obtain access to the infrastructure, remove the ransomware, restore the infrastructure, and release instructions to other major sectors on how to tackle the cyber-attack if it were to happen again (Gianna, 2021). While most cybersecurity attacks are successfully managed and put to rest by the company, when situations like the pipeline incident start to affect the lives of the public, the government should and must step in to ensure the safety of the American government’s infrastructure.
But, just like any new policy, this one has negative consequences as well. For one, this is an extension of the president’s power, whose precedent would depend heavily on how each president chooses to utilize such a power. For instance, a president down the line could abuse this power to keep a company in line, which would lead to an argument as to whether such a power should be normalized. Such has happened before, as when the idea of judicial review was determined by the Madison v. Marbury case. One could argue that this is simply a test to see what parameters should be set for such a power, but the chance of guaranteeing that future leaders will stay within those parameters is slim. If such powers are abused too often, it could lead companies and organizations to relocate outside of the country, which would affect the economy of the United States. Again, this is a stretch, but most private companies can relocate if the company no longer wishes to deal with a controversial use of presidential powers.
Public Policy Option 3: Foreign Diplomatic Action
Lastly, the United States could place sanctions or embargos on entities that harm the United States’ infrastructure. Like policy one, this policy relies on influencing another entity into complying with a set of standards and expectations set by the American government. In theory, the United States would investigate a hacker group following a cyber-attack on a U.S. government entity or company. From there, the government could determine the hacker group, its whereabouts, and whether the country housing the group participates in or promotes the hacker group’s actions. Finally, the United States could either place sanctions on the country or company, place embargos on a country, or attempt to strike a treaty between government officials regarding cyber-attacks. This would lead to the government having the most control over other countries that decide to harm the United States and its infrastructure. Furthermore, working with other countries to create treaties regarding cybersecurity could lead to further action from the United Nations, which would greatly benefit those who are against cyber-attacks.
However, out of all three of the policy options, this one has the direst consequences if not used properly. While sanctions against other countries, especially those that are less powerful than the United States, would most likely sway governments to comply with the United States, it would be a massive overreach of power. Furthermore, the United States tends to only put embargos and economic sanctions in place if there is a threat of war, such as the embargos that the Truman administration put in place on Japan during World War II, or the rise of sanctions on the Middle East after 9/11. However, almost every single embargo is useless if the country being sanctioned or embargoed can find another country that will trade with them. In 1940s Japan’s case, Japan invaded and took over the Dutch East Indies, which led to Japan no longer requiring trade for oil from the United States. Another issue to consider is the possibility of another Cold War, especially since the Cold War led to a rise in factions between the western and eastern hemispheres.
There is also the chance that the FBI accuses the wrong hacker group of a cyber-attack, which could be devastating for the United States’ credibility on the international stage. While this scenario is not common, placing an embargo or an economic sanction on another country using an accusation could permanently damage relations between other countries. Regardless of its possibility, there is no guarantee that the government is 100% accurate, so such a case would have to be carefully observed.
Lastly, the effects of embargos could hurt the United States more than the country being embargoed. For instance, if the United States were to embargo trade with China, the United States would lose nearly 18% of its entire imports with China compared to China’s 8.6% of imports from the United States (Office of Technology Evaluation, 2022). In other words, the United States would be figuratively shooting itself in the foot if the government chose to place embargos.
Preferred Policy Option
After careful consideration between the three policy options, the best choice for the United States to go with is policy two. While it is not the safest option in terms of certainty, policy two offers the government an easy route into a cyber-attack, removing any need for federal agencies to get involved with another entity after the investigation. Furthermore, the federal government has more materials than the companies in question, meaning that the federal government is not going to need as much money, time, or resources to deal with the fiasco. While policy three does include the variable of international diplomacy into the equation, it is best for the United States to increase its defense rather than treaty its way out of cyber-attacks. In addition to the lack of defense, policy three would ensure that the United States is willing to end trade agreements with other countries, which might hurt the United States more than countries facilitating malicious hacker activity.
In terms of legislation, the President of the United States would be able to oversee the situation with powers he already possesses due to his position. For policy one, tax legislation would have to be altered for the incentives in question, which could lead to disagreements in the process. For policy three, embargoes, sanctions, and treaties would all require another government agency or branch to handle the situation. As an example, if the President were to sign a treaty with another world leader, the Senate would have to ratify the treaty with a two-thirds vote. Policy two ensures that the President would be able to work with other government agencies to terminate a cyber threat in a timely manner. While these three policy options have their flaws, I hope that my recommendations have helped with the future of how the United States government supervises companies during times of national emergencies. Thank you for your time and I hope my submission of these public policies ensures the betterment of the United States’ government infrastructure.
References
BBC Editorial. (2022, January 14). North Korea hackers stole $400m of cryptocurrency in 2021, report says. BBC News. Retrieved April 12, 2023, from https://www.bbc.com/news/business-59990477
Blount, J. (2021, June 8). Hearing before the United States Senate Committee on homeland security … Testimony Blount. Retrieved April 13, 2023, from https://www.hsgac.senate.gov/wp-content/uploads/imo/media/doc/Testimony-Blount-2021-06-08.pdf
Georgescu, P. (2017, June 29). Why the private sector must save America. Knowledge at Wharton. Retrieved April 12, 2023, from https://knowledge.wharton.upenn.edu/article/why-the-private-sector-must-save-america/
Gianna. (2021, May 19). Cybersecurity and Society. Scenario Colonial Pipeline Ransomware Attack. Retrieved April 13, 2023, from https://maui.hawaii.edu/wp-content/uploads/2022/07/Scenario-Colonial-Pipeline-Ransomware-Attack.pdf
Heritage Editorial. (2018, April 11). The Growing Threat of Cyberattacks. The Heritage Foundation. Retrieved April 12, 2023, from https://www.heritage.org/cybersecurity/heritage-explains/the-growing-threat-cyberattacks
Miller, M. (2022, December 28). The mounting death toll of hospital cyberattacks. POLITICO. Retrieved April 12, 2023, from https://www.politico.com/news/2022/12/28/cyberattacks-u-s-hospitals-00075638
Office of Technology Evaluation. (2022). 2021 U.S. trade with China - bis.doc.gov. Template - 2021 Statistical Analysis of U.S. Trade with China. Retrieved April 13, 2023, from https://www.bis.doc.gov/index.php/country-papers/2971-2021-statistical-analysis-of-u-s-trade-with-china/file
Romo, V. (2021, June 8). How a new team of Feds hacked the hackers and got Colonial Pipeline’s ransom back. NPR. Retrieved April 12, 2023, from https://www.npr.org/2021/06/08/1004223000/how-a-new-team-of-feds-hacked-the-hackers-and-got-colonial-pipelines-bitcoin-bac
White House. (2022, March 28). 16. Information Technology and cybersecurity funding - white house. Information Technology and Cybersecurity Funding. Retrieved April 13, 2023, from https://www.whitehouse.gov/wp-content/uploads/2022/03/ap_16_it_fy2023.pdf
Wood, K. (2023, March 7). Cybersecurity policy responses to the Colonial Pipeline Ransomware attack. Cybersecurity Policy Responses to the Colonial Pipeline Ransomware Attack | Georgetown Environmental Law Review | Georgetown Law. Retrieved April 12, 2023, from https://www.law.georgetown.edu/environmental-law-review/blog/cybersecurity-policy-responses-to-the-colonial-pipeline-ransomware-attack/