This Is Why We Don’t Have Meaningful Cybersecurity Legislation Yet

Maksim Kabakou/Shutterstock.com

The issue of governing the multidimensional virtual world is rather complex.

Dr. Vincent Berk is CEO of network security company FlowTraq.

We recently saw the House pass three cybersecurity bills aimed at building out and regulating critical infrastructure protection. These bills now move on to the Senate for a vote, and many are wondering how they will fare. Meanwhile, we’re also seeing the Cybersecurity Information Security Management Act face obstacles like a potential White House veto.

This raises the question: Why is it so difficult for governments to establish proper legislation about security and privacy? 

It’s important to consider how rules and regulations are created for the physical world around us. Physical laws are created for a particular territory, like a town or country. This is an iterative process: it has taken us over 300 years to establish the set of laws by which we live today.

The issue of governing the multidimensional virtual world is rather complex, as it is not easy to define the territory.

Territory boundaries in the cyber realm are naturally based on the boundaries of the large networks on which citizens interact daily – making purchases, doing taxes, renewing insurance, communicating with friends and family – all online. These boundaries generally do not line up with state lines or country borders.

Governments have only been working to establish laws for the cyber realm in the past five to 10 years, which means they are not very experienced yet, and there’s a lot more work to be done. The starting point here should be to identify the parameters of the situation. 

Defining Territories in Cyber

Defining territories or boundaries on the Internet is incredibly difficult because the laws of physics don’t apply. Because virtually everything on the Internet is fully connected, the physical barriers that keep individuals separated – such as rivers, oceans or mountain ranges – do not apply.

For example, it’s illegal in the U.S. to hack into servers and steal information. However, it’s fairly easy to use a server in another country where there is no such law, and remotely connect to hack into a U.S. system. This complicates the idea of geographic borders that traditionally give boundaries to the law.

Perhaps the most logical boundaries for the cyber realm are the boundaries of large networks, or “autonomous systems.” A large corporation will have thousands of computers in its network and has the power to create a set of laws by which computers within that network are bound. Anything physically connected by a wire into that network, or connected through a Virtual Private Network, is bound by that law. If laws are broken, users can be evicted.

Large networks will spread across many physical jurisdictions, and often multiple countries, which can make laws created at a state or national level difficult to enforce. Therefore, and most important, we must decide who has the mandate to create laws by which Internet-connected users are governed.

Often, this will depend on the type of infraction. For instance, murder happens to be illegal across the globe; however, some countries require the use of motorcycle helmets and others don’t. So it stands to reason that we should work toward unity among all large network and Internet providers for the worst of Internet crime (such as data theft and denial of service), and allow local differences in law for minor offenses.

How to Prosecute Cyber Law?

After territory lines are drawn and laws are created, the next dilemma is finding ways to prosecute that law when it’s broken. To punish an offending individual and place him or her in physical jail, we must recognize that cyber laws cannot simply be governed by large network operators. Rather, for such offenses, authorities must find ways to effectively and accurately identify the criminal and prove guilt through the collection and presentation of digital evidence, which will require crossing international boundaries.

Determining which government agency or court has the authority to administer justice in a particular matter depends on the type of case, the grade of the offense and the level of government involved. For example, the criminal system has municipal police, county sheriffs, state police and federal agencies like the FBI and DEA enforcing laws passed by the governing bodies at the corresponding levels. To pass a cyber law, the federal government must work internationally to decide who is ultimately responsible for prosecuting cyber law per offense.

Cyber Law: It’s Only the Beginning

The fact that cyber bills are circulating in Congress is promising, but there is still a lot of work to be done. While much of the conversation today focuses on cybersecurity versus privacy, it’s important to identify the legal processes involved in the development and prosecution of cyber legislation. We are only just beginning to scratch the surface of defining cyber laws, where they are applicable and who is responsible for prosecuting these laws.

As we continue high-level conversations about the role of government agencies in various cyber defense processes, we must keep in mind these key principles unique to the cyber realm to create cyber laws that are truly effective and sustainable over time.
