In light of the recent tweet by Vermont Senator Patrick Leahy (@SenatorLeahy) about how Congress must work together to fight threats to our cybersecurity, and the recent testimony before the Senate Judiciary Committee by Associate Deputy Attorney General James Baker and Secret Service Deputy Special Agent in Charge Pablo Martinez, there may be some very interesting breakthroughs on the horizon with regard to maximum penalties for cybercrime. I’ve had the pleasure of working many of these cases in the past, and I feel that enhanced federal sentencing guidelines, with aggravating circumstances added to the Computer Fraud and Abuse Act (CFAA), could keep those found guilty from committing additional crimes. It could also deter those contemplating such crimes altogether.
This also brings up another topic, mentioned in a previous blog post, where Mikko Hypponen (@mikkohypponen) suggests a global legal framework for responding to and prosecuting cyber criminals who use the global nature of the internet and jurisdictional boundaries to thwart prosecution. I’m not implying that this isn’t happening now, because I know that it is, but there is an ever-growing need for US and international law enforcement agencies to work together to detect and investigate cybercrime.
There is also a huge onus on the corporate world to collaborate as well.
Considering that the US government is not the only entity in the crosshairs of cyber criminals, it’s critical for those being attacked to collaborate with those who can help. A “blip” on one company’s radar doesn’t become a trend (or a recognized problem) unless the other organizations being hit by the same group of cyber criminals report it too. Collaboration is key!
To complicate matters, in a large corporate (or government) entity where communication is poor between those defending, operating, and securing the network, it’s possible that you won’t even know you were hit by cyber criminals for up to a year. And when you do realize it, and the breach becomes public knowledge for regulatory or ethical reasons, stock prices could fall immediately. Sony and News Corp are two recent examples.
To complicate matters further, if your organization doesn’t have a proper policy for responding to cyber attacks, you could be in a terrible position and end up losing even more resources, dollars, time, and intellectual property.
I started going in a few directions in this blog post, so to sum things up:
- New legislation could impose harsher penalties on cyber criminals
- It’s important to see the “global,” “high level,” or “outside the box/company” perspective on past, current, and future cybercrime events
- Don’t wait for legislation to force you into a policy that requires reporting cyber attacks; implement one now
- If you fail to put an effective cyber attack response plan in place proactively, it could cost you a great deal of money, resources, and time in the very near future