Abstract:
Cyber crime and cyber terrorism are of great concern domestically and internationally. The United
States, however, has been slow to adopt legislation regarding the rights and responsibilities of
protecting the country’s data. Rather than develop an overarching framework or become signatory to
international accords designed to deal with what is ultimately a transnational threat, law makers in the
US have been reluctant until very recently, within the last few years, to make a concentrated legislative
effort. Any previous work done on the issue was primarily concerned with publicly held institutions,
such as the Army or national infrastructure, largely for national security reasons. A critical gap has
remained and that has been first, how exactly the relationship is defined when public and private
interests meet, and then finally what is required legally of private institutions to protect their data.
There is a renewed effort on the part of the US congress to address these issues, and it appears to be
spearheaded by corporations and private industry. However, this is in direct contrast to their previous
strategy of obstinacy, attempting to scuttle any attempts at substantive legislation for fear that it would
be an “undue burden” and “stifle innovation”. This new tactic of appearing to be civically engaged is a
cynical ploy to insinuate themselves into the legislative process. Rather than being a case of law makers
consulting experts, paid lobbyists are shaping legislation. The resulting law shifts the burden of
protection of private data from the corporate to the public sphere, affording corporations with the
benefits but none of the associated risk.
Introduction:
Ever since that day, nothing has been the same. Who can forget where they were on
November 24, 2014 when they heard the news: the Seth Rogen/James Franco vehicle “The
Interview” wouldn’t be coming out. According to media outlets, the terrorists had won. At least
that was the case being made by the likes of David Auerbach and Slate magazine in their op-ed
piece, “The Sony Hackers Are Terrorists”. Auerbach made the case that while other companies
had experienced breaches and lost data, it was the first time an American company had been
assaulted by hackers who wanted to send a message to Sony. The effects were devastating
according to one insider:
Sony Pictures’ network subsequently went down
for two days, forcing employees to use personal e-mail
accounts, work from home, and in some cases, resort to
paper and pencil to do their work... “It’s just business as
usual, if the year was 2002,” one Sony TV staffer wrote to
me in a Facebook message. “[There are] lots of PAs having
to run jump-drives back and forth all over the place, and
hand delivering hard copies of files and scripts.” (Auerbach
2015)
Truly horrific. That Sony was able to recover from the attack is a testament to the resilience of
Sony management. To be fair, Sony did not pull “The Interview” from theaters because of a DoS
attack on their system, but rather because at some point after the initial breach was
discovered, The Guardians of Peace (the group responsible for the attack which was itself most
likely a front for North Korean elements) promised 9/11 style attacks on theaters should they
show the film (Auerbach 2015). It was only when theater chains themselves refused to play the
picture that Sony pulled the plug, thereafter being somewhat unjustly accused of capitulation
by critics who rushed to judgement before learning that a legitimate terror threat had been
made.
Hyperbole seems to be the trend in the post 9/11 world, where the line between what
constitutes actual terrorism and what constitutes a simple crime has become indistinct to the
point of non-existence. Conflating cybercrime with cyber terrorism has become a popular
rhetorical tool among politicians who, in the same breath, mention attacks on the US food
supply and its financial institutions, as if they are one and the same. An op-ed for the Huffington
Post, written by former North Dakota Senator Byron Dorgan, is a prime example of such a trend.
The Democratic Senator opened up the article about “cyber terrorism” by discussing the
infection of computers belonging to Aramco, a Saudi Arabian oil company, by possible Iranian
“terrorists” (Dorgan 2013). His second example was about hackers commandeering the
Associated Press’s Twitter account and erroneously reporting an explosion at the White House.
He made sure to mention the resulting stock market plunge of 143 points. Subsequently, he
switches back to the word “terrorist”, saying that “cyber terror is now the new language of war
that we barely understand” (Dorgan 2013). He goes on to say that across the country “the
government and private corporations” are working to protect us against cyberattacks (Dorgan
2013).
Not only does Dorgan confuse the term hacker and terrorist, he says we are protected
by the government, as well as corporations. It is possible he could mean private contractors
working in some sort of Federal agency, but the overwhelming sentiment is that he sees no
difference between a limited attack on a single corporate entity and a full-blown assault on the
national infrastructure. Martin Libicki, a senior management scientist for the RAND corporation,
doesn’t see it that way. “The difference between a costly annoyance,” Libicki writes “and terror
affected” (Libicki 2015). Because hacks like those that happened to Sony lack the ability to
create a “visceral sense of fear”, they cannot be called terrorism (Libicki 2015). That’s not to say
that American businesses are not tempting targets and aren’t in danger from, and should be
secured against, cybercrime, but unless criminals can precipitate an economy-wide crash on the
scale of the 2008 financial crisis, the idea of crimes against hedge funds being equivalent to
attacks on the country’s water supply is inaccurate and inappropriate.
So why is this relevant to a discussion about cyber security legislation? It’s important
because it provides the rhetorical framework for understanding the success of the current push
for cyber legislation. Without it, the reasoning behind such legislative momentum is nigh
incomprehensible. This paper asserts that because of the urgency lent to the issue by the
conflation of cybercrime and cyber terrorism, businesses are able to position themselves in
such a way that preserving their individual interests appears to be in the overall national
interest, and so they are given deference in the legislative process, shaping possible future laws
to their benefit. This is bad for the average citizen however, because it does little to protect the
rights of the individual, while conferring protections on corporations at public expense.
Literature Review:
The literature review for this paper involved a wide swath of topics. Although none of
the existing literature directly examines the idea of the current Congressional action as being
anomalous in the history of such legislation nor the idea of it as resulting from corporate
lobbying, there were many separate sources that looked at each issue separately. I, however,
chose to look at them in the larger context, not in a vacuum.
Collusion between Government and Business
The literature covering the general topic of government being used as an instrument of
corporations is long and storied. Obviously the biggest influence in that capacity would be Karl
Marx, but he hardly has a monopoly on the subject. “War is a Racket” was written by Smedley
Butler in 1912 and reveals how, in his capacity as military commander, he was instrumental in
securing interests of the Dole Fruit company in South America. For more up-to-date
information, I looked to several sources, one being the Journal of National Security Law and
Policy, in particular an article by Suzanne Landau, “Under the Radar: The NSA Efforts to Provide
Secure Private-Sector Communications Infrastructure”. Landau outlines the history of the NSA
since its inception in the late 1940’s, early 1950’s, where it often would, at the very least,
examine the communication infrastructure of private companies. This was often done in order
to provide them with an advantage in competing in international markets (Landau 2012).
Although that was not part of the NSA’s mandate, it was an early example of the government
using national resources for private benefit.
A paper by Dr. Kamlesh Bajaj, an official in the Indian government, provided key insight
into the US’s history of providing its companies with a comparative advantage in the
international market by using resources earmarked for defense. It’s something he argues has
only increased under the auspices of “counter-terrorism” (Bajaj 2012). This would include, but
was not limited to, electronic eavesdropping, wiretapping and network intrusion. Such methods
are, according to Bajaj, widely used by the US, especially against the Chinese. The Chinese
view this as economic provocation because it allows the US and its allies to bargain from a
position of strength in international economic negotiations (Bajaj 2012).
Lobbying in the United States
Lobbying is not an activity unique to the US (the EU has an entire building designated for
lobbyists), but the US is known for an aggressive type of lobbying. In particular, the US is known
for a “revolving door” where a government employee leaves work on Friday and on Monday
starts her new job as a lobbyist. This has obviously taken on much more significance since the
Citizens United Supreme Court decision but even traditional lobbying, outside of elections, has
experienced a boom with regard to cybersecurity. According to information and articles from
sources as diverse as Reuters News Agency and progressive think tanks, the amount of lobbying
in Washington DC for cyber legislation has tripled since 2012. The New York Times puts the
figure at $134 million as of 2014 (Dusel 2014) and that sum is likely to grow. These sources,
while informative, were a little light on analysis and as such, the information provided was
somewhat scattershot. Locating it proved to be one of the biggest challenges of this paper.
PR Material
There was a substantial amount of material generated during the lobbying efforts, from
several viewpoints. The most prolific, however, tended to be either business interests or trade
groups, although sporadically government agencies and Civil Rights groups created
promotional literature as well. The group that produced the most material, by far, was the US
Chamber of Commerce and their publication “Free Enterprise”. It seems scarcely a week went
by without some sort of op-ed or press release coming from the Chamber of Commerce. In a piece
that would eventually go on to be published in “The Hill”, a major Washington DC organ, the
Chamber defined their position as being fiercely anti-regulatory, but amenable to cooperation
between private industry and government (Joston 2012).
Another major group was the Business Software Alliance. This was a collection of
companies including Microsoft and McAfee which were very vocal in their support of certain
pieces of legislation. They were particularly rabid when it came to the topic of copyright
infringement and piracy. In a somewhat misguided campaign, at one point the BSA was
encouraging employees to rat on their employers with the “Bust Your Boss” initiative, where
the organization would pay “whistleblowers” for alerting them to any possible illegal software
use in their office (Gaskin 2009). There have been similarly acronymed trade groups, like the
Internet Security Alliance (ISA) but they are relative youngsters compared to the BSA, which has
been around since 1988.
Taken separately, these resources were interesting yet inchoate, not yet coalescing into a
bigger picture. There was the historical framework for business-government interaction, but it
had yet to incorporate the newly created frontiers of the digital world. There was information
about which group donated to which cause, but not how it fit into an overall strategy. This
paper strives to take the above mentioned sources and synthesize them into something new.
Argument:
Like most things in the United States, cyber legislation is being driven less by common sense
than by dollars and cents. The current push for legislation, although seemingly spearheaded by
companies, is in direct contrast to their previous strategy of obstinacy, and is in fact a cynical
ploy to appear civically engaged all the while crafting laws which benefit them, sometimes at
the expense of citizens. It is the intention of this paper to demonstrate that the ultimate goal
of those corporations lobbying Congress is to shift the burden of data protection onto the
government, while shielding themselves from liability.
Discussion:
Although the specifics of each piece of cyber legislation differ, the pattern of those
opposed and those in favor, who wants what and how they are willing to settle rarely changes;
the only shifting constant is in the ratios. When Civil Rights activists like something, the
security hawks feel they are losing out. When the security hawks have something they are
happy with, the Civil Rights activists have strong reservations. When the Civil Rights activists
and the security hawks are happy, the telecommunications industry refuses what they see as a
regulatory burden and lobby to have the whole thing shut down. It’s dull and predictable but
that has been the primary road map to Congressional gridlock. So what’s changed? Why is
there now a push for legislation? Partially, the momentum is the result of a spate of high-profile
security breaches at retailers such as Target and Home Depot and healthcare providers such as
Anthem. There is the view that now is the time to act (Maza 2015).
The industry knows it has a security problem. Former Carter administration official
Amitai Etzioni says that although corporations have been opposing efforts to create a cyber-
regulatory structure, they have also been neglecting the role of cybersecurity, viewing it as
superfluous. In fact, many executives regard the idea of cybersecurity itself as within the
existing purview of their IT departments and not necessarily worth the expense (Etzioni 2011),
which, if they fully implemented adequate security protocols, would be substantial. Many
businesses also view the idea of Federally mandated cyber security measures as something the
government, rather than the companies themselves, should foot the bill for (Etzioni 2011).
So we have an industry unwilling to spend the money to defend itself but acutely aware
of what happened to the likes of Target and Sony. Needless to say, approaching the government
for help would look… awkward. Companies are continuing to try other ways around beefing up
security, such as with CyberSecurity Breach insurance. This is mostly seen as a way for smaller
companies without the resources of the bigger corporations to protect themselves from the
potentially ruinous effects of a data breach. So far the cyber insurance industry has grown into
a $2.1 billion behemoth. It suffers from its own forms of unwieldiness, mostly because the legal
structure and what companies are required to protect and disclose, etc. is somewhat codified in
laws like the Gramm-Leach-Bliley Act, but is in no way uniform (NPR 2015).
In many ways, smaller companies may be helped by an over-arching regulatory
structure but they are butting up against decades of anti-oversight thought, propagated largely
by groups like the Business Software Alliance and the US Chamber of Commerce. For example,
there were attempts during the George W. Bush administration to create some sort of
regulatory framework by Richard Clarke:
During his tenure at the White House, Clarke attempted to
institute an ambitious regulatory regime, but he says his
plan was largely blocked by anti-regulation forces within
the administration of George W. Bush. Stewart A. Baker,
who served as the first assistant secretary of homeland
security for policy at the time, writes that the proposed
strategy “sidled up toward new mandates for industry,”
would have required formation of a security research fund
that would draw on contributions from technology
companies, and would have increased pressure on Internet
companies to provide security technology with their
products. These requirements were viewed as too onerous
for businesses, Baker notes, by many within the
administration, and ultimately “anything that could offend
industry, anything that hinted at government mandates,
was stripped out.” (Etzioni 2011).
So with the increased lobbying and more conciliatory approach being taken by the US
Chamber of Commerce, what’s changed? In large part, the answer is the man who occupied
the White House. While Bush almost completely ignored the issue (Etzioni 2011), Obama has
been much more pro-active in trying to set up something to protect the nation’s infrastructure,
which, as was previously mentioned in the introduction, now seemed to include economic and
financial components. Obama has been cautious in his attempts to woo corporations and made
it a point to say in 2009 that “[m]y administration will not dictate security standards to private
companies.” (Etzioni 2011).
It was in this more “conciliatory” atmosphere that lobbying began in earnest in the
Capital. Companies like Google, Raytheon and Boeing all have spent billions trying to sway
members of Congress. The US Chamber of Commerce started a campaign in 2012, advocating
for a “voluntary cooperation” regime, culminating in a joint paper with the National Institute of
Standards and Technology (NIST). The solutions advocated by the Chamber are largely “market
based” (Beauchesne 2014) and encourage, but do not require, communication between companies
about cyber threats. In addition to its work with the NIST, the Chamber of Commerce worked
with John McCain and five other Senators to create the SECURE IT bill, which was meant to
challenge another cyber legislation bill proposed by Joe Lieberman and Susan Collins (Vijayan
2012), which they felt placed too many restrictions on private industry.
Other than issuing an Executive Order in 2013 directing the government to develop
voluntary cyber standards for privately-held assets considered critical to national security, and
to increase sharing of cyber attack information with companies (Salant 2013), the White House
finds itself at an impasse. Although corporations are now advocating for solutions to the cyber
security problem where before they simply stalled, their lobbying efforts continue to focus on a
few areas deemed non-negotiable. The overall corporate wish-list includes no regulatory
apparatus, which the Obama administration has largely assented to, but the lobbyists insist that
there will be no information sharing without assurances of freedom from liability and
negligence (Salant 2013).
Conclusion:
As of February 2015, Obama is still stumping for some sort of compromise on the cyber
legislative agenda. At the Summit on Cybersecurity and Consumer Protection hosted by
Stanford University, a weary Obama made yet another plea: "It’s one of the great paradoxes of
our time that the very technologies that empower us to do great good can also be used to
undermine us and inflict great harm," Mr. Obama said, addressing the summit (Maza 2015). It’s
easy to picture him sighing. Through a confluence of language, equating cybercrime with cyber
terrorism and financial instruments with the national security infrastructure, there has been a
great flip in the script. Sensing a White House willing to compromise, businesses feel they can
lobby for a regulatory regime that wasn’t, instead looking for voluntary compliance. Despite
James Lewis, a cyber-security expert at the Center for Strategic & International Studies, flatly
concluding that “the market has failed to secure cyberspace. A ten-year experiment in faith-
based cyber security has proven this beyond question” (Etzioni 2011), corporations persist in
the idea. Honestly, who could blame them? With the NSA conducting corporate espionage on
their behalf, and the possibility that they might be immunized from prosecution for liability and
negligence if they are able to get their agenda passed, why would corporations want to spend a
red cent on cybersecurity? Of course there is the idea that consumers won’t be protected and
citizens’ civil rights might be trampled, but a good PR department can right any sinking ship.
Especially when they don’t have to spend money on the lawyers they would normally need to
defend themselves from compliance violations and class action lawsuits.
Bibliography
Auerbach, David “The Sony Hackers are Terrorists.” 17 December 2014. Slate.com.
http://www.slate.com/articles/technology/bitwise/2014/12/sony_pictures_hack_why_its_perpetrators_should_be_called_cyberterrorists.html
Bajaj, Kamlesh “Industrial Espionage and Counter-Terrorism: Two Sides of the Same
Coin.” 9 July 2014. China-US Focus.
http://www.chinausfocus.com/peace-security/industrial-espionage-and-counterterrorism-surveillance-two-sides-of-the-same-coin/
Beauchesne, Ann “U.S. Chamber of Commerce Launches National Cybersecurity
“Roundtables” Series in Chicago” 2 June 2014. US Chamber of Commerce.
https://www.uschamber.com/us-chamber-commerce-launches-national-cybersecurity-roundtables-series-chicago
Dorgan, Byron “Cyber Terror is the New Language of War” 17 July 2013. HuffingtonPost.
http://www.huffingtonpost.com/sen-byron-dorgan/cyber-terror-is-the-new-l_b_3612888.html
Etzioni, Amitai “Private Sector Neglects Cyber Security” 29 November 2011. The
National Interest.
http://nationalinterest.org/commentary/private-sector-neglects-cyber-security-6196
Gaskin, James “Business Software Alliance Dirty Trick Update” 14 October 2009.
Networkworld.com.
http://www.networkworld.com/article/2251718/smb/business-software-alliance-dirty-tricks-update.html
Goetz, Kaomi “Companies Worried About Hackers Turn to Cyber Insurance” 19 March
2015. NPR.
http://www.npr.org/2015/03/19/393865187/companies-worried-about-hackers-turn-to-cyber-insurance
Landau, Susan “Under the Radar: NSA Efforts to Secure Private-Sector Communication
Infrastructure” 29 September 2014. Journal of National Security Law and Policy Volume 7 Issue
2.
http://jnslp.com/wp-content/uploads/2015/03/NSA%E2%80%99s-Efforts-to-Secure-Private-Sector-Telecommunications-Infrastructure_2.pdf
Libicki, Martin “Cyberattacks are a Nuisance, Not Terrorism” 8 February 2015.
Newsweek.com.
http://www.newsweek.com/cyber-attacks-are-nuisance-not-terrorism-305062
Marcus, Steve “Telecoms Prevail in Arguing Against Cybersecurity Recommendations”
19 March 2013. Reuters.com.
http://www.reuters.com/article/2013/03/19/us-usa-cybersecurity-fcc-idUSBRE92I03420130319
Maza, Cristina “Will the Government and Private Industry be Able to Cooperate?” 3
February 2015. Christian Science Monitor.
http://www.csmonitor.com/USA/USA-Update/2015/0213/Cybersecurity-summit-Will-government-businesses-cooperate-more
Salant, Jonathan “Lobbying is Big Business in the Capital” 21 March 2013. Bloomberg
Business.
http://www.bloomberg.com/news/articles/2013-03-21/cybersecurity-lobby-surges-as-congress-considers-new-laws
Vijayan, Jakumar “No BiPartisan Fight in Bill Debate” 5 March 2012. Computer World.
http://www.computerworld.com/article/2505963/cyberwarfare/no-partisan-fight-over-cybersecurity-bill--gop-senator-says.html