Among the pending executive orders that President Donald Trump is getting ready to sign is one that would direct the Pentagon and various national security agencies to undertake a massive review of the nation’s cybersecurity infrastructure, the Washington Post has reported. Given the clamor about the hacking of computers in the U.S. by the Russians, and its possible effect on the Presidential election, such a decisive step isn’t surprising.
While federal officials are trying to get their arms around the problem, New York State has already proposed legislation to combat breaches involving institutional cybersecurity. The law frequently trails technology, but New York Gov. Andrew Cuomo is making strides to catch up with several new cybersecurity measures introduced in his State of the State in January.
Cuomo’s commitment is hardly surprising. According to the governor’s office, cybercrime is now considered more lucrative than drug trafficking and is estimated to have cost the global economy more than $400 billion in damages in 2014 alone.
The governor’s proposals focus on three main issues, the first of which is computer tampering. He wants punishments toughened to be commensurate with the damage that was done. Currently, $50,000 worth of damages is treated the same as $5 million worth. Under the new legislation, someone who causes more than $1 in damages via computer tampering could be slammed as a new class B-level felon, which in New York State means up to 25 years in prison if convicted.
A second aspect of Cuomo’s proposals is identity theft. Again, the governor plans to bolster the identity theft statutes so that the severity of punishment corresponds with the number of identities that someone steals. The measures would also seek to hammer thieves who steal the identity of “vulnerable” populations, such as senior citizens. The resulting criminal punishments would range from an A misdemeanor—which could be a year in prison or three years of probation, plus a fine up to $1,000—to a D felony, which mandates up to seven years of jail time.
Finally, the proposed measures include the development of a Cyber Incident Response Team (CIRT) cobbled together from technology personnel from a variety of agencies, including the state Division of Homeland Security and Emergency Services and the National Guard. The response team will aid state authorities and local governments that have been targeted by cybercriminals. The CIRT won’t require any new legislation.
But Cuomo’s proposal for the most part would deal with institutional cybersecurity issues, not social media-related ones. For example, these proposals would have no bearing on nonconsensual pornography, such as revenge porn, according to Carrie Goldberg, whose law firm, C.A. Goldberg PLLC, specializes in issues of Internet privacy, sexual consent, and the cyber harassment of individuals.
Goldberg pointed out that Cuomo’s proposals don’t address the victims with whom she so often deals. She noted that the only proposal that could potentially have teeth in her realm of work is the governor’s plan to expand computer intrusion laws “to better protect private citizens.”
“Conceptually it could help victims whose images are obtained via hacking,” Goldberg said in an email. “But if Governor Cuomo was serious about protecting victims of nonconsensual pornography, he would support a state law. New York is dramatically lagging behind other states in tackling this issue . The Governor should add his voice to the fight.”
Michael A. Vatis, a partner in the New York office of Steptoe & Johnson LLP, specializes in Internet, e-commerce, and technology issues, and represents corporate and institutional clients concerned with privacy, security, and intelligence matters. He acknowledged that the biggest beneficiaries of Cuomo’s proposed measures are such corporate and institutional entities and state and local authorities.
“Previously, these entities were largely left on their own to defend against, and respond to, cyber attacks, and many lack the resources and expertise to do an adequate job,” he explained in an email. “If the new CIRT is adequately resourced, it will help these entities build up their defenses against cyber attacks and respond effectively to attacks that do occur.”
One non-institutional constituency that will be helped by Cuomo’s proposals would be the elderly.
Leita King, Scam Prevention Coordinator at healthcare provider company Lifespan, said older adults often fall prey to cyberattacks due to generational issues.
“Older adults don’t want to be viewed as helpless by their family or caretakers, so they keep quiet about things that trouble them,” she said via email.
While educating the elderly about cyber threats would be an appropriate first step, King stressed that training banks and service providers should be the second biggest priority. Providing a path to prosecution for those who seek to take advantage of seniors should also be high on the to-do list.
According to Steptoe & Johnson’s Vatis, the success of these measures and the CIRT comes down to resources.
“Increasing penalties for computer crimes can be somewhat helpful in deterring computer criminals, but it is more important to increase the probability that cybercriminals will be caught and prosecuted, and that requires increasing the resources available for investigating and prosecuting cyber crimes,” he said. “Unfortunately, state governments often resort to simply increasing penalties for crimes, which is relatively easy and cheaper to do than providing more resources to catch criminals. But increasing penalties alone is not enough. More resources must be devoted to the agencies that investigate and prosecute cyber crimes.”
New York isn’t the only state taking strides towards increasing cybersecurity. Fourteen states—California, Colorado, Delaware, Florida, Georgia, Indiana, Kansas, Maryland, New Hampshire, Oregon, Utah, Virginia, Washington, Wyoming—already have some level of cybersecurity legislation on the books, though approaches vary by state.
As for the federal government, Trump’s four-part cybersecurity plan involves a review of all cyber defenses and vulnerabilities, the creation of a Joint Task Force at the federal, state, and local levels, recommendations for enhancing U.S. Cyber Command from the Secretary of Defense and Chairman of the Joint Chiefs of Staff, and development of our own offensive cyber capabilities. But the implementation timeline remains unclear.