Cyber Privacy, Law and Governance in the Spotlight After U.S. ElectionManaging Director, Cybersecurity Consulting and Advisory Services for Marsh Risk Consulting
Neither of the major party candidates in the 2016 U.S. presidential election were known for being tech-savvy. Yet, throughout the election cycle, anxiety over cybersecurity was a central theme, raising issues that businesses and government will face for years to come.
The first of these issues deals with how to authenticate electronic communications. Hackers—widely said to be part of the Russian government—broke into the emails of the Democratic National Committee and other accounts. The information stolen was made public by WikiLeaks in a series of inflammatory releases aimed at disrupting the election, but there was little reporting or commentary about the authenticity of the leaked emails.
The question then becomes, how do we know when an email is authentic? We can expect to see businesses and government focus on two aspects of information governance around security, both of which apply cryptographic techniques when the information is created. First, there is now an increased incentive to use methods at the point of origination that make it possible to later verify authenticity. Second, more information will be given the quality of nonrepudiation. That is, it will be created in such a way that its originators cannot deny authorship.
Deployment of such technologies will enhance the focus on these aspects of security and wider adoption of these techniques, particularly in government communications.
The second issue is, what will be done to address the changing concerns and expectations regarding cyber privacy? This area is likely to get worse before it gets better. Users’ expectation that they will have privacy in cyberspace will take on increasing prominence in the already crowded privacy issue space. A big lesson—one that should have been learned long ago—is that we must recognize that we cannot expect our electronic communications to be private unless we take deliberate measures to make them so.
For personal email, it’s good practice to encrypt all email; it gets a little more complicated for businesses.
Encryption, one of the best solutions for privacy protection, is supported by just about every email application and most web-based email systems. Email encryption technology provides a way to ensure that the only addressees that can read the message are those to which it is being sent. Also, it’s generally the same technology that allows the messages to be digitally signed to ensure authenticity.
For personal email, it is a good practice to encrypt all email messages; it gets a little more complicated for businesses. Companies would be wise to develop an encryption strategy, one which covers data encryption generally. There are good reasons at the enterprise level to not encrypt all information and equally good reasons to encrypt some information. The takeaway is that encryption technology is available for email, is not overly difficult to use and it goes a long way to ensure the privacy of email communications.
Other key privacy questions that surfaced during the election relate to accountability: Who is liable when information privacy is not adequately protected? Will users of information services continue to accept lengthy and legally complex liability language typical of most online privacy policies? Will users be able to manage or control the privacy of their information themselves in coming years? We can expect these questions to remain prominent for some time to come.
Finally, how will international law evolve to address modern cyber threats? The purported DNC hack by Russian agents puts a focus on current national laws and international covenants: Do they adequately cover potential cyber meddling by one country in another’s elections? This will be debated hotly in the legal domain, but it will take years—decades even—to work out and implement international agreements and domestic legislation globally.
There are many multilateral international efforts underway—both governmental and non-governmental—to address cyber-related public policy issues such as internet governance, technical standards, privacy, cybersecurity and encryption, systemic risk in the financial sector and the law.
Rationalization of international law in any domain is a long, drawn-out process. The international Convention on Cybercrime, for example, which defines some of the most obvious examples of what should be considered crimes in cyberspace, entered into force in 2004. Today, there are still only about 50 countries that have ratified it and even fewer that have fully implemented it through legislation. The United States is a signatory, but some other large and economically strong countries have refused to ratify it on various grounds. That is just one basic example of the state of international cyber law, and it is likely to get greater attention in light of the U.S. election.
Basic Strategy Questions Remain the Same
There is such heightened awareness today of how much we depend on networks and computers that cyber threats seem overwhelming. In many respects they are but for the nation as a whole, the U.S. election itself has not really changed the priorities. The basic strategic questions are still there: How much of a risk does the cyber environment impose on an organization? How much should be invested to mitigate it? Where do we find the qualified people needed to manage the security controls? How do we think about cyber insurance coverage?
Over the next two years, 77 percent of organizations expect to increase their investment in cyber risk management, according to the 2016 Marsh Excellence in Risk Management Survey. As companies develop their cyber strategy and defenses in the coming months and years, the issues raised during this election cycle should jump-start discussions from the corner office to the boardroom. There is no room for apathy; action is needed today to confront the new developments of tomorrow, some affording answers and others raising more questions.