U.S. cybersecurity is more fractured than it might appear, with state and federal authorities handling their own responsibilities while private companies also have to work on their own infrastructure.
“We know that other nation states — China, Russia, Iran and North Korea — are coming after us in the cyber domain,” Jamil Jaffer, founder and executive director at the National Security Institute at the George Mason University Law School, told Fox News Digital.
“We generally expect the government to defend against those kinds of attacks. If a Russian bomber comes across the horizon, nobody says, ‘Hey, you know, Walmart or Target, why didn’t you have surface-to-air missiles on the roof of your building, defend against that Russian bear bomber?’
“Of course, we don’t expect that [in cybersecurity],” he continued. “We expect Walmart, Target, JPMorgan, a small mom-and-pop business in the middle of the country to defend themselves against any cyberattack, whether it’s somebody in their basement or the Chinese nation-state or the Russian nation-state.”
That inverted relationship partially exists largely due to the fact that the private sector owns and operates internet access in the United States even though it has developed into a significant factor in warfare. In the months prior to the Russian invasion of Ukraine, military experts told Fox News Digital cyberattacks would serve as a major indicator that an invasion was about to occur.
In outlining what a Chinese invasion of Taiwan would look like, experts have routinely cited a cyberattack as a leading indicator that Beijing would make its move.
Yet the U.S. has its cybersecurity split into three pieces — the federal government, operating through the Cybersecurity and Infrastructure Security Agency (CISA) as part of the Department of Homeland Security; state-level governments; and private companies.
“As a general matter, cybersecurity policy has been fairly forward-leaning and has been fairly bipartisan,” Jaffer told Fox News Digital. “It varies from member to member in Congress, but at the end of the day … we rely on them to get the incentives right.
“We have to give them better incentives and not penalize industry with excessive regulations or excessive lawsuits and liability,” Jaffer argued. “I think it’s likely to make us less cyber-safe.”
In a recent study, Proxyrack, a proxy provider website, surveyed each state to determine which were most at risk for cyberattacks, based on the number of cybercrime victims per 100,000 people. Nevada, Iowa, Alaska, Delaware, Florida, Maryland, Colorado, Washington, Arizona and California rank as the top 10 most vulnerable, according to the survey, showing little consistency in region, political inclination or other factors outside of mere investment in cybersecurity.
Phishing (email scams), vishing (phone scams), smishing (text scams) and pharming, which aims to direct internet traffic to fraudulent websites, ranked as the most common crimes, responsible for just under 324,000 victims in 2021. Another 82,500 people were victimized by non-payment scams, and another roughly 52,000 suffered personal data breaches.
California alone reportedly lost $1.23 billion to cybercrime and scams, with Texas, New York and Florida each losing over half a billion dollars to these same crimes in the same year.
“While there is a federal Department of Energy and a Federal Energy Regulatory Commission, we generally think about power, water and the like as being a state responsibility,” Jaffer noted. “I think you’ll see states doing a lot more in that space and working with their people and also on emergency response. If something goes wrong, just like you would in a hurricane or other an earthquake or other natural disaster.
“States come in first, the federal government comes in later. And it’s likely where you’re likely to see the states play a role in cyber in the cyber domain,” he said.
Jaffer stressed that private and state operators function with only part of the picture since the federal government tightly controls information about threats from foreign actors such as Russia, China, Iran and North Korea. Nations like Iran and North Korea have significantly improved their own cyber literacy over the past decade.
North Korea, in particular, has improved its capabilities and focused on scams and other cyber operations that would allow it to gain as much wealth as possible to bypass sanctions.
The federal government has embraced its role as enabler and supporter rather than as leader in these spaces. CISA regularly reviews various industries and state requirements and weaknesses to help them strengthen and improve their infrastructures.
“The main role of the federal government, including through CISA, within the Department of Homeland Security, within that role of homeland security, is to provide both state and local governments and private companies with services, with guidance, with information to help them secure their networks, help them understand threats, help them prioritize risks,” Eric Goldstein, CISA executive assistant director for cybersecurity, told Fox News Digital.
“We provide information bulletins, we share information and so our role is really to support the operators of these critical systems, whether they’re state government or private sector,” he added.
Goldstein acknowledged that this burden of responsibility on state governments can lead to “a wide diversity across particularly local governments based upon their level of resources or their cybersecurity maturity.” But there are resources that can allow states and local governments to achieve a “common baseline, including CISA’s recently-released Cybersecurity Performance Goals.”
CISA aims to “help fill those gaps and raise the bar so we achieve a higher baseline and more uniformity of practice across the country,” he said.
Whether the various pieces at work in the U.S. cybersecurity apparatus can achieve that efficacy and literacy remains to be seen, but CISA is trying to help bring “all sectors to work together continuously around cyber threats.”
“I think there is a widespread recognition at this point that every network is at risk and no one organization can defend their networks alone. And so we have to collaborate between all levels of government and with the private sector if we’re going to succeed,” Goldstein said.