The Impact of the Financial Modernization Act of 1999


I am researching the Computer Security Act of 1987, Public Law No. 100-235 (H.R. 145), (Jan. 8, 1988). That American federal law came into effect in 1987, during the Reagan administration, which ran from January 1981 through January 1989. As complex as the whole matter may seem (and it really is), there are two important nuances to note. On one hand, the National Institute of Standards and Technology, NIST (n.d.), handled security control pertaining to the non-military government system, and the National Security Agency, NSA (NIST, n.d.), that of the civilians, until the NSA gradually became the one taking on the role that the NIST used to play, while the NIST currently, and mostly, trains federal employees in computer security. The NIST and the NSA both focus on national computer security. They are complementary to each other: they plan, train computer management systems and computer users, implement policies, and provide technical assistance.

The Position I want to take

I agree with the entire intent of the law as well as the current way in which it is written from an Information Technology (IT) standpoint. Over time, we have progressed, and certain things have become obsolete (such as telegraphs and census machines that were in use before the Internet). Nowadays, there are fewer antiquated practices. Security measures have also improved to include privacy protections, although ICANN, ICANN-accredited registrars, and the Whois database (EPIC, 1994-2018) are exempted with respect to domain name registration and the identity of the registrants. That can partially explain how the US government was able to trace back the hacking by Morris (Davis, 2015). The overall intent of the Computer Security Act of 1987 remains the same: a practical focus on national security.

Background

The Internet is about sixty years old and was created in the US in a simpler form that granted exclusive access to researchers whose work was, a priori, to benefit the Defense Department starting in 1958 (Science Node™, 2018) during the Cold War (Encyclopaedia Britannica, Inc., 2018), a period of geopolitical tensions between the US and the USSR (Republics of the Soviet Union). Does it not suddenly seem logical that laws created in the US regarding the use of the Internet are practically federal laws that require the direct oversight and approval of the president himself? These details remind everyone that the Internet is indeed an American creation. Its having become a public network that billions of people use globally has not changed that fact. Therefore, this paper, which aims to look at one specific American law related to online security, could potentially be useful within and across borders.

Before expanding on how the law got to be the way it currently is (a timeline to the Act), hacking is a concept that deserves to be defined so that the dangers it presents to an IT system are clear in relation to the usefulness of the law mentioned above. Hacking is the event of damaging computers with lines of code to the point where malware self-replicates “like a virus until the machine slows down and eventually shuts down” (Davis, 2015, p.2). The dangers that hacking presents to an IT system are that it no longer operates efficiently and that there can be loss of data of all sorts, whether confidential, security-related, vital, etc. Hackers specifically target government IT networks using worms in the forms of trojans, viruses, and more. The Computer Security Act of 1987 has had to adjust since the eighties, with amendments and other inclusions, because of new threats: the popularity of social media, for instance, and the interaction of millions of people every day have required the monitoring of behaviors, exchanges, and actions so as to limit the negative consequences of diverted use, not to forget people’s privacy (US Department of Justice, 2015).

A Timeline to the Act

Here is the history of laws, regulations, and agencies dedicated to securing IT infrastructure, starting at the beginning of the twentieth century, when Congress established national standards based on Stratton’s convincing arguments (NIST, n.d.).

NIST was founded on March 3, 1901, as a National Standards Laboratory, half a century before the creation of the Internet, and is a part of the US Department of Commerce. Wilson, Stine & Bowen (2009) drafted a publication that Toth & Klein (2014) revised later. Both publications, listed as references below, are meant for the training of federal personnel (and their contractors) with cybersecurity responsibilities. Chief Information Officers (CIO) rely on NIST publications as up-to-date procedures for their information systems. Only those people with the adequate authority and professional status have the appropriate insights regarding the operation and security system of their own agency.

Congress established the Health Insurance Portability and Accountability Act (HIPAA) in 1996 as standards that protect sensitive patient information. The US Department of Health and Human Services (HHS) oversees the HIPAA Security Rule (Office for Civil Rights, 2013).

The Gramm-Leach-Bliley Act (Federal Trade Commission, 2015), also known as the GLB Act, the GLBA, or the Financial Modernization Act of 1999, requires financial institutions to disclose to their customers and to the government how they both protect and share consumers’ information, as those institutions must comply with the requirements of the Privacy Rule.

“The Homeland Security Act of 2002 created the Department of Homeland Security (DHS)” (Homeland Security, 2015), a federal agency that publishes many types of documents on its websites, one of which is clearly labeled cybersecurity.

The Federal Information Security Modernization Act (FISMA) has been in place within the DHS since 2014. Among other nuances of its role, it provides technical assistance and oversees the implementation of non-national security policies for federal executive branches of the system, according to the web page listed below as Homeland Security (2018).

According to the Computer Security Act of 1987 (EPIC, 2018), amended in January 1988, each federal agency is responsible for security awareness, as part of the periodic computer security training of all employees who operate or manage federal computers, delivered either by the agency’s own trainers or by an alternative program that can achieve comparable results.

Ramifications of Malicious Attack

Overall Impact. Citing the 1988 example of Morris (Davis, 2015), the hacker who infected roughly six thousand computers, it is terrifying to imagine how so many industries were affected at once: education, research, and the military. Closer to the present, if any US Internet user were to look at the security packages that Norton® by Symantec™ offers (Symantec Corporation, 1995-2018), it would be clear that most connected computers worldwide, belonging to government entities, private companies, and even individuals, can be targeted. Domino effects can add to the damage through file transfers and the use of infected devices from machine to machine, at a slower pace than any online spread, but still reaching units that might not otherwise have been touched.

Financial Impact and More. This, of course, is not the only aspect that damage to computers entails. There are also invaluable pieces of information that can be considered assets for their users: for instance, social security numbers, secret recipes, codes to secured data, banking information, passwords, complete profiles, and so on. Besides, the time spent producing documents and files of all sorts translates into working hours that get wasted ipso facto.

Inadequacies and adequacies of the law you are researching

Inadequacies. The Computer Security Act of 1987 is not a perfect law. Different agencies have different requirements and various levels of sensitive information. Likewise, this law is not necessarily reflective of those different protection enclaves, as confirmed by the latest article by NCSL, dated November 2018, in which the author reports that only two US States, Nevada and Minnesota, have enacted privacy laws that prohibit Internet Service Providers (ISP) from disclosing consumers’ information without explicit consent. The inadequacies that can be pointed out are obsolete technology devices or measures still in place, the many various needs of the different agencies, and the fact that umbrella protection does not work for all types of IT infrastructures, which tend to be specific to the objectives in place for them. It is necessary to address possible amendments to the vernacular used in the text.

Adequacies. The following is deemed adequate: the involvement of NIST, with its responsibility for the training of federal individuals who have certain types of information technology and cybersecurity responsibilities. That is the reason SP 800-16, a book of procedure, was developed; it contains the learning continuum delineating security basics and literacy as well as training and development methodologies.

Proposed Changes

To guarantee a better application of the law for which I am advocating, I would be much in favor of the following positive changes to information insurance and IT security, such as:

Present texts and literature of law to online sellers, for instance, in the 24 States that have pending legislation regarding measures that affect Internet and telecommunication users (NCSL, 2018).

Analyze and interpret benefits to the users as well as consequences for not following the pending legislation if any or all came to pass in the respective States.

Conclusion

This new proposal of the law should be adopted because online sellers, like federal employees, should be aware of the requirements that they have to follow regarding information security rules. Moreover, US States may impose their own variations of the law, with more or fewer restrictions on certain aspects depending on the importance that the details they emphasize have for their constituents. Online sellers may also develop relationships with customers outside the area of their physical location, which is governed by certain local laws, while they must ensure that their customers across the country or across the globe also get the protection that is in place for them. It should simply become second nature for them to refresh their knowledge regularly about updates to cyber law that are of interest to them, both because of the role they play in the collection, storage, and dissemination of consumers’ information and because they use computer information systems connected to the Internet. Computer Security Law has become a concern for all involved, not just an issue for the federal branch of the United States to worry about at its level only.

References

Davis, A. (2015, March 6). A history of hacking. Retrieved from http://theinstitute.ieee.org/technology-topics/cybersecurity/a-history-of-hacking

Encyclopaedia Britannica, Inc. (2018). Cold War – International Politics. Retrieved from https://www.britannica.com/event/Cold-War

EPIC. (1994-2018). Cybersecurity privacy practical implications. Retrieved from https://www.epic.org/privacy/cybersecurity/, more precisely in §2, read the Internet corporation for assigned names and numbers (ICANN) https://epic.org/privacy/internet/ICANN_privacy.html

EPIC. (2018). Computer security act of 1987. Retrieved from https://www.epic.org/crypto/csa/

Federal Trade Commission. (2015). Gramm-Leach-Bliley act. Retrieved from https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act

Homeland Security. (2015). Homeland security act of 2002. Retrieved from https://www.dhs.gov/homeland-security-act-2002

Homeland Security. (2018). Federal information security modernization act. Retrieved from https://www.dhs.gov/fisma

NCSL. (2018). Privacy legislation related to Internet service providers. Retrieved from http://www.ncsl.org/research/telecommunications-and-information-technology/privacy-legislation-related-to-internet-service-providers-2018.aspx

NIST. (n.d.). History. Retrieved from https://www.nist.gov/timeline#event-a-href-node-774226first-director-samuel-w-stratton-a

Office for Civil Rights. (2013). Summary of the HIPAA security rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

Wilson, M., Stine, K. M., & Bowen, P. (2009). Information technology security training requirements: A role- and performance-based model. NIST SP 800-16 (draft). Retrieved from https://www.nist.gov/publications/information-security-training-%20requirements-%20role-and-performance-based-model-draft

Toth, P. & Klein, P. (2014). Information technology security training requirements: A role- and performance-based model. NIST SP 800-16 | Revision 1 (2nd draft, version 2). Retrieved from https://csrc.nist.gov/csrc/media/publications/sp/800-16/rev-1/draft/documents/draft_sp800_16_rev1_2nd-draft.pdf

Science Node™. (2018). A brief history of the Internet. Retrieved from https://sciencenode.org/feature/a-brief-history-of-the-internet-.php

Symantec Corporation. (1995-2018). Internet security center. Retrieved from https://us.norton.com/internetsecurity?inid=nortoncom_nav_internetsecurity_homepage:homepage

US Department of Justice. (2015). Privacy act of 1974. Retrieved from https://www.justice.gov/opcl/privacy-act-1974

September 04, 2023