Could cyberattack result in criminal charges?
The consequences for cyber crimes have been public condemnation, negative publicity and fines. That might change in the future.
The threats of cyberattacks on our systems are recognized as a risk. Some publically traded organizations even list this as a risk in documents with financial projections and earning information. That would lead one to believe that cyberattacks are a foreseeable risk and as such must be addressed.
What about those that do not address these threats? Are there consequences and if so how severe are they? Until now most of the consequences have come mostly in the form of public condemnation, negative publicity, negative reactions and a few have come in the form of fines.
In a recent cyberattack scenario planning exercise the consequences changed. Earlier this year, the CEO of security company Top Patch was quoted on the CNN Money website as saying, "nation-state attackers will target critical infrastructure networks such as power grids at unprecedented scale in 2013," and went on to say, "these types of attacks could grow more sophisticated, and the slippery slope could lead to the loss of human life."
That became the construct for the cyberattack scenario, where a cyberattack targeted a critical infrastructure component that was owned and operated by a for-profit business. The attack resulted in the death of one or more individuals. An investigation was launched and it was determined that the cybersecurity in place to protect the critical infrastructure systems that were compromised was far from what would be considered usual and customary within that peer group.
It would be reasonable to predict that once the investigation’s findings got out, civil litigation would follow. What about criminal charges? Could the CIO and/or chief information security officer (CISO) be charged with negligence when a cyberattack resulted in death or deaths?
There are a substantial number of conversations about the threats our systems face from cyberattacks taking place at the CIO and CISO levels. Given this possibility, the topic will be high up on that list, if not at the very top.
An article about the recent South Carolina Department of Revenue breach of personal and financial information was brought to my attention and said to be very relevant. It is. Given the current cyber threat environment and the continued breaches and theft of sensitive data, it is easy to see how the CIO and CISO could be held accountable, especially if a cyberattack results in a death or deaths.