Georgetown Law
Technology Review

INTRODUCTION: HACKING AND SOCIETY

Nearly ubiquitous in today’s online culture, “hacking” has generally reclaimed the benign spirit the word once held in the early days of electronics, throwing off the more nefarious meaning it held throughout the tail end of the twentieth century.1 Robert McMillan, A 125-Year-Old Letter Dives into the True Meaning of the Word Hack, SLATE (Jan. 29, 2015), http://www.slate.com/blogs/future_tense/2015/01/29/modern_technology_and_the_history_of_the_word_hack.html [https://perma.cc/TR2X-K8Z2]. The word “lifehacks”—a technique for accomplishing a familiar task more easily and efficiently2 Rosa Golijan, ‘NSFW,’ ‘ZOMG,’ and ‘Twittersphere’ Added to Dictionary, TODAY (Nov. 9, 2017), https://www.today.com/money/nsfw-zomg-twittersphere-added-dictionary-122978 [https://perma.cc/ZM33-X6L3].—was added to the Oxford dictionary in 2011, and embodies the culture of creative thinking and efficient problem solving that was pervasive in the origins of computer-based hacking.3 Brian Harvey, What Is a Hacker?, U.C. BERKELEY, https://people.eecs.berkeley.edu/~bh/hacker.html [https://perma.cc/C5SD-28QJ].

In the 1960s, students and researchers at Massachusetts Institute of Technology (MIT) gained the moniker of “hackers” as they developed technology that improved the operation of software and hardware in the early days of computers.4 Ben Yagoda, A Short History of “Hack”, NEW YORKER (Mar. 6, 2014), https://www.newyorker.com/tech/elements/a-short-history-of-hack [https://perma.cc/2AEW-EMB6]. Early hackers created “patches” to resolve various errors of code in programs and shared them.5 Jonathan Strickland, How Hackers Work, HOWSTUFFWORKS, https://computer.howstuffworks.com/hacker.htm [https://perma.cc/HP3E-7DUX]. It was perceived as a challenge to dive into complicated programs and try to find creative solutions to the problems of the era.6 See id. While the creative origins of hacking were positive, it is difficult to ignore the presence of malicious intents held by many in the modern hacking community.

Today’s malicious hackers seek something far different than greater operating system efficiencies. Instead, they seek to profit or gain notoriety by breaching personal or institutional systems. The original goals of hacking—to advance computing and networking for the challenge of it—fell to the wayside as some hackers searched for ways to illicitly gain from their skills.

In the modern world of hacking, some individual hackers organize to achieve their goals. Groups such as Anonymous, an online activist hacking group, attempt to reach the public and seek political influence through online attacks.7 See Kim Zetter, Is Anonymous Dead, or Just Preparing to Rise Again?, WIRED (June 9, 2014), https://www.wired.com/2014/06/anonymous-sabu/ [https://perma.cc/B7DG-Q798]. Others, such as the Lizard Squad, seek notoriety by disrupting the online services of Microsoft and Sony to impact millions of users.8 Charlie Hall, Infamous Lizard Squad Attacks on Sony, Microsoft Lead to Federal Charges, POLYGON (Oct. 7, 2016), https://www.polygon.com/2016/10/7/13202218/infamous-lizard-squad-attacks-on-sony-microsoft-lead-to-federal-charges [https://perma.cc/H2KL-A28Q]. While such online personas can benefit groups seeking publicity, many hacker groups keep a lower profile and instead seek personal profit through their actions.

The goals of hacking generally fall into one of three categories: (1) procuring information and access, (2) disrupting computer activity, or (3) permanently destroying data, software, or hardware in attacks. Two possible methods of attack are (1) taking advantage of coding vulnerabilities in software that have yet to be patched by developers, or (2) using less sophisticated methods of phishing to take valuable information from users. Defending against hacking attempts can be done in a number of ways that include: (1) preventing threats before they occur, (2) scanning computers with the intent to delete and remove threats, and (3) maintaining effective response protocol in the event of a breach to minimize the harm.

GOALS OF HACKING

Procurement of Information and Access

Hackers have a variety of goals, but the majority act at a localized level, trying to obtain personal data and information about individuals.9 See Kim Zetter, Hacker Lexicon: What Is Phishing?, WIRED (Apr. 7, 2015), https://www.wired.com/2015/04/hacker-lexicon-spear-phishing/ (“An estimated 91% of hacking attacks begin with a phishing or spear-phishing email.”) [https://perma.cc/Z6L8-UPXQ]. Many consumers in the United States own numerous electronic devices, which store personal information such as addresses, credit card numbers, passwords, and even social security numbers. Malicious attacks on personal computers seek to gain access to sensitive or identifying information and benefit thieves. Criminals can then sell access to compromised credit cards on the “dark web”—websites hidden from general web browsers—for around $10 to $20 worth of virtual currency.10 Suzanne Woolley, Here’s What Your Identity Sells For on the Dark Web, BLOOMBERG (Sept. 15, 2017), https://www.bloomberg.com/news/articles/2017-09-15/equifax-hack-your-social-security-and-identity-are-for-sale [https://perma.cc/F5SN-RYBX]. Sophisticated hackers can automate and easily scale their attacks through a single program or “exploit kit” to infiltrate hundreds or thousands of vulnerable computers.11 Fraser Howard, Exploring the Blackhole Exploit Kit, NAKED SECURITY (Oct. 29, 2017), https://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit-2/ [https://perma.cc/MS9P-HZ4F]. These exploit kits can be sold or shared online to create widespread attacks on personal computers.12 Id.

On a larger scale, corporate data is also a particularly valuable source of information for hackers.13 Mark Smith, Huge Rise in Hack Attacks as Cyber-Criminals Target Small Businesses, GUARDIAN (Feb. 8, 2016), https://www.theguardian.com/small-business-network/2016/feb/08/huge-rise-hack-attacks-cyber-criminals-target-small-businesses/ [https://perma.cc/69RC-B7JY]. Whether the goal of the hacker is corporate espionage or an attempt to gain leverage over a powerful business, there is a significant draw to infiltrating the much more complex security systems of large corporations with the chance of a large payoff. For example, by gaining access to the inner networks of a company like Equifax, hackers collected personal data from 143 million American consumers in a single attack.14 Seena Gressin, The Equifax Data Breach: What to Do, FED. TRADE COMM’N (Sept. 8, 2017), https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do [https://perma.cc/H72A-DK96]. Another vein of corporate hacking is one that seeks to damage the reputation of a company—such as the 2014 breach of Sony that resulted in a public-relations nightmare.15 Andrea Peterson, The Sony Pictures Hack, Explained, WASH. POST (Dec. 18, 2014), https://www.washingtonpost.com/news/the-switch/wp/2014/12/18/the-sony-pictures-hack-explained/ [https://perma.cc/R9KV-F53X]. The leak revealed executive compensation and racially insensitive emails, all seemingly in response to the studio’s promotion of The Interview, a film based on the fictional assassination of the North Korean leader Kim Jong-un.16 Id.

Hackers may also take control of computer systems in order to ransom back that control to the rightful owners. Hackers can then capitalize on the importance of information to the company instead of being limited to the value of its information to the public.17 Sheera Frenkel, Global Ransomware Attack: What We Know and Don’t Know, N.Y. TIMES (June 6, 2017), https://www.nytimes.com/2017/06/27/technology/global-ransomware-hack-what-we-know-and-dont-know.html [https://perma.cc/F2QD-QRGQ]. The overwhelming impact of “ransomware” was felt across the country in May 2017, when over 300,000 computers were infected by the WannaCry attack, which sought $300 per computer to restore normal access.18 Bill Chappell, WannaCry Ransomware: What We Know Monday, npr (May 15, 2017), http://www.npr.org/sections/thetwo-way/2017/05/15/528451534/wannacry-ransomware-what-we-know-monday [https://perma.cc/Q4VK-2GCJ]. In a more targeted attack, the recent 2017 hacks of HBO highlight an instance of hackers hoping to profit from extorting a high-profile media company by threatening to leak its popular series, Game of Thrones.19 Todd Spangler, HBO Hacks and Leaks: How Much Have They Hurt the Business?, VARIETY (Aug. 17, 2017), http://variety.com/2017/digital/news/hbo-hacks-leaks-business-impact-1202531385/ [https://perma.cc/JPU5-JRPF].

The most powerful players in cyber-security are governments, who seek to procure intelligence for their national security. Many nations with active cyber programs have massive budgets and identifiable intelligence interests and often draw blame for serious hacking attacks.20 See Dustin Volz et al., U.S. Blames North Korea for Hacking Spree, Says More Attacks Likely, REUTERS (June 13, 2017), https://www.reuters.com/article/us-northkorea-cyber-usa/u-s-blames-north-korea-for-hacking-spree-says-more-attacks-likely-idUSKBN1942MK [https://perma.cc/HL6U-L358]. While it is nearly impossible to determine the precise origin of a hack, forensic analysis often can point to potential locations of origin based on factors such as the language of the keyboard used to write the code.21 David Glance, How We Trace the Hackers Behind a Cyber Attack, CONVERSATION (Dec. 3, 2015), http://theconversation.com/how-we-trace-the-hackers-behind-a-cyber-attack-51731 [https://perma.cc/KQR8-UJSM]. Governments such as Russia, China, and North Korea are often put in the spotlight when trying to attribute blame following a leak, but sophisticated players can attempt to mask their involvement by deliberately using servers in another country.22 See id.

 Disruption of Service

Some hacker groups are more likely to pursue disruption of service instead of going to the lengths of infiltrating a network for personal data. The barrier to launch a disruptive attack is much lower than that of persistent intrusion and data collection. For example, a common disruptive attack, a Distributed Denial of Service (DDoS), overwhelms targeted networks with traffic from infected computers.23 Margaret Rouse, Distributed Denial of Service (DDoS) Attack, TECHTARGET, http://searchsecurity.techtarget.com/definition/distributed-denial-of-service-attack [https://perma.cc/L5JM-Q33D]. A network of infected computers, commonly referred to as a “botnet,” can cost as little as $150 per week and can be used to overwhelm a target, making the victim service unavailable for normal access.24 Max Goncharov, Russian Underground 101, TREND MICRO. https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-russian-underground-101.pdf [https://perma.cc/K6SC-SAPG].

Alternatively, hacker groups may seek to promote political agendas by defacing a website’s visual appearance by altering the underlying code. By defacing a website through this form of online graffiti, hackers can tarnish reputations of companies or attempt to gain a platform to distribute their ideas.25 Website Defacement, TREND MICRO, https://www.trendmicro.com/vinfo/us/security/definition/website-defacement/ [https://perma.cc/R6AS-KYW7]. These attacks often utilize “SQL injection,” taking advantage of the code used to communicate with servers (SQL) to gain access to administrative accounts that hackers can then use to manipulate a page.26 Best Practices to Address the Issue of Web Defacement, BANFF CYBER TECHS. (Mar. 24, 2016), https://www.banffcyber.com/best-practices-to-address-the-issue-of-web-defacement/ [https://perma.cc/V8GJ-2UV9]. While these attacks are generally viewed as harmless and can generally be resolved quickly and easily, they may cover up other nefarious actions on the part of a hacker such as uploading malware to a breached server.27 Website Defacement Definition, CYBERCRIME, http://cybercrime.org.za/website-defacement/ [https://perma.cc/V8VX-DDEW].

Destruction

 While disruptive and intrusive attacks undoubtedly result in headaches and financial loss for those impacted, attacks aimed at destruction pose the most serious threats to businesses. In 2013, over 30,000 computers in South Korea found their hard drives completely wiped following a coordinated attack on the financial and broadcasting sectors of the country.28 Alex Hern, North Korean ‘Cyberwarfare’ Said to Have Cost South Korea £500m, GUARDIAN (Oct. 16, 2013), https://www.theguardian.com/world/2013/oct/16/north-korean-cyber-warfare-south-korea [https://perma.cc/UR95-K829]. These attacks were estimated to cost South Korea over $600,000,000 in economic damage and were likely perpetrated by combative nations.29 Id.

The destructive impact of cyber-attacks extends beyond the memory and software of computer systems; the hardware of the infected computers may also be impacted. In 2010, Iran’s Natanz nuclear facility was compromised by the Stuxnet virus.30 Kim Zetter, An Unprecedented Look at Stuxnet, the World’s First Digital Weapon, WIRED (Nov. 3, 2014), https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/ [https://perma.cc/L8NV-J5J7]. Stuxnet destroyed 984 uranium-enriching centrifuges and the plant’s operational efficiency was reduced by 30%.31 Michael Holloway, Stuxnet Worm Attack on Iranian Nuclear Facilities, STANFORD UNIV. (July 16, 2015), http://large.stanford.edu/courses/2015/ph241/holloway1/ [https://perma.cc/FXQ8-HLLA]. While countries may benefit from acquiring data and information from their targets, destructive cyber warfare is increasingly becoming an avenue to gain power on a global stage.

METHODS OF ATTACKS

Exploiting Software Vulnerabilities 

With the standardization of tools to prevent cyberattacks, hackers have developed methods to circumvent traditional protections and to exploit software vulnerabilities. The impact of software vulnerabilities can best be seen through “zero-day” exploits. The zero-day refers to attacks on software generally made before a developer is aware of the exploit—the developer has “zero days” to respond to the vulnerability.32 What is a Zero–Day Exploit?, FIREEYE, https://www.fireeye.com/current-threats/what-is-a-zero-day-exploit.html/ [https://perma.cc/2LUM-WR4E]. For example, in 2013, Oracle’s Java went through a series of recurring zero-days as the developer continuously pushed out patches trying to resolve software vulnerabilities being exploited by malware exploit kits such as BlackHole.33 Michael Lee, Java Zero Day Skyrockets BlackHole Exploit Success Rates, ZDNET (Aug. 30, 2012), http://www.zdnet.com/article/java-zero-day-skyrockets-blackhole-exploit-success-rates/ [https://perma.cc/LHG9-V8AC]. Especially after an exploit is announced, unpatched software is vulnerable to attacks; even effective responses by developers are regularly undermined by unresponsive clients and users, who may not expeditiously install patches. On average, discovered zero-day vulnerabilities are estimated to persist for ten months as users continue to use outdated software and remain at risk for further infection.34 Leyla Bilge et al., Before We Knew It: An Empirical Study of Zero-Day Attacks in the Real World, CARNEGIE MELLON U., https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf [https://perma.cc/4X5F-KDHY].

 Phishing

 While potential software vulnerabilities are one avenue for access, hackers also manipulate users to unintentionally grant access to personal networks. Users are often described as the weakest link in the chain, and hackers have identified unknowing users as easy targets for gaining access to computers. This technique, known as “phishing” is used by hackers to manipulate users into unintentionally granting access to the user’s accounts.35 Danny Palmer, What Is Phishing? How to Protect Yourself from Scam Emails and More, ZDNET (Sept. 6, 2017), http://www.zdnet.com/article/what-is-phishing-how-to-protect-yourself-from-scam-emails-and-more/ [https://perma.cc/8KNH-S8JC]. Often crude, phishing attempts may be distributed through links in an otherwise innocuous email in an attempt to convince a user to divulge private information such as usernames, passwords, data, or social security numbers.36 Id. More sophisticated methods may involve directing users to a link which installs malware directly onto a computer, subverting traditional firewall protections.37 Id.

Highly sophisticated methods of phishing—“spear phishing”— target specific users or businesses to gain high-level access to their company’s particular networks.38 Id. Spear phishing often targets specific individuals and relies on the appearance of legitimacy to carry out attacks. These attacks often involve “spoofing” an email to make it appear as if it comes from a trusted colleague and are usually presented in a manner that an average user will believe is legitimate.39 Mark Lanterman, How to Identify and Avoid CEO Spoofing, Spear Phishing, and Social Engineering Attacks, LAWYERIST (Oct. 11, 2016), https://lawyerist.com/identify-avoid-ceo-spoofing-spear-phishing-social-engineering-attacks/ [https://perma.cc/ARY4-XBTV]. Following this mold, sophisticated hackers have successfully posed as CEOs using convincing emails to entice lower-level employees to respond with sensitive information.40 See Brad Rhen, Falling for an Email Scam Could Prove Costly, READING EAGLE (Mar. 21, 2017), http://www.readingeagle.com/business-weekly/article/falling-for-an-email-scam-could-prove-costly [https://perma.cc/69R5-8UZV]; Ted Haller, ‘CEO Spoofing’ Costs Drug Company $50 Million, FOX 9 (Feb. 19, 2016), http://www.fox9.com/news/ceo-spoofing-costs-drug-company-50-million [https://perma.cc/8SJH-8V8X].

Regardless of the means hackers use to penetrate the defenses of a computer or network to gain illicit access, vulnerabilities will continue to persist so long as software can be exploited and humans can be misled. Nevertheless, systematic prevention methods are important as a first line of defense.

METHODS OF DEFENSE 

The information security (IS) industry revolves around developing software to protect networks from attacks and managing the risk of future harmful developments.41 Kevin Broughton, Realizing an Information Security Risk Management Framework, SWIMLANE (Aug. 23, 2017), https://swimlane.com/information-security-risk-management-framework/ [https://perma.cc/XJE9-8UCF]. There is no one-size-fits-all solution that protects every computer, and future vulnerabilities are inevitable.42 See id. IS teams use every method suitable to their businesses, but many companies cannot afford to implement every defensive method available and create tailored protection for their own devices. Careful planning is necessary to maximize the effectiveness of a business’ defense.

Preventative Methods

Methods that prevent access are some of the most effective ways to secure networks. Modern computer firewalls provide relatively reliable sources of protection from outside traffic that may be dangerous to a computer system. Modern computers have firewalls that prevent outside sources from establishing direct connections with a computer without express permissions and are one of the most important security tools available.43 Chris Hoffman, What Does a Firewall Actually Do?, HOW–TO GEEK (Sep. 21, 2016), https://www.howtogeek.com/144269/htg-explains-what-firewalls-actually-do/ [https://perma.cc/6QMR-B8Q4]. By blocking unwanted access to a computer, firewalls ensure that hackers have a more difficult time penetrating a system’s defenses.

The shortcomings of a firewall are apparent, though, when hackers disguise unwanted access using phishing attempts or by distributing malware via otherwise trusted websites. For example, in 2013, NBC was the victim of an attack that resulted in the NBC homepage—a page most viewers had harmlessly accessed before—running malicious JavaScript and surreptitiously installing malware in user’s browsers.44 Paul Ducklin, NBC Website Hacked and Distributes Malware—Here’s What Happened, NAKED SECURITY (Feb. 22, 2013), https://nakedsecurity.sophos.com/2013/02/22/nbc-website-hacked-and-distributes-malware/ [https://perma.cc/BC2H-QRG2].

The incident at NBC also demonstrates shortcomings in another popular security tool: blacklisting. Blacklisting compiles a comprehensive list of malicious websites that users will be unable to access due to security risks present on the sites themselves. This task is effectively impossible when new websites are created by the minute, and even a trusted website may be safe one day and malicious the next.

Whitelisting—creating lists of trusted, rather than malicious, sites45 Drew Robb, Whitelisting: Why and How It Works, ESECURITY PLANET (Sept. 24, 2014), https://www.esecurityplanet.com/malware/whitelisting-why-and-how-it-works.html [https://perma.cc/H22X-KT7P].—may be more effective at keeping out unwanted intruders, but may also be operationally impossible for companies with thousands of computers requiring access to a variety of websites and applications.46 See id. An alternative to compiling a personal whitelist may be to trust a security firm to generate a comprehensive whitelist, but this moves the security concern upstream and away from the computer’s owner. There can also be larger detrimental impacts if a security firm itself is hacked. For example, in 2013, Bit9’s—a whitelisting security firm—was compromised by malware within its own network.47 Brian Krebs, Security Firm Bit9 Hacked, Used to Spread Malware, KREBS ON SECURITY (Feb. 8, 2013), https://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/ [https://perma.cc/P5D5-QH9Z]. The intrusion resulted in malicious applications being granted access to Bit9’s clients, creating significant risks for users that relied upon its security services.48 Id.

Although it may seem regressive in the modern era of the “Internet of Things,” where increasingly every device is connected and communicating, one of the most effective protections is disconnecting sensitive computers from the Internet.49 See Bob Stasio, Should We Disconnect to Improve IoT Security?, SECURITY INTELLIGENCE (June 26, 2017), https://securityintelligence.com/should-we-disconnect-to-improve-iot-security/ [https://perma.cc/3QVT-7M64]. With no Internet access, this method effectively removes the risk of phishing attempts via email and the risk of software vulnerabilities being exploited via the Internet. However, with many protective patches distributed via the Internet, systems wholly disconnected—“air-gapped”—may be particularly susceptible to long-standing and well-known vulnerabilities.50 See Sean Illing, A Cybersecurity Expert on Why You Should Be Very Worried about the Internet’s Future, VOX (Aug. 7, 2017), https://www.vox.com/2017/7/26/15981824/internet-cybersecurity-net-neutrality-klimburg-the-darkening-web [https://perma.cc/LG52-4HW2]. The Stuxnet virus was delivered to an air-gapped Iranian facility on a USB thumb to a computer disconnected from the Internet.51 Daniel Terdiman, Stuxnet Delivered to Iranian Nuclear Plant on Thumb Drive, CNET (Apr. 12, 2012), https://www.cnet.com/news/stuxnet-delivered-to-iranian-nuclear-plant-on-thumb-drive/ [https://perma.cc/5WMS-YPR9]; Holloway, supra note 31. Designing an infrastructure for protection must balance the necessity of Internet access with maintaining adequate protection for computer devices.

Scanning Services

Anti-virus (AV) services protect computer networks by scanning devices for known malicious applications and those that have distinct signatures similar to existing malware.52 Michael Thornton, You Can’t Depend on Antivirus Software Anymore, SLATE (Feb. 16, 2017), http://www.slate.com/articles/technology/future_tense/2017/02/why_you_can_t_depend_on_antivirus_software_anymore.html [https://perma.cc/3RF6-FNZ6]. While still an important component in a protection service, AV software is unable to protect users from the unknown.53 Id. Sophisticated hackers can utilize their knowledge of existing and prominent AV providers to test their malware before distribution to ensure it will not be caught by existing filters.54 Id. When the New York Times was targeted by Chinese hackers in 2013, its AV provider, was unable to fend off the intrusion due to the customized malware designed to defeat its services.55 Cadie Thompson, Symantec to NYT: Chinese Hack Not Our Fault, CNBC (Feb. 1, 2013), https://www.cnbc.com/id/100427464 [https://perma.cc/9QXD-HAVY]. Although many users view AV as their shield for protection on the Internet, it has never been and can never be a permanent security solution in its current form.

Maintaining Response Protocol

Many companies inevitably realize their current protections will be inadequate against future waves of hackers. The largest data breach in history was disclosed in 2016 when Yahoo! admitted that all 3 billion of its accounts were compromised.56 Lisa Baergen, Yahoo! Data Breach Affected 3 Billion Users, Info. Security Buzz (Nov. 18, 2017), http://www.informationsecuritybuzz.com/expert-comments/yahoo-data-breach-affected-3-billion-users/ [https://perma.cc/5EJ9-ETHS]. Then, in 2017, Equifax disclosed a breach that impacted the credit information of 143 million Americans.57 Gressin, supra note 14. When large, sophisticated software businesses and security firms can be breached, effective response protocols are necessary to minimize and contain the effects of unwanted access.

Communication is key to ensure the safety of computer networks everywhere. AV services rely upon maintaining effective lists of malicious applications and must be informed when new malware is discovered in order to protect existing customers.58 John Stone, Detecting and Recovering From a Virus Incident, SANS Inst. (2002), https://www.sans.org/reading-room/whitepapers/malicious/detecting-recovering-virus-incident-903 [https://perma.cc/6WLZ-Z4KT]. Many malware exploits take advantage of zero-day software vulnerabilities, and developers must know when a breach has occurred to determine an effective patch. Communication to end users is equally important because many are not as sophisticated and are unlikely to know when they should disable a vulnerable application plugin or update their software.

The U.S. government is equally limited in its ability to prevent cyberattacks and create regulatory solutions to existing problems. Many actions of cyber criminals are already illegal, and detection is a limiting factor in prevention. The government is often limited to disclosing only suspected perpetrators. Furthermore, its responses are often limited to patching and resolving existing vulnerabilities. While regulations require public companies with sensitive information—such as banks—to comply with certain minimum security standards, constantly evolving attacks show that mere compliance is not enough.59 Rocco Grillo & Stroz Friedberg, Regulatory Compliance Does Not Equal Cybersecurity, Clearing House (2017), https://www.theclearinghouse.org/research/banking‑perspectives/2017/2017-q2-banking-perspectives/regulatory-compliance-does-not-equal-cybersecurity [https://perma.cc/ML68-HJXV]. Cybersecurity is a growing and complicated field that will take both technological and political forces to influence change and protect computer systems from malicious attacks in the future.