Note to Government: Mandate Cybersecurity, Then Get Out of the Way
The digital economy stands on uncertain ground.
From Target to Adobe, cybercriminals have infiltrated the networks of some of the largest businesses in the United States, turning 2013 into a record-setting year for data breaches. Companies lost more than 800 million records in nearly 2,200 incidents, doubling the loss of the previous highest year, 2011, according to an analysis of the data by Risk Based Security.
We can no longer afford to not take action. While the Internet has brought us immeasurable benefits, it has also increased the risks that individuals, businesses, and the government face on a daily basis. We can easily communicate with people in other countries and conduct business globally, but such digital proximity means that criminals and industrial spies are only a click away.
Each industry must develop best practices to defend their networks, data, and businesses, but the collective industry has little hope of defending against the variety of online attackers they face without help from the government. While the companies who are targeted by cybercriminals are also an easy target for blame, the government needs to start taking a hand, by assuming a firmer role in setting clear cybersecurity standards, imposing transparency, defining reputation and trust, and helping to secure critical infrastructure. In short, it needs to foster the development of a true secure business ecosystem.
Corporations, meanwhile, must be allowed to come up with solutions that make business sense in their own markets. But they have no choice but to get serious about cybersecurity—for example, by appointing top executives to come up with specific strategies for meeting the new standards.
The government needs to step up to help make it clear that cybersecurity is an economic imperative that companies must address on their own, but still offer help when the adversary is likely another nation. Creating public policy to support a cybersecurity ecosystem should be priority—but it needs to be done in the right way.
The past three administrations and Congress have been slow to take action. Starting with the Clinton administration and through the administration of President Bush, the government has typically espoused the concept of a public-private partnership. While such cooperation is necessary, it is not sufficient to build a secure ecosystem that will allow businesses to flourish. Companies need the opportunity and impetus to secure their own businesses.
The latest administration, which has presided during some of the most egregious breaches, has finally created momentum behind the concept of doing more for cybersecurity. In January, the House Committee on Homeland Security marked up the the National Cybersecurity and Critical Infrastructure Protection Act of 2014 (H.R. 3696), which would create information sharing programs and allow cybersecurity firms to obtain liability protections. The National Institute of Standards and Technology—in compliance with Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” issued by President Obama on Feb. 12, 2013—is currently leading a policy initiative to create a cybersecurity framework.
Yet, the current initiatives fall short of what is needed and may be too inflexible to deal with the fast-changing environment on the Internet.
Like France’s Maginot Line, which proved useless against Germany in 1940, static defenses erected against hackers—the firewalls, antivirus programs, and patching of vulnerable systems—do little but complicate their plans for attack. Using social engineering, attackers can quickly create a beachhead inside a network for extending a compromise deeper into the business’s systems.
Any policy created to deal with online threats also needs to be flexible. We should recognize that policy is always behind the times and that trying to regulate cybersecurity from the top down will always leave us lagging behind the attackers. In addition, while many of the strategies are similar, different companies need to put their own spin on their security plan. What Wells Fargo needs to do for cybersecurity may be different, in some respects, from what a public utility like PG&E may find necessary. Rigid specifications are out of date before the ink is dry, and when data moves at the speed of light, time is not our friend.
A Blueprint for a Cybersecurity Ecosystem
While public-private partnerships have been so often talked about as to become a cliche, cooperation is needed. Yet, any policy that calls for a public-private partnership also needs to spur the various stakeholders to take action. The creation of the information sharing and analysis centers (ISACs) are a prime example: Without incentives some ISACs, such as healthcare, have foundered, while others, such as financial services, have received broad support.
The Internet Security Alliance has recognized this fundamental truth in their efforts to promote the cybersecurity framework. In a statement on the development of the NIST framework, ISA CEO Larry Clinton said: “We have that rarest of all phenomena in Washington DC—we have consensus on a solution—we now need the political courage to turn that political consensus into practical reality. The framework is the engine to promote greater cybersecurity, the incentives are the fuel that will power that engine.”
For those that collaborate in securing our digital frontier, incentives may include low-cost cyber insurance if certain standards of performance are met.
Yet, incentives without coordination and collaboration are not enough. While government regulation is not the way forward, having an ad-hoc plan where each organization develops its own strategy is a recipe for disaster. In order to move forward, the United States needs a cybersecurity ecosystem. Companies, government agencies and citizens are not individual islands in the net—to borrow from noted author Bruce Sterling—but interconnected organisms that rely on other members of the community to defend themselves and the network as a whole.
Because the Internet was not initially built to be secure, today, we have to bolt on security, but in a way that makes market sense for companies. A good start is to hold organizations responsible for security without specifically prescribing how to secure their systems. Rather than mandate certain technologies—such as antivirus software—government policy should obligate companies to maintain a certain level of security and guide them with best practices.
Generally Accepted Accounting Principles (GAAP) may provide an example that could be followed for cybersecurity. GAAP establishes a set of rules and guiding principles for financial accountability and transparency but … Next Page »