Note to Government: Mandate Cybersecurity, Then Get Out of the Way
The digital economy stands on uncertain ground.
From Target to Adobe, cybercriminals have infiltrated the networks of some of the largest businesses in the United States, turning 2013 into a record-setting year for data breaches. Companies lost more than 800 million records in nearly 2,200 incidents, doubling the loss of the previous highest year, 2011, according to an analysis of the data by Risk Based Security.
We can no longer afford to not take action. While the Internet has brought us immeasurable benefits, it has also increased the risks that individuals, businesses, and the government face on a daily basis. We can easily communicate with people in other countries and conduct business globally, but such digital proximity means that criminals and industrial spies are only a click away.
Each industry must develop best practices to defend their networks, data, and businesses, but the collective industry has little hope of defending against the variety of online attackers they face without help from the government. While the companies who are targeted by cybercriminals are also an easy target for blame, the government needs to start taking a hand, by assuming a firmer role in setting clear cybersecurity standards, imposing transparency, defining reputation and trust, and helping to secure critical infrastructure. In short, it needs to foster the development of a true secure business ecosystem.
Corporations, meanwhile, must be allowed to come up with solutions that make business sense in their own markets. But they have no choice but to get serious about cybersecurity—for example, by appointing top executives to come up with specific strategies for meeting the new standards.
The government needs to step up to help make it clear that cybersecurity is an economic imperative that companies must address on their own, but still offer help when the adversary is likely another nation. Creating public policy to support a cybersecurity ecosystem should be a priority—but it needs to be done in the right way.
The past three administrations and Congress have been slow to take action. Starting with the Clinton administration and through the administration of President Bush, the government has typically espoused the concept of a public-private partnership. While such cooperation is necessary, it is not sufficient to build a secure ecosystem that will allow businesses to flourish. Companies need the opportunity and impetus to secure their own businesses.
The latest administration, which has presided during some of the most egregious breaches, has finally created momentum behind the concept of doing more for cybersecurity. In January, the House Committee on Homeland Security marked up the National Cybersecurity and Critical Infrastructure Protection Act of 2014 (H.R. 3696), which would create information sharing programs and allow cybersecurity firms to obtain liability protections. The National Institute of Standards and Technology—in compliance with Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” issued by President Obama on Feb. 12, 2013—is currently leading a policy initiative to create a cybersecurity framework.
Yet, the current initiatives fall short of what is needed and may be too inflexible to deal with the fast-changing environment on the Internet.
Like France’s Maginot Line, which proved useless against Germany in 1940, static defenses erected against hackers—the firewalls, antivirus programs, and patching of vulnerable systems—do little but complicate their plans for attack. Using social engineering, attackers can quickly create a beachhead inside a network for extending a compromise deeper into the business’s systems.
Any policy created to deal with online threats also needs to be flexible. We should recognize that policy is always behind the times and that trying to regulate cybersecurity from the top down will always leave us lagging behind the attackers. In addition, while many of the strategies are similar, different companies need to put their own spin on their security plan. What Wells Fargo needs to do for cybersecurity may be different, in some respects, from what a public utility like PG&E may find necessary. Rigid specifications are out of date before the ink is dry, and when data moves at the speed of light, time is not our friend.
A Blueprint for a Cybersecurity Ecosystem
While public-private partnerships have been so often talked about as to become a cliché, cooperation is needed. Yet, any policy that calls for a public-private partnership also needs to spur the various stakeholders to take action. The creation of the information sharing and analysis centers (ISACs) is a prime example: Without incentives some ISACs, such as healthcare, have foundered, while others, such as financial services, have received broad support.
The Internet Security Alliance has recognized this fundamental truth in their efforts to promote the cybersecurity framework. In a statement on the development of the NIST framework, ISA CEO Larry Clinton said: “We have that rarest of all phenomena in Washington DC—we have consensus on a solution—we now need the political courage to turn that political consensus into practical reality. The framework is the engine to promote greater cybersecurity, the incentives are the fuel that will power that engine.”
For those that collaborate in securing our digital frontier, incentives may include low-cost cyber insurance if certain standards of performance are met.
Yet, incentives without coordination and collaboration are not enough. While government regulation is not the way forward, having an ad-hoc plan where each organization develops its own strategy is a recipe for disaster. In order to move forward, the United States needs a cybersecurity ecosystem. Companies, government agencies and citizens are not individual islands in the net—to borrow from noted author Bruce Sterling—but interconnected organisms that rely on other members of the community to defend themselves and the network as a whole.
Because the Internet was not initially built to be secure, today, we have to bolt on security, but in a way that makes market sense for companies. A good start is to hold organizations responsible for security without specifically prescribing how to secure their systems. Rather than mandate certain technologies—such as antivirus software—government policy should obligate companies to maintain a certain level of security and guide them with best practices.
Generally Accepted Accounting Principles (GAAP) may provide an example that could be followed for cybersecurity. GAAP establishes a set of rules and guiding principles for financial accountability and transparency but leaves many of the implementation details to each corporation, based on the nature of their business. Companies are required to publish their assessments, providing an element of transparency. By holding organizations responsible for security without telling them how to secure their systems, we allow them to build a flexible cybersecurity ecosystem.
While a scattershot collection of rules is in place today, it is not working. The Securities and Exchange Commission has released guidance requiring that companies disclose breaches. But companies have, in many cases, only paid lip service to the rules. In a 2012 survey of financial filings, Reuters found that at least a half dozen companies had not disclosed known breaches. A comprehensive survey of the Fortune 1000 by insurance broker Willis found that 17 percent of companies offered no opinion on their cybersecurity risk in their SEC filings, and only 1 percent of Fortune 1000 firms mentioned specific incidents.
Focus on Risk, Not Technologies
Companies should start by prioritizing the mitigation of cyber risk. Many companies are creating the role of the Chief Risk Officer—reporting to the CEO and the board—who looks at cyber risk not just in terms of IT but more broadly in terms of corporate assets, intellectual property, and customer information and how these assets are managed and protected. Creating cross-disciplinary teams that distribute the responsibility for security among various stakeholders inside a company can help CROs and the firm’s chief information security officer succeed.
To enforce corporate disclosure, finding ways to externally evaluate and then rank companies’ security posture would be a start. If companies could measure the likely cybersecurity risk posed by their partners, in the same ways that banks look to a credit score, then businesses could limit their exposure. Moreover, such trusted ratings could give companies the ability to audit and check the certification of their suppliers. What goes into the measure of trust would be for the market to decide. Such a system would also help companies understand their suppliers’ security posture.
Some companies, such as BitSight, are already trying to develop a way to measure an organization’s security posture by detecting changes in external indicators. The government could help by standardizing what constitutes risk and what measures are considered due diligence for security.
The enumeration of trust levels could also benefit the nascent cyber insurance industry, which has failed to take off because risk, damages, and policy coverage are all poorly defined in the cyber realm. Insurance has helped many industries develop better safety standards and precautions. With government support against cyber disasters, insurance companies could create standard guidelines for companies on how to secure their businesses.
There should be a particular focus on securing critical public infrastructure, such as water utilities or electric generation and distribution companies, as these players affect every aspect of our economy and our daily lives. We depend upon them to function, and leaving them open to asymmetric actors in an unstable region of the globe is a real danger.
Unfortunately, these legacy systems are often old and not well understood. Further, their organizations lack the expertise and resources to improve their cybersecurity. A government fund, similar to the Works Progress Administration (WPA), could spur the effort needed to secure this infrastructure. A more privatized approach may be possible as well—the functional equivalent of the Export-Import Bank for financing to support the systematic upgrade of our critical infrastructure.
Information sharing is also essential. Defenders tend to be at a disadvantage in cyberspace because attackers share information, but defenders, for a variety of legal and business reasons, do not. President Obama’s Executive Order 13636 has already directed agencies to share information with the private sector, but their historical track record in this regard has been poor. Our only chance of success in securing our digital economy is through a shared defense. In addition, we still need a common framework in which to share information.
Finally, focusing on the future, the U.S. needs to establish a better program to train the next generation of cybersecurity architects and workers. While U.S. colleges are already establishing programs to graduate security professionals, we should also use the government’s expertise in this area. Despite its sullied reputation from the Snowden leaks, the NSA remains our top resource for cybersecurity in the world. The NSA and other government experts need to be able to share their expertise with industry.
For our economy, our way of life, and the freedoms we hold dear, the stakes could not be much higher. Unless the United States adopts a comprehensive, integrated, and serious approach to cyber security, the bad guys will win. The evidence to date is clear—they are already way ahead of the good guys.