“The good news is we really know how to tackle these problems,” says Glenn Gerstell, general counsel to the National Security Agency through 2020. “We can fix cybersecurity. It can be expensive and difficult, but we know how to do it. This is not a technology issue.”
Another recent major cyberattack proves the point once again: SolarWinds, the Russian hacking campaign against the US government and large corporations, could have been neutralized if the victims had followed well-known cybersecurity standards.
“There is a tendency to overestimate the capabilities of hackers responsible for major cybersecurity incidents, practically to the level of a natural disaster or other so-called acts of God,” Wyden says. “This easily relieves hacked organizations, their leaders, and government agencies of any responsibility. But once the truth is out, the public has repeatedly seen that hackers got their first foothold because organizations often do not apply patches or configure their firewalls correctly.”
The White House is clear that many businesses are not investing enough in cybersecurity on their own and will not do so voluntarily. In the last six months, the administration has enacted new cybersecurity rules for banks, pipelines, rail systems, airlines and airports. Biden signed an executive order last year to shore up federal cybersecurity and impose security standards on any company that sells to the government. Changing the private sector has always been the more challenging and arguably more important task: the vast majority of critical infrastructure and technology systems are privately owned.
Most of the new rules set very basic requirements with a light government touch, but they still drew backlash from companies. Even so, more is clearly on the way.
“There are three main things needed to rectify the ongoing sad state of US cybersecurity,” Wyden says. “Mandatory minimum cybersecurity standards enforced by regulators; mandatory cybersecurity audits conducted by independent auditors who are not selected by the companies they audit, and whose results are communicated to regulators; and high fines, including jail time, for senior executives when failure to practice basic cyber hygiene results in a breach.”
The new mandatory incident reporting regulation, enacted on Tuesday, is seen as the first step. The law requires private companies to quickly share information about the threats they face, information they have typically kept private even though it is precisely what can help build a stronger collective defense.
Previous attempts at such regulation failed, but the latest push for a new reporting law gained momentum thanks to significant support from corporate heavyweights such as Mandiant CEO Kevin Mandia and Microsoft president Brad Smith. This is a sign that private sector leaders now see regulation as both inevitable and beneficial in key areas.
Inglis emphasizes that creating and enforcing new rules will require close cooperation at every step between government and private companies. And there is agreement, even from within the private sector, that change is necessary.
“For a long time, we’ve been working entirely on a voluntary basis,” says Michael Daniel, who leads the Cyber Threat Alliance, a group of tech companies that share cyber threat information to build better collective defense. “It’s not going as fast or as well as we need it to.”
A view across the Atlantic
The White House’s Inglis argues that the US is lagging behind its allies. He points to the UK’s National Cyber Security Centre (NCSC) as a leading government cybersecurity agency that the US should learn from. Ciaran Martin, founding CEO of the NCSC, watches the American approach to cyberspace with puzzled disbelief.
“If a British energy company did to the British government what Colonial did to the US government, we would verbally tear into them at the highest level,” he says. “The prime minister would call the president and say, ‘What the hell do you think you were doing, paying the ransom and shutting down this pipeline without telling us?’ That is what I would want him to say.”
The UK’s cyber regulations put banks through cyber stress tests alongside those for global financial shocks. Martin says Britain is now focusing on stronger regulation of telecoms after a major British telecom was found to be “wholly owned by Russian hackers”; the new security rules, he says, make the security failings behind that compromise illegal.
On the other side of the Atlantic, the situation is different. The Federal Communications Commission, which oversees telecommunications and broadband in the US, saw its regulatory power significantly reduced during the Trump presidency and relies mostly on voluntary cooperation from internet giants.
The UK’s approach of addressing specific industries one at a time, using regulatory powers that already exist rather than a single new all-encompassing law, is similar to how the Biden White House’s cyber strategy would work.
“We have to use the [regulatory] authorities we already have,” says Inglis.
For Wyden, the White House strategy marks a much-needed change.
“Federal regulators across the board were afraid to use the authority they had or to ask Congress for new powers to regulate industry cybersecurity practices,” he says. “It’s no surprise that so many industries have terrible cybersecurity. Their regulators essentially allowed companies to regulate themselves.”
Why is the cybersecurity market failing?
There are three main reasons why the cybersecurity market, worth hundreds of billions of dollars and growing globally, is falling short.
First, Daniel says, companies don’t understand how cybersecurity affects their bottom line. The market fails to measure cybersecurity and, more importantly, often fails to connect it to a company’s profitability, so companies struggle to justify spending the necessary money.
The second reason is confidentiality. Companies have not had to report hacks, so important data about major breaches was kept under lock and key to protect companies from bad press, lawsuits, and lawmakers.
Third, there is the issue of scale. The price paid by the government and society for the Colonial Pipeline attack far exceeded the price the company itself would have paid. Just as with pollution, “costs don’t show up in your profitability as a business,” Spaulding says, so market incentives to fix the problems are weak.
Reform advocates say a stronger government hand could change the equation on all of this, just as reform has done in dozens of industries over the past century.
Gerstell sees the pressure gradually building to do something different from the status quo.
“I have never seen such close consensus and awareness before,” Gerstell says. “It looks and feels different. It’s not yet clear whether it’s enough to really force change. But the temperature is rising.”
Inglis points to the nearly $2 billion in cybersecurity money coming from Biden’s 2021 $1 trillion infrastructure bill as a “once-in-a-generation opportunity” for the government to boost cybersecurity and privacy.
“We need to make sure we don’t overlook the stunning opportunities we have to invest in the flexibility and robustness of digital infrastructure,” Inglis says. “We must ask what are the systematically critical functions on which our society depends? Will market forces take care of this alone? And when that is insufficient, how do we determine what we should do? This is the road before us. It doesn’t have to be a process that takes years. We can do this with a sense of urgency.”