From Target to Adobe, cyber-criminals have infiltrated the networks of some of the largest businesses in the US, turning 2013 into a record year for data breaches.
Companies lost more than 800 million records in nearly 2,200 incidents, doubling the loss of the previous highest year, 2011, according to analysis by Risk Based Security.
We can no longer afford not to take action. While the internet has brought us immeasurable benefits, it has also increased the risks that individuals, businesses and governments face on a daily basis. We can easily communicate with people in other countries and conduct business globally, but such digital proximity means criminals and industrial spies are only a click away.
Each industry must develop best practices to defend its networks, data and businesses, but industry as a whole has little hope of defending against the variety of online attackers without help from the government. While the companies targeted by cyber-criminals are an easy target for blame, the government needs to take a hand by assuming a firmer role in setting clear cyber-security standards, imposing transparency, defining reputation and trust, and helping to secure critical infrastructure. In short, it needs to foster the development of a true secure business ecosystem.
Corporations, meanwhile, must be allowed to come up with solutions that make business sense in their own markets. But they have no choice but to get serious about cyber-security – for example, by appointing top executives to come up with specific strategies for meeting the new standards.
The government needs to step up to help make it clear that cyber-security is an economic imperative that companies must address on their own, but still offer help when the adversary is likely to be another nation. Creating public policy to support a cyber-security ecosystem should be a priority, but it needs to be done in the right way.
The past three US administrations and the US Congress have been slow to take action. Starting with the Clinton administration and through the Bush administration, the government has typically espoused the concept of a public-private partnership. While such co-operation is necessary, it is not sufficient to build a secure ecosystem that will allow businesses to flourish. Companies need the opportunity and impetus to secure their own businesses.
The latest administration, which has presided during some of the most egregious breaches, has finally created momentum behind the concept of doing more for cyber-security. In January, the House Committee on Homeland Security marked up the National Cyber-security and Critical Infrastructure Protection Act of 2014, which would create information sharing programmes and allow cyber-security firms to obtain liability protections. The National Institute of Standards and Technology (NIST), in compliance with an executive order – Improving Critical Infrastructure Cyber-security, issued by President Obama in February last year – is currently leading a policy initiative to create a cyber-security framework.
Yet the current initiatives fall short of what is needed and may be too inflexible to deal with the fast-changing environment on the internet.
Like France’s Maginot Line, which proved useless against Germany in 1940, static defences erected against hackers – firewalls, antivirus programs and patching of vulnerable systems – do little but complicate their plans for attack. Using social engineering, attackers can quickly create a beachhead inside a network for extending a compromise deeper into the business’s systems.
Any policy created to deal with online threats also needs to be flexible. We should recognise that policy is always behind the times and that trying to regulate cyber-security from the top down will always leave us lagging behind the attackers. In addition, while many of the strategies are similar, different companies need to put their own spin on their security plan. What Wells Fargo needs to do for cyber-security may be different, in some respects, from what a public utility like PG&E may find necessary. Rigid specifications are out of date before the ink is dry, and when data moves at the speed of light, time is not our friend.
Blueprint for a cyber-security ecosystem
While public-private partnerships have been talked about so often as to become a cliché, co-operation is needed. Yet any policy that calls for a public-private partnership also needs to spur the various stakeholders to take action. The creation of the information sharing and analysis centres (ISACs) is a prime example: without incentives, some ISACs, such as healthcare, have foundered, while others, such as financial services, have received broad support.
The Internet Security Alliance (ISA) has recognised this fundamental truth in their efforts to promote the cyber-security framework. In a statement on the development of the NIST framework, ISA CEO Larry Clinton said: “We have that rarest of all phenomena in Washington DC – we have consensus on a solution. We now need the political courage to turn that political consensus into practical reality. The framework is the engine to promote greater cyber-security. The incentives are the fuel that will power that engine.”
For those that collaborate in securing our digital frontier, incentives may include low-cost cyber-insurance if certain standards of performance are met.
Yet, incentives without co-ordination and collaboration are not enough. While government regulation is not the way forward, having an ad hoc plan in which each organisation develops its own strategy is a recipe for disaster. In order to move forward, the US needs a cyber-security ecosystem. Companies, government agencies and citizens are not individual islands in the net – to borrow from author Bruce Sterling – but interconnected organisms that rely on other members of the community to defend themselves and the network as a whole.
Because the internet was not initially built to be secure, we now have to bolt on security, but in a way that makes market sense for companies. A good start is to hold organisations responsible for security without specifically prescribing how to secure their systems. Rather than mandate certain technologies – such as antivirus software – government policy should obligate companies to maintain a certain level of security and guide them with best practices.
Generally Accepted Accounting Principles (GAAP) may provide an example that could be followed for cyber-security. GAAP establishes a set of rules and guiding principles for financial accountability and transparency but leaves many of the implementation details to each corporation, based on the nature of its business. Companies are required to publish their assessments, providing an element of transparency. By holding organisations responsible for security without telling them how to secure their systems, we allow them to build a flexible cyber-security ecosystem.
While a scattershot collection of rules is in place today, it is not working. US financial regulator the Securities and Exchange Commission (SEC) has released guidance requiring that companies disclose breaches. But companies have, in many cases, only paid lip service to the rules. In a 2012 survey of financial filings, Reuters found that at least half a dozen companies had not disclosed known breaches. A comprehensive survey of the Fortune 1000 by insurance broker Willis found that 17% of companies offered no opinion on their cyber-security risk in their SEC filings, and only 1% mentioned specific incidents.
Focus on risk, not technologies
Companies should start by prioritising the mitigation of cyber-risk. Many companies are creating the role of the chief risk officer (CRO) – reporting to the CEO and the board – who looks at cyber-risk not just in terms of IT but more broadly in terms of corporate assets, intellectual property and customer information and how these assets are managed and protected. Creating cross-disciplinary teams that distribute the responsibility for security among various stakeholders inside a company can help CROs and the firm’s chief information security officer succeed.
To enforce corporate disclosure, a start would be to find ways to evaluate, and then rank, companies’ security posture externally. If companies could measure the likely cyber-security risk posed by their partners, in the same way that banks look to a credit score, then businesses could limit their exposure. Such trusted ratings would also give companies the ability to audit their suppliers, check their certifications and understand their security posture. What goes into the measure of trust would be for the market to decide.
Some companies, such as BitSight, are already trying to develop a way to measure an organisation’s security posture by detecting changes in external indicators. The government could help by standardising what constitutes risk and what measures are considered due diligence for security.
The enumeration of trust levels could also benefit the nascent cyber-insurance industry, which has failed to take off because risk, damages and policy coverage are all poorly defined in the cyber-realm. Insurance has helped many industries develop better safety standards and precautions. With government support against cyber-disasters, insurance companies could create standard guidelines for companies on how to secure their businesses.
There should be a particular focus on securing critical public infrastructure, such as water utilities or electric generation and distribution companies, as these players affect every aspect of our economy and our daily lives. We depend on them to function, and leaving them open to asymmetric actors in an unstable region of the globe is a real danger.
Unfortunately, these legacy systems are often old and not well understood. Further, their organisations lack the expertise and resources to improve their cyber-security. A government fund, similar to the Works Progress Administration, could spur the effort needed to secure this infrastructure. A more privatised approach may be possible as well – the functional equivalent of the Export-Import Bank for financing to support the systematic upgrade of our critical infrastructure.
Information sharing is also essential. Defenders tend to be at a disadvantage in cyber-space because attackers share information, but defenders, for a variety of legal and business reasons, do not. President Obama’s executive order has already directed agencies to share information with the private sector, but their historical track record in this regard has been poor.
Our only chance of success in securing our digital economy is through a shared defence. In addition, we still need a common framework in which to share information.
Finally, focusing on the future, the US needs to establish a better programme to train the next generation of cyber-security architects and workers. While US colleges are already establishing programmes to graduate security professionals, we should also use the government’s expertise in this area. Despite its sullied reputation from the Snowden leaks, the National Security Agency (NSA) remains our top resource for cyber-security in the world. The NSA and other government experts need to be able to share their expertise with industry.
For our economy, our way of life, and the freedoms we hold dear, the stakes could not be much higher. Unless the US adopts a comprehensive, integrated and serious approach to cyber-security, the bad guys will win. The evidence to date is clear – they are already way ahead of the good guys.
Ackerman is speaking on Bitcoin and cyber-security at this month’s Global Corporate Venturing Symposium. This article first appeared on Xconomy.