Senior Vice President for Cyber, Space, and National Security Policy, U.S. Chamber of Commerce
October 12, 2022
Cyberattacks can be catastrophic for businesses and individuals, crippling essential services and causing breaches of confidential business and personal information. In 2021, Americans were hit by an unprecedented rise in cybercrime, with nearly 850,000 reports to the FBI and combined losses nearing $7 billion. Cybercrime can steal valuable and sensitive data such as medical records, disrupt telecommunications and computer networks, and paralyze entire operating systems, making business and personal data unavailable.
Christopher Roberti, senior vice president for cyber, space, and national security policy at the U.S. Chamber of Commerce, has been talking to senior administration officials, law enforcement, business leaders, and news stations across the country about the cyber threat, risk management, and cyber resilience during National Cybersecurity Awareness Month. Read on for his insights on top cybersecurity questions.
What do businesses need to know about current cyber security threats?
Today, thousands of businesses will be successfully attacked by criminal gangs using ransomware, which is a malicious malware blocking access to a computer system until some form of ransom is paid to the attacker. Attackers can include individuals, criminal gangs, or hostile nation-states. The average downtime due to a ransomware attack is 21 days and, on average, it takes a business over 280 days to fully recover from this kind of attack. Businesses are outnumbered and law enforcement doesn’t have the resources to keep up.
The first step is acknowledging the reality of the situation. No entity—large or small, government or private sector—is immune to this threat. No company stands a serious chance facing an attack from a sophisticated nation-state actor, regardless of the resources it may devote to cybersecurity. Nor can the government fight these actors alone. It is often private sector networks that are attacked, and the private sector provides the innovation necessary to detect and defeat attacks.
It is time for the U.S. Government to act decisively against these criminal cyber attackers and stop them from operating with impunity. The U.S. and allied governments must work together with the private sector to confront these challenges head-on and create a credible deterrent to malicious cyber activity.
What are the most persistent cyber threats for businesses and individuals?
Two of the most common cyber threats are ransomware and business email compromise (BEC). Both usually leverage social engineering to gain access into victim’s networks. Ransomware is still the best-publicized cyber threat facing public institutions, but in monetary terms, fraud enabled by BEC has proven more costly (if less dramatic and disruptive). In 2021, the FBI’s Internet Crime Complaint Center (IC3) received 19,954 complaints relating to BEC, with losses from these incidents totaling $2.4 billion.
Cyberattacks and ransomware attacks have disrupted public school systems, police departments, hospital systems and local governments around the country. Researchers have observed 34 successful cyberattacks on local governments in particular this year and since September 13 alone, at least seven state and local governments have reported cyberattacks. America’s second-largest nonprofit hospital chain recently announced that it is confronting an incident impacting facilities across the country, forcing ambulance diversions, system shutdowns, and rescheduled medical procedures.
Victims of ransomware attacks, BEC attacks, or traditional cyber intrusions (e.g., those designed to steal intellectual property or trade secrets, conduct espionage, or engage in disruptive or destructive activities) all can have debilitating effects on victim companies in terms of direct financial losses, brand damage, loss of customer confidence and, in some cases, physical harm. Despite all the bad news and threats, there are steps that all companies – large and small – can take to make themselves harder targets and prepare for an incident, should it occur.
How can businesses and individuals best defend themselves against cyber threats?
Here are some steps companies (and individuals) can take to harden their defenses and improve their chances for a full recovery if faced with a cyber or ransomware attack:
- Enable multifactor authentication organization-wide. Strong passwords are still a must, but multifactor authentication means that a password alone will not allow access to a network.
- Deploy endpoint protection, including antivirus, antimalware, or email filtering software to protect the network edge from known malicious activity.
- Regularly update and patch network software in keeping with the latest manufacturer supported versions.
- Educate employees about clicking on links in emails and text messages. Employees should be trained to be alert to suspicious activity and should have a clear reporting process about what to do when they receive what they believe could be a malicious link.
- Empower IT teams to make decisions quickly to protect networks. Teams should maintain secure offline backups that are not tied to primary systems. IT teams must also maintain an active inventory of company IT assets and related security configurations.
- Companies should establish relationships with local law enforcement agencies, the Cybersecurity and Infrastructure Security Agency (CISA), the Secret Service, the FBI, and others. The U.S. Chamber can help member companies build these critical relationships.
- Businesses should constantly be thinking about how they can move their systems and networks to "zero-trust architecture." This generally means granting access to corporate networks on a per-session basis and granting gradual levels of access based on a user's position and “need to know.”
What is being done at a local and national level?
There are two key activities at the local level I want to highlight.
First, Congress passed legislation to authorize $1 billion in cyber grants for applicable state and local cybersecurity enhancements. These grants, which will be available over the next five years, will facilitate meaningful IT modernization investments in local government infrastructure and beyond that, will greatly improve state cyber policy.
Second, this fall, the Cybersecurity and Infrastructure Security Agency is hosting listening sessions with the business and critical infrastructure community across the country. CISA wants to hear from businesses large and small on steps the public and private sectors need to embrace to close the visibility gap in cyber incidents and ransomware attacks.
What resources are available to learn more and to protect yourself?
CISA’s theme for this month is “see yourself in cyber.” The message to individuals and businesses is to take action to protect yourself online. This includes updating your software (to the most updated manufacturer supported versions), thinking before you click, using strong passwords or a password manager, and enabling multifactor authentication. According to CISA, implementing these four actions will significantly reduce cyber risk.
For more information visit the U.S. Chamber of Commerce website: uschamber.com/security.