Editor’s note: This article first appeared in the December issue of CSO Outlook.
Today we face a new global security situation, one in which the United States is facing near-peer adversaries like Russia and China while having to handle militant groups like the Islamic State.
It is a situation where we face multiple, simultaneous security challenges from both traditional state actors and networks of non-state actors—all of which are taking advantage of rapid technological changes.
A few years ago cyber attacks against the government and corporations were on the margins of news stories, but now it seems like we hear of a new hack every day. Following the high-profile data breaches at Target, Sony, Anthem, OPM, and others, people realize that these types of attacks are no joke, and they aren’t going away anytime soon.
Even more frightening, these high-profile hacks represent just a small portion of the criminal activity that is taking place.
Since its founding the World Wide Web has touched the lives of billions of people around the world and has fundamentally changed how we connect with others, discover and share news and ideas, and entertain ourselves. In short, the Internet has become an integral part of our everyday lives. Because of this, our personal data—from credit card information to Social Security numbers—can end up anywhere.
This wealth of data and information has not gone unnoticed by those who exploit security weaknesses for profit.
Unfortunately, the severity of these cyber threats will continue to intensify as the bad guys evolve and sharpen their skills and techniques. We know there is no perfectly secure network. In fact, no single strategy can prevent advanced and persistent threats from breaching an organization’s cyber defenses.
On February 12, 2014, the White House released the first version of the ‘Framework for Improving Critical Infrastructure Cybersecurity,’ capably developed by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) in close collaboration with the private sector.
Throughout the process of developing the framework, NIST treated the business community as a genuine partner and tackled a tough assignment in ways that should serve as a model for other agencies and departments.
The framework is largely a process—it’s designed to help organizations start a cybersecurity program or improve an existing one, and it features a number of industry-vetted actions that businesses can take to assess and strengthen their state of security over time.
Notably, the framework is not meant to be regulatory, which would add an extra burden and be troublesome to industry. Instead, it provides organizations—including their customers, partners, and suppliers—with common language for understanding their current cybersecurity posture, setting goals for cybersecurity improvements, monitoring progress toward their goals, and fostering communication with their internal and external stakeholders.
Using the framework is tantamount to improving one’s cyber fitness, and there’s a rough consensus among cybersecurity experts that a high percentage of unsophisticated or untargeted malicious activity can be stopped by implementing elements of the framework.
The framework, however, would be incomplete without enacting information-sharing legislation that removes legal and regulatory penalties for quickly exchanging data about threats to U.S. companies. Recent cyber incidents underscore the need for legislation to help businesses improve their awareness of cyber threats and enhance their protection and response capabilities.
Congress needs to send a bill to the president that gives businesses legal certainty that they have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and countermeasures in real time and taking actions to mitigate cyberattacks. Legislation needs to safeguard privacy and civil liberties and establish appropriate roles for civilian agencies.
In April, the House of Representatives passed two cybersecurity information-sharing bills with robust majorities from both parties and broad industry support.
We need the Senate to build on the momentum generated in the House to move its cybersecurity bill, which cleared the Senate Intelligence Committee in March on a strong bipartisan vote. We don’t need another major cyber attack to tell us that congressional action cannot come quickly enough.
Many cybersecurity experts say that there are two types of businesses—those that have been hacked and know it, and those that have been hacked and don’t know it yet.
So whether your business is large or small, the keys to good security are the same: fostering employee awareness, having internal security policies, and utilizing technologies to help make sense of what is happening on your business’s networks.
Fast and efficient responses can lead to quick recovery, minimize damage, and help prevent future incidents. Contact local law enforcement authorities if you suspect that a crime has been committed. Similarly, work with law enforcement authorities who contact you because they suspect nefarious activity on your network. It’s important to remember that cyber crime is not somebody else’s problem, and how you prepare for, or respond to, an attack can define the future of your company.
Cyber attacks aimed at U.S. businesses and government entities are being launched by sophisticated hackers, organized crime, and state-sponsored groups with impunity—and that has got to stop. Even more frightening, these attacks are advancing in scope and complexity.
American companies should not be expected to shoulder the substantial costs of cyber attacks emanating from well-resourced bad actors—costs typically absorbed by national governments.
The United States needs to coherently shift the costs associated with cyber attacks in ways that are legal, swift, and proportionate relative to the risks and threats.
While no single strategy can prevent the most persistent bad actors, implementing the NIST cybersecurity framework, participating in an information-sharing organization, and developing your organization’s cyber incident response plan are sensible risk management practices worthy of further review by any organization, large or small.