Cybersecurity Today Is Treated Like Accounting Before Enron.
Last week, we learned that researchers had discovered two major flaws in the microprocessors of nearly all the world’s computers. The revelation came on the heels of a distressing series of major hacks: In 2017, Yahoo revealed that all of its three billion accounts were compromised, WannaCry ransomware shut down hospitals across the globe, and an Equifax breach affected approximately 145.5 million consumers in the United States. The news of these processor flaws — whose names, “Spectre” and “Meltdown,” appropriately convey their seriousness — is just the latest evidence that true digital security remains out of our reach.
But when these vulnerabilities are exposed and damaging attacks occur, there are few lasting repercussions. Almost without fail, stock prices bounce back, customers return, executives keep their jobs or exit with golden parachutes, and government mostly looks the other way. After the news of Equifax’s massive breach, for example, the company’s stock dropped roughly 35 percent. But it’s already recovered nearly half of its lost market value, and Fortune reported that the former chief executive officer Richard Smith retired with as much as $90 million in compensation. Resilience is one of the hallmarks of stable, mature markets, but something isn’t right here.
The tepid consequences are part of a growing problem. From a corporate governance and accountability perspective, cybersecurity today is being treated like accounting was before the fallout from the Enron scandal inspired the Sarbanes-Oxley Act’s increased standards for corporate disclosures. With the privacy and personal data of hundreds of millions of people at risk, and especially now with the increasing ubiquity of connected devices in our lives, the security of digital assets is too important for that kind of treatment. We need to bolster a culture of responsibility around cybersecurity, combining stronger and more uniform corporate governance with a clearer government commitment to enact better defensive policies.
A complex hack may not be a C.E.O.’s fault, but it is absolutely his or her responsibility. Investors and consumers need to demand more from the executives to whom they entrust their digital lives. The same holds true for government. Protection of the welfare and livelihood of its citizens is a foundational principle of government, and yet for more than a decade there has been very little consequence for nation-states and state-affiliated groups who’ve pilfered the intellectual property, and violated the personal privacy, of citizens and companies around the world.
Strengthening a culture of responsibility will require changes by both companies and the government. Last year, the New York State Department of Financial Services took a promising step by implementing new data-security regulations for certain financial companies operating within the state. The regulation includes rules for reporting cybersecurity events within 72 hours, annual proof-of-penetration tests, and, by 2020, third-party assessments — all designed to increase accountability and remove the fog of uncertainty that often surrounds breaches. The federal government would be wise to follow New York’s lead and implement similar laws at the federal level. Without federal action in this regard, increased regulation of cybersecurity practices will happen anyway, but in a fragmentary and disjointed way. More uniform regulations can help a more uniform standard to emerge, providing companies with the predictability and certainty they need in order to evaluate their risk management and security investments the right way.
While more must be expected of companies, more should be expected of government as well. American businesses are under attack by our nation’s geopolitical adversaries, and by nonstate groups affiliated with them. Just imagine if American shipping companies were battling foreign navies, or if domestic airlines were fighting an adversary’s air force. This asymmetry locks the businesses into fights they cannot win.
In its most dire scenario, the increasing velocity and severity of cyberattacks on American companies may encourage more firms to take matters into their own hands by “hacking back” against their attackers. This would open a Pandora’s box of ugly consequences. Even large Wall Street banks, spending hundreds of millions of dollars each year on security, cannot win against the Chinese or Russian militaries, so they escalate at their peril.
But if private companies and individuals are not to fight back in self-defense, then their government must do a better job on their behalf.
In short, the federal government must ensure that deterrence works in the digital domain. Cyberconflicts often pit the vast resources of nation-states against those of private companies. Businesses can only be reasonably expected to agree to increased cybersecurity regulation if they have confidence in the government to perform its basic function of protecting its citizens.
Just as policy frameworks exist to respond to, and dissuade, physical attacks on Americans and their interests, foreign and domestic, so the government must deter adventurism in cyberspace. Notably, this doesn’t merely mean that one hack justifies another — rather, the full range of diplomatic, informational, economic and military options should be on the table. Failure to make such consequences clear and credible contributes to a fundamental failure of deterrence in cyberspace and exposes the United States government, American businesses, and individual citizens to many more such attacks in the future.
Every business is now a digital business, and nearly every citizen is increasingly reliant on the connected world. We live in an era of mass targeted attacks in which nation-state-level resources are being directed against companies and private citizens, and until our security culture changes, we can expect to see more massive breaches throughout 2018 and beyond.
Written by Nathaniel Fick
Read the full Op-Ed piece at The New York Times.