To no one’s surprise, lots of big challenges chronically plague the cybersecurity world. But the biggest headache of all may be the relative inaction of the federal government, which unlike some other advanced nations simply isn’t doing its part.
For years, the U.S. has been periodically promulgating feckless mandates, including some issues from the White House, that accomplish virtually nothing. The half-hearted attempts at actionable measures contribute to weaknesses and help open the door to breaches.
Consider, for example, just a few instances:
- Last month, tens of thousands of images of travelers and license plates stored by the Customs and Border Protection agency were stolen in a digital breach. A federal contractor had transferred copies of the images to its network in violation of the contract. Then the subcontractor’s network was hacked – likely by a foreign government interested in tracking Americans or in the agency’s procedures.
- Tensions between the U.S. and Iran have been flaring regarding the latter’s stance on nuclear development, but this isn’t limited to two fuel tankers recently attacked in the Gulf of Oman and to Iran shooting down a U.S. intelligence drone. Iranian hackers have also ramped up campaigns around the world, particularly against U.S. targets, and it is unknown how effective we are in stopping them.
- Four months ago, Citrix Systems, a multinational technology company, found that hackers breached its internal network, later determined likely to be the Iridium hacker group, which also hit Citrix last December. In the latter attack, six terabytes of sensitive internal files were stolen, including email and blueprints.
It’s a brighter picture in the European Union, which last year implemented the ground-breaking General Data Protection Regulation. The law protects data and privacy for all EU citizens, empowering government to levy stiff fines on companies that fail to play by the rules. As a result, the EU is already investigating thousands of reported data breaches and has fined Google $57 million because of the way it processes user data around advertising.
Meanwhile, what is the U.S. government doing on the cybersecurity front?
Consider the Cybersecurity and Infrastructure Security Agency Act, signed into law by President Donald Trump seven months ago to better protect the nation’s critical infrastructure from physical and cyber threats. The law failed to cook up measures not already largely in place and, regardless, doesn’t have nearly enough money to be truly effective.
This sort of scenario more or less plays out in every federal government cybersecurity endeavor.
The Cybersecurity Act of 2015 – the first major piece of Congressional cybersecurity legislation – called upon businesses, government agencies and other organizations to share information about cybersecurity threats in the belief that this would help players better identify and defend against cyberattacks. It’s been a bust. Little information is being shared and most technology companies do not participate.
Then, roughly two years ago, there was President Trump’s cybersecurity executive order, largely aimed at protecting critical infrastructure nationwide, such as the electric grid and airports. This has also been a bust. In a recent survey by Cybersecurity 202, more than 75 percent of digital security experts said today’s critical infrastructure is no safer from cyberattacks than when Trump signed the order.
Protection of critical infrastructure, in particular, is woeful. A recent survey by Ponemon Institute found that 90 percent of respondents in this industry have been victimized by cyberattacks in the last two years, in some cases twice.
Such results and the relative lack of government support has become increasingly dangerous as our physical infrastructure becomes increasingly digitized and more vulnerable to cyberattacks. Russian hackers, for instance, have for years tried undermining U.S. electrical infrastructure and successfully cut off power to hundreds of thousands of Ukrainians in 2015 and 2016.
The upshot is obvious: Critical infrastructure — the core of our nation’s prosperity — is being threatened. A public/private sector cybersecurity partnership – a big piece of at least a partial solution – is not being realized.
Here are six steps I propose to begin fixing things:
- The government should define a level of expected cyber resiliency and produce a methodology to protect it. The NIST framework does this in an advisory capacity that is useful. What is still needed is a mandated level of preparedness with clear accountability and consequences for failure to meet standards. The cybersecurity at public companies should be audited by the government annually.
- It should also help to create a clearing center for the implementation of best practices in multiple arenas, including grid security. DHS offers this but its efforts are small. Some information is exchanged, but typically its too little, too late. Because time favors the adversary, threat intelligence, threat actor playbacks and remediation strategies need to be shared in real time. Currently, too many institutions are reluctant to share their most important intelligence, viewing it as a competitive advantage. This is akin to U.S. intelligence agencies not sharing their knowledge prior to 9/11. All the signals were there, but the dots were not connected. This is a huge advantage for the enemy.
- In tandem with this, the feds should begin building a private/public sector partnership, initially by persuading the private sector to proactively innovate cybersecurity measures in concert with the government. In one sensible step, the government has been awarding nearly $30 million in private sector grants to foment innovation and greater cybersecurity to protect the nation’s power grid and oil pipelines.
- The government should set standards of performance and hold industry accountable.
- The government needs to form an industrial bank to provide long-term financing to small utilities that need such help.
- Lastly, the government needs to take a broad perspective on infrastructure security improvement. This means better securing elections, for example, not just “hard” structures. To this end, scholars from Stanford University recently released a comprehensive strategy with 45 concrete recommendations to protect the integrity and independence of U.S. elections.
Once and for all, the federal government must start to get its cybersecurity act together. If it doesn’t, failure could be catastrophic.
Robert R. Ackerman Jr. is the founder and managing director of AllegisCyber Capital, a venture capital firm specializing in cybersecurity, and a co-founder and executive at DataTribe, a cybersecurity startup foundry in metropolitan Washington D.C.