leaves many of the implementation details to each corporation, based on the nature of their business. Companies are required to publish their assessments, providing an element of transparency. By holding organizations responsible for security without telling them how to secure their systems, we allow them to build a flexible cybersecurity ecosystem.
While a scattershot collection of rules is in place today, it is not working. The Securities and Exchange Commission has released guidance requiring that companies disclose breaches. But companies have, in many cases, only paid lip service to the rules. In a 2012 survey of financial filings, Reuters found that at least a half dozen companies had not disclosed known breaches. A comprehensive survey of the Fortune 1000 by insurance broker Willis found that 17 percent of companies offered no opinion on their cybersecurity risk in their SEC filings, and only 1 percent of Fortune 1000 firms mentioned specific incidents.
Focus on Risk, Not Technologies
Companies should start by prioritizing the mitigation of cyber risk. Many companies are creating the role of the Chief Risk Officer—reporting to the CEO and the board—who looks at cyber risk not just in terms of IT but more broadly in terms of corporate assets, intellectual property, and customer information and how these assets are managed and protected. Creating cross-disciplinary teams that distribute the responsibility for security among various stakeholders inside a company can help CROs and the firm’s chief information security officer succeed.
To enforce corporate disclosure, finding ways to externally evaluate and then rank companies’ security posture would be a start. If companies could measure the likely cybersecurity risk posed by their partners, in the same ways that banks look to a credit score, then businesses could limit their exposure. Moreover, such trusted ratings could give companies the ability to audit and check the certification of their suppliers. What goes into the measure of trust would be for the market to decide. Such a system would also help companies understand their suppliers’ security posture.
Some companies, such as BitSight, are already trying to develop a way to measure an organization’s security posture by detecting changes in external indicators. The government could help by standardizing what constitutes risk and what measures are considered due diligence for security.
The enumeration of trust levels could also benefit the nascent cyber insurance industry, which has failed to take off because risk, damages, and policy coverage are all poorly defined in the cyber realm. Insurance has helped many industries develop better safety standards and precautions. With government support against cyber disasters, insurance companies could create standard guidelines for companies on how to secure their businesses.
There should be a particular focus on securing critical public infrastructure, such as water utilities or electric generation and distribution companies, as these players affect every aspect of our economy and our daily lives. We depend upon them to function, and leaving them open to asymmetric actors in an unstable region of the globe is a real danger.
Unfortunately, these legacy systems are often old and not well understood. Further, their organizations lack the expertise and resources to improve their cybersecurity. A government fund, similar to the Works Progress Administration (WPA), could spur the effort needed to secure this infrastructure. A more privatized approach may be possible as well—the functional equivalent of the Export-Import Bank for financing to support the systematic upgrade of our critical infrastructure.
Information sharing is also essential. Defenders tend to be at a disadvantage in cyberspace because attackers share information, but defenders, for a variety of legal and business reasons, do not. President Obama’s Executive Order 13636 has already directed agencies to share information with the private sector, but their historical track record in this regard has been poor. Our only chance of success in securing our digital economy is through a shared defense. In addition, we still need a common framework in which to share information.
Finally, focusing on the future, the U.S. needs to establish a better program to train the next generation of cybersecurity architects and workers. While U.S. colleges are already establishing programs to graduate security professionals, we should also use the government’s expertise in this area. Despite its sullied reputation from the Snowden leaks, the NSA remains our top resource for cybersecurity in the world. The NSA and other government experts need to be able to share their expertise with industry.
For our economy, our way of life, and the freedoms we hold dear, the stakes could not be much higher. Unless the United States adopts a comprehensive, integrated, and serious approach to cybersecurity, the bad guys will win. The evidence to date is clear—they are already way ahead of the good guys.