The U.S. government has been very public about its concern for national cybersecurity. There have been grandiose speeches, presidential declarations and several attempts by the legislature to pass new cybersecurity laws. But the problem with America's national cybersecurity strategy is bigger than one-off hacks or data thefts. Crimes perpetrated by the likes of Edward Snowden, Chelsea Manning and the individual(s) who committed the alleged leak of the CIA's highly sensitive cyber warfare tools have resulted in mind-blowing losses.
Beyond those headline grabbers is a problem that gets less attention but poses a significant risk to critical national assets: the fact that private sector businesses operate -- but do not adequately protect -- a vast majority of the nation's critical infrastructure and data.
The federal government, and even the largest private sector enterprises, spend billions on cybersecurity investment but fail to extend those efforts into the SMBs that do much of the legwork. Laws are passed that promise to protect sensitive government information and "critical" systems, but the regulations are fine-tuned to work for the business community, effectively neutering enforcement mechanisms. Until there are real ramifications for cybersecurity failures in government and private sector entities that support the government, we will continue to see national security erode.
Consider, for example, the fallout from a 2013 report that found designs for some of the most sensitive, advanced U.S. weapons systems were hacked by a foreign country. Although it is a serious issue that those weapons systems are now compromised and have likely been duplicated by at least one foreign military, there is no sign of any punishment for the private companies that allowed the theft in the first place. In fact, the companies and their subcontractors that made the stolen systems will ultimately benefit from the espionage: There are a limited number of prime contractors that can perform this work, so the companies from which the systems were stolen will most likely build any replacement systems, if they have not already done so. There is no evidence that the contractors have lost work or otherwise paid for their failure. Until the cost of failure is higher than implementing real security technology, we will continue to see poor choices that lead us to cybersecurity failure.
Lack of private sector cyber accountability
I first wrote about the potential for a digital D-Day in 2005, then again in 2012. In the years since, we have sadly not come very far in advancing cyber protection of our most important systems. We are still allowing the private sector to decide what assets are critical and how they should protect them. This is true even where their product, service or infrastructure has a direct role in our national cybersecurity strategy and the U.S. government's operational continuity.
Private companies should be responsible for the public interest and implement precautions to minimize security failures that potentially undermine national defense. Cybersecurity professionals who falsely attest to security should be held accountable in the same way business executives are held accountable when their companies violate financial regulations.
But the reality is that the lack of resources within private companies, combined with no serious government enforcement, leads to little constructive action. As long as the U.S. continues to accept the lowest bids and/or sole-source providers in government contracting without serious consideration for their cyber hygiene, we will not see change.
The costs of cybersecurity investment
In defense of the contractors, I do believe companies should be able to include burdensome security expenses when submitting bids. Security should be rewarded as a competitive advantage and in the interest of national security.
But if a bidder is found to have not initiated the protections they attested to, they should be penalized. How is a failure to protect U.S. national secrets by not meeting minimum cybersecurity requirements, and, in some cases, committing blatant willful neglect, not considered criminal negligence?
Under the International Traffic in Arms Regulations (ITAR), one can get a decade in prison for unlawfully exporting defense technology. Punishments for export violations range from criminal penalties of "up to $1 million per violation and up to 10 years in prison" to, for civil violations, "seizure and forfeiture of articles, revocation of exporting privileges" with fines of up to $500,000 per violation. One Tennessee professor received 14 months in prison for "exporting military technology" when he taught foreign students about information that the professor didn't even know was protected. In his case, the prosecuting Assistant U.S. Attorney said, "Prison time is appropriate to avoid the appearance of a mere slap on the wrist for so serious of an offense involving national security." A mere accident on the part of this professor is a severe crime in the eyes of the government, but a cyber breach that results in dozens of our most important weapons systems being stolen results in no action? We should treat willful neglect of cybersecurity hygiene that results in national security breaches by foreign countries as export violations as well.
As a cybersecurity professional, I know there is no such thing as foolproof cybersecurity: Perfection is not achievable, and even a great defensive posture may not be enough against a determined actor. Organizations are all challenged with the cost and distraction of cybersecurity requirements, but may not be doing enough because, frankly, they just do not feel compelled to make a real effort when it comes to cybersecurity.
For example, some organizations are under such tight pricing constraints that realistic security measures are just not possible. In order to survive, these organizations must gamble on this lack of security and hope they are never a target for hacking, or even audited. Other organizations are simply woefully uneducated on their security obligations, and still others sincerely try to understand these obligations but still do not succeed.
The next steps
By design, U.S. cybersecurity laws and regulations are ambiguous and flexible. This flexibility, while intended to make it easier for organizations to comply, really makes it that much harder by not spelling out, in clear terms, what private sector organizations actually must do. We must insist that private sector companies work toward becoming secure, and then assist them when taking the necessary steps to help further the national cybersecurity strategy.
While I do not propose rushing into actions haphazardly, we must not just keep planning. We should start by:
- making the infrastructure upgrades being proposed by the current administration, and placing a priority on safety, cybersecurity and resilience;
- more clearly defining cybersecurity investment requirements for industries that directly and substantially are part of critical infrastructure;
- figuring out where the physical and logical security teams can cooperate so we can leverage combined skills and budgets;
- providing full tax credits for cybersecurity investments made by SMBs; and
- cutting off those that refuse to comply with cybersecurity mandates and to make reasonable efforts to secure the systems they are responsible for managing.
With each administration there is a renewed commitment and refreshed cybersecurity directives that result in nothing of consequence. There has been a renewed cybersecurity focus as foreign actors show their cards, so it is time that we do something impactful. The bottom line is we are running out of time before cybersecurity threats to our critical infrastructure result in an actual catastrophic attack. The time for action is now.