How to get serious about building national cyber resilience
Wringing our hands while acknowledging our cyber risk problem isn’t helping. It’s generally agreed that we are falling farther behind in addressing the risk of catastrophic economy and infrastructure failures due to cyberattacks. The answer is in front of us if we will commit to do what it takes.
Most of us know by now that what we face is an enterprise risk problem, not one that can be solved completely by IT and technology. When 80 percent of IT security budgets are spent on perimeter defenses to address the 20 percent of the breaches caused by inadequate perimeters (according to Zeus Kerravala, principal analyst at ZK Research), we are unlikely to make much headway.
Starting out as a technologist, I once believed that every challenge could be addressed by more and better technology. While in theory it’s possible, it’s highly unlikely. Based on experience to date, we continue to be locked in a cyber arms race between those who attack and those who protect, and the bad guys continue to win the race.
Don’t misunderstand – we need bigger and better technology, but we can’t expect technology alone to address a threat that succeeds by exploiting imperfect human behavior.
According to Presidential Policy Directive PPD-21, “resilience is the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions.”
Evidence points to a widespread desire to grow national cyber resilience, yet no cohesive effort has emerged. Individual initiatives abound, including pending legislation at the federal and state level, executive orders, and statements of direction from industry associations. The agencies concerned with security would like to see a determined national effort to improve resilience, but they aren’t comfortable with forcing the issue through some form of compliance legislation.
The Department of Homeland Security (DHS), for example, has developed a new form of collaborative model called an Industry Sharing and Analysis Organization (ISAO) that encourages, but does not coerce, companies to share important cyber information.
Based on numerous conversations with agencies, associations, academicians, consultants, brokers and insurers, security vendors, and customers, our hopes seem pinned to new technologies, legislation, and motivators like differentiated cyber insurance rates, or some combination. However, only a concerted and coordinated set of steps will lead to significantly greater resilience:
Declare a national standard for assessing cyber resilience across all segments.
The de facto gold standard is the Cyber Security Framework (CSF) developed by NIST and released in 2013. Current pending actions in Congress (e.g., H. R. 1224), legislation in 35 state legislatures (e.g., Texas H. B. 8), a presidential Executive Order, and a recent recommendation by the U.S. Chamber of Commerce all promote NIST CSF. We may be on the verge of something akin to a “cyber Sarbanes-Oxley.”
Establish voluntary certification against the standard.
Management guru Peter Drucker famously said, “What gets measured improves.” The large number of businesses and agencies who aren’t yet serious about combatting cyber risk would be encouraged to certify their level of compliance with NIST CSF. Organizations, not individuals, would be certified based on information aggregated during a comprehensive self-assessment, with certification offered by ANSI-accredited certifiers. The certification could be made public to underscore the commitment of the organization to good cyber hygiene.
Encourage the insurance industry to motivate resilience through cyber insurance rates.
Discounted rates based on the level of cyber maturity are an important driver of better cyber practices, but insurers are hampered by the lack of available data to support more precise predictive analytics. Many insurers privately admit that they’re unsure whether they are charging too much or too little for cyber insurance. A combination of concerned agencies and companies should support efforts to create better ways to calculate risk.
Extend SAFETY Act coverage to all significant breaches, not just cyberterrorism.
Through the SAFETY Act, the Department of Homeland Security Science & Technology Directorate oversees identification of offerings that contribute to national cybersecurity.
“The purpose of the Act is to ensure that the threat of liability does not deter potential manufacturers or sellers of effective anti-terrorism technologies from developing and commercializing technologies that could save lives.”
Solutions go through a rigorous evaluation that can take up to a year before they can achieve the DHS designation. (Full disclosure: my company recently achieved designation by the Office of SAFETY Act.)
We can’t wave a magic wand to make the problem disappear. What we can do and should do is take rational steps that, broadly adopted, can raise the overall cyber resilience of the nation.