Now that the new administration is in office, I thought I’d use my column as a way to send a few thoughts towards our White House about key cybersecurity considerations. Perhaps I’ll get a tweet out of it.
Among the greatest security challenges that we, as a nation, are likely to face over the next several years, is protecting businesses and citizens from cybersecurity attacks which must be at the top of the agenda. I was pleased to hear this addressed during the campaign, and now, there are several steps that the administration can take to help the private sector in its fight against increasingly complex threats and attacks.
While cyber-espionage and cyber-warfare are important issues that tend to make headlines and demand attention, it’s important that the government play a cooperative role with the private sector to address cybercrime, fraud and identity theft. As someone who has been on the frontlines helping companies manage the fallout of major cybersecurity incidents, I humbly ask that the administration prioritize the following areas:
1. Continued and Increased Funding of Security Research and Development
To stay ahead of other countries that are bolstering their cyber-offensive capabilities, we need continued innovation in, and funding of, cyber products and services. As it stands, we’re behind. In a recent opinion piece by Bill Gates, he makes a similar call to action, stating that since 2000, South Korea’s overall innovation research and development spending has gone up 90 percent and China’s has doubled. In the EU, there’s been a $568 million push to set up a network of “digital innovation hubs” focused on unified R&D around 5G, digitalization and cybersecurity. Yet, here in the United States, we’ve “essentially flatlined.”
The good news is the government is making headway toward funding the private sector. Take for example 12 early- to mid-stage tech startups, including Phantom Cyber and ProtectWise, that are backed by government-affiliated and security-oriented U.S. investment firms. Additionally, the Defense Advanced Research Projects Agency (DARPA) is continuing to research and develop technologies that are used in the private sector, such as past projects to detect distributed denial-of-service (DDoS) attacks and enable Internet anonymity.
While these efforts are promising, it’s crucial that the government’s involvement continues to increase. With the government’s help to further incentivize, promote and fund cybersecurity R&D, our country can foster an environment that allows for the rapid development of new technology that will ultimately strengthen both our offensive and defensive cyber capabilities and protect our country from attacks.
2. Proactive Disruption of Criminal Cyber Operations
As we look to further protect citizens of the U.S., we need the cybersecurity plan to prioritize investigating and proactively preventing criminal cyber operations.
Take for example a recent multi-national operation in December 2016 where the FBI worked alongside law enforcement partners in 40 countries, and in cooperation with private sector parties, to dismantle the “Avalanche network.” This highly sophisticated network – designed to thwart detection by law enforcement – had been conducting malware campaigns and “money mule” money laundering schemes for years, infecting 500,000 computers worldwide with malware on a daily basis. Without the FBI’s relentless effort to target these cybercriminals by collaborating with partners, Americans would likely still be losing hundreds of millions to Avalanche attacks.
The frightening reality is that cybercriminals can victimize millions of people anywhere around the world, and they’re constantly communicating with one another in the dark web and other exclusive underground forums to build these types of networks. A collective effort is needed from both the government to investigate and deter organized crime, and organizations to properly protect their systems and data.
3. Increased International Cooperation on Data Breach Notification and Protections
Currently, new data breach laws are going into effect in many countries to ensure that individuals are being notified and assisted if impacted by a data breach. However, there’s an overall lack of cooperation and consistency in these breach notification expectations at an international level.
Take for example the EU’s General Data Protection Regulation (GDPR) that will go into effect in 2018. Under the GDPR, U.S.-based organizations that operate globally and conduct business with EU citizens will be legally required to report a data breach to supervisory authorities within 72 hours of becoming aware of it. Similarly, affected individuals must be notified without “undue delay” if the breach presents a high risk to their rights and freedoms.
Clearly, this becomes burdensome for international companies that must stay updated on and compliant with varying standards in each location they operate. Further complicating matters, there is no agreement over what types of protections, if any, should be offered to impacted customers. In fact, in some markets, protections are not even available due to local privacy laws.
As the economy becomes more globalized, the odds of experiencing an international data breach are now higher than ever, and it will be important to more closely align and collaborate with other world leaders regarding international breach expectations.
4. Promotion of Information Sharing Amongst the Private Sector
While more attention has recently been put on the importance of information sharing between the public and private sector, not a lot of sharing is taking place amongst the private sector itself – an equally important effort to prevent cyber-attacks. In fact, a recent Ponemon study found that less than half of U.S. organizations participate in an initiative or program for sharing information with the government and industry peers about data breaches and incident response.
Without organizations and entities sharing cyber threat indicators and defensive measures with one another, it’s more likely that others will fall victim to the same mistakes and common threat actors. The promotion of information sharing is crucial, but there’s one major deterrent standing in the way: a lack of legal protection for participating companies.
Currently, there’s an overarching fear among companies that sharing threat information between organizations makes them vulnerable to civil or criminal liability because of the information shared (think: antitrust violations). Another fear includes the possibility of competitors using shared information against a company.
The government has the power to address these concerns and provide both assurances and protections to companies that choose to participate. By doing so, organizations are provided with cyber threat intelligence that can help increase the overall security of the private sector, and therefore protect consumers regularly caught in the crosshairs of an attack.
5. Enhanced Security of the U.S. Government as an Industry
Last, but most definitely not least, is the need to clean up the government’s own house in terms of security. In April, SecurityScorecard issued its 2016 Government Cybersecurity Report that ranked U.S. federal, state and local government agencies last when compared to 17 major private industries, including, education, healthcare and retail.
Concerningly, SecurityScorecard tracked a total of 35 data breaches among all U.S. government organizations between April 2015 and April 2016, and areas where they scored the lowest included malware infections, network security and software patching cadence.
As the impacts of data breaches become more devastating, it’s crucial that the government improves its security procedures to protect our country’s critical infrastructure. This is especially important now, more than ever, as cyber conflicts and tension between countries escalate. Even more, Experian predicts that this year we’ll see these types of threats move from “espionage to full on cyber-war,” leaving consumers and businesses as collateral damage.
While businesses can take proactive steps to protect themselves in the meantime, it falls to the government to ensure their agencies are shoring up their defenses and meeting the standards to which all other industries are held.
So, Mr. President, my message to you is as you continue to build out your cybersecurity plan and team, I hope you keep these recommendations in mind. My purpose in writing to you is to advocate for U.S. businesses and citizens and protect our country from cyber criminals. We have a long journey ahead of us, but I’m confident that with a revised focus on cybersecurity, and increased collaboration between businesses and the government, we can make headway.
About the Author: Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board. He can be reached at [email protected].