Holes in Our Cybersecurity Strategy

The National Cybersecurity Strategy of 2018 is one of the U.S. Government’s latest attempts to provide leadership and direction on cybersecurity for the nation. It was a positive step forward and showed vision. The strategy explains how the current Administration will:

  • Defend the homeland by protecting networks, systems, functions, and data;
  • Promote American prosperity by nurturing a secure, thriving digital economy and fostering strong domestic innovation;
  • Preserve peace and security by strengthening the ability of the United States — in concert with allies and partners — to deter and, if necessary, punish those who use cyber tools for malicious purposes; and
  • Expand American influence abroad to extend the key tenets of an open, interoperable, reliable, and secure internet.

It’s All About Execution

This strategy document strikes all the right chords. However, it takes a band to produce the music, and there are players missing in this ensemble. The government has suffered from an inability to marshal agencies, budgets, and resources towards one vision or harmonization. It is not the strategy itself, but the leadership of the strategy that is the difference-maker. This is why the federal CISO position that was eliminated by the Trump Administration was so important to the future of our digital lives. This strategy and any strategy will only be as good as the commitment to see that it is actualized. If the government is not able to lead and effectively manage our cyber lives, individuals will need to play a crucial role in minimizing the implications of personal threats.

This can be accomplished by simply being aware of the threats present in the digital world and avoiding them. Once people become vigilant and learn the techniques needed to fend off these risks, the whole community will become safer and more productive. A group of businesses sharing cyber threat data with each other makes them all safer. A cyber event that happened to one should not happen to a business that is a sharing partner.

Making Criminals Pay

One of the core reasons why cybercriminals have been so successful in conducting their underhanded practices has to do with the low rate of prosecution. The U.S. Department of Justice has been unable to catch these cybercriminals because most of them are foreigners. Hence, these hackers cannot be slowed unless there is cooperation from their native countries. Since these foreign individuals conduct their operations secretly and through encrypted pieces of software, there is little to no chance of them being exposed. It is extremely challenging to catch these individuals as they operate across numerous spoofed server sites and online portals. In many cases, by the time officials discover the hacker’s location, the hackers have already relocated to a distant city or country.

Playing as a Team

The U.S. Government understands that with all these dynamics, we must approach cybersecurity with a risk-based partnership. This is the only way for us to have even the slightest chance of managing hackers. It is the only means of maintaining our way of life. We must play as a team until there are better cybercrime laws and countermeasures to hacking. The “we” will change depending on the situation.

However, both government and private companies have found common ground in protecting critical infrastructure. If this type of partnership can be exported to local communities and organizations, there is hope. There are 16 critical sectors in the U.S., and in most of them, there are no cybersecurity laws or strong regulations except maybe the chemical and nuclear sectors. Banking and healthcare have laws and rules, but the value of a successful hack makes criminals ignore the threat of prosecution.

Our Complicated System 

Limited prosecution of businesses that do not employ cyber protections has the counter effect. Infrastructure owner-operators can decide how much risk they want to accept, transfer, manage, or buy down. It doesn’t help that 48 of the 50 states in the U.S. have different breach reporting laws that dictate required actions following a data breach. All these factors contribute to business decisions that affect customers in the end.

Breach reporting can be costly for a business entity, that is, if the right procedures are followed. Ironically, the cost of a breach reporting responsibility incentivizes corporations not to report. The cost of managing a breach could be as much as $300 million. In all cases, law firms are intimately involved after a major breach becomes public.

Managing the breach notification laws in various states and the potential lawsuits that might follow requires skilled legal minds. That should signal that we have an issue with our national approach, and change is desperately required by Federal and local officials. Lawyers appear to be the most important players in the cyber breach response game. The question most people ask after a breach is “who do I call?” Traditional law enforcement personnel are not equipped with the necessary skills, tools, or laws to overcome the problem of cyber threats or intrusion. Cybersecurity calls for a dedicated team that specializes in cybersecurity and provides a haven to the people victimized by cyber-attacks. The old law enforcement strategies cannot help the victims of cyber-attacks.