Inside the plan to fix America’s never-ending cybersecurity failures

“The good news is that we really know how to deal with these issues,” said Glenn Gerstell, general counsel for the National Security Agency until 2020. “We can fix cyber security. It can be expensive and difficult, but we know how to do it. This is not a technical problem.”

Another major recent cyber attack proves the point again: the Russian hacking campaign against SolarWinds, the US government and large companies, which could have been neutralized if the victims had complied with known cyber security standards.

“There is a tendency to publish the capabilities of hackers responsible for major cyber security incidents, practically to the level of natural disasters or other so-called acts of God,” says Wyden. “It frees hacked organizations, their leaders and government agencies from any liability. But once the facts come out, the public has repeatedly noticed that hackers often get their initial footprint because the organization has failed to keep up with the patches or configure their firewall properly.”

It is clear to the White House that many businesses do not and will not invest enough in cyber security on their own. In the last six months, the administration has enacted new cyber security rules for banks, pipelines, rail systems, airlines and airports. Biden signed the Cyber Security Executive Order last year to promote federal cyber security and impose security standards on any company that sells to the government. Changing the private sector has always been the more challenging and important task: the vast majority of critical infrastructure and technology systems belong to the private sector.

Most of the new rules provide very basic requirements and a light government touch – yet they have received pushback from companies. Still, it’s clear that more is coming.

“There are three main things that need to be done to fix the ongoing plight of US cybersecurity,” says Wyden. “Mandatory minimum cyber security standards enforced by regulators; mandatory cybersecurity audits performed by independent auditors who are not paid by the companies they are auditing, with the results communicated to regulators; and tougher penalties, including jail time for senior executives, while failing to study basic cyber hygiene results in violations.”

The new mandatory incident reporting regulation, which became law on Tuesday, is seen as a first step. The law requires private companies to quickly share information about threats that they used to keep secret, even though that specific information can often help build a strong collective defense.

Earlier attempts at regulation have failed, but key support from leaders of corporate giants, such as Kevin Mandia, CEO of Mandiant, and Brad Smith, president of Microsoft, drove the recent push for new reporting legislation. It is a sign that private sector leaders now see regulation as both inevitable and beneficial in key areas.

Inglis emphasizes that co-operation between the government and private companies will be required at every step in formulating and enforcing the new rules. And even within the private sector, there is an understanding that change is needed.

“We’ve long been a full-fledged volunteer effort,” says Michael Daniel, who heads the Cyber Threat Alliance, a collection of tech companies that share cyber threat information to better build collective defense. “It’s not going as fast or as well as we should.”

View from across the Atlantic

From the White House, Inglis argues that the United States has fallen behind its allies. He points to the UK’s National Cyber Security Centre (NCSC) as one of the leading governmental cyber security agencies from which the USA needs to learn. Ciaran Martin, the founding CEO of the NCSC, looks at the American approach to cyber with puzzled surprise.

“If a British energy company had done to the British government what Colonial did to the US government, we would have torn them up verbally at the highest level,” he says. “I would have called the Prime Minister to tell the President, ‘Do you think you are paying the ransom without telling us and shutting down this pipeline?’”
