The Private Sector is Best-Positioned to Lead Cybersecurity Policy
By Steven Titch
While most analysts agree that the U.S. needs to do more to defend its assets from potential cyberattack, policymakers are divided over how best to do this. This year in Congress, Sens. Joe Lieberman and Susan Collins proposed a new Cybersecurity Act, which would have consolidated the various Department of Homeland Security (DHS) cybersecurity programs into one office and authorized DHS to work with private companies to create standardized cybersecurity protocols. The bill also would have required the private sector to share information on potential cyber-threats with the federal government.
Critics of the bill said its language was too vague, and would have locked companies into protocols and procedures that could quickly be outmoded by new threats. There were also concerns about the added cost the regulations would impose on businesses, as well as how effective they would be. The bill also leaned heavily on the deployment of expensive technology such as facial recognition software (FRS) and biometrics, which many find overly intrusive and, in the case of FRS, unreliable.
The bill ultimately failed to reach a vote in the Senate, although there is speculation that President Barack Obama may implement it as an executive order.
Cybersecurity is the protection of electronic data from attacks, which generally have one of two motivations. The first is espionage or theft. An organization or government breaks into a secure data system to gain information—whether for strategic intelligence, military, or just plain criminal purposes.
The second objective is sabotage or terrorism. For example, an attacking organization could attempt to infiltrate air traffic control, power companies, transportation networks and other critical infrastructure for destructive purposes.
While the latter captures the popular imagination, the likelihood of a successful wide-scale cyberterrorist attack is extremely slim. Even if a terrorist infiltrated a power company's network, that network can be isolated from the larger Internet and any malware contained. The idea of a terrorist successfully shutting down electric power across entire regions of the country, or destroying worldwide banking networks, is the stuff of Hollywood blockbusters.
Nevertheless, cyberattackers can do damage on a more limited scale, such as by shutting down factories or pipelines, which in turn could affect supply chains critical to smooth day-to-day operation of the economy. The biggest concern for corporate chief information security officers remains theft of proprietary or confidential customer information.
However, the need for strong cybersecurity policies does not necessarily mean that the federal government should take a leadership role in setting standards, especially given the private sector's strong record in cybersecurity compared to the government's spotty record on data protection. For example, in August 2012, the U.S. Government Accountability Office (GAO) reported that federal data breaches involving unauthorized disclosures of personally identifiable information increased by 19 percent, from about 13,000 in 2010 to 15,500 in 2011. As if to punctuate the GAO findings, that same month the Environmental Protection Agency separately disclosed that a security breach had exposed the Social Security numbers, banking information and home addresses of some 8,000 people.
Private Sector Skepticism
Research data suggests that U.S. businesses would rather see the private sector develop cybersecurity protocols and policies for the government than the other way around. Information security professionals say private sector security protocols, honed bottom-up through multilateral, multi-stakeholder processes, are far better at securing data than over-reliance on technology and government-driven directives.
Bit9, an endpoint security vendor, released its 2012 Cyber Security Survey of 1,861 IT professionals (1,533 in the U.S.) across a wide range of industries, including government, which found that 58 percent of respondents said implementing best practices and better security policies would have the biggest impact on improving the state of cybersecurity. By contrast, only 15 percent said better technology and just 7 percent said government regulation and law enforcement.
Information security professionals place a strong emphasis on best practices, that is, routine but specific guidelines and procedures that employees are expected to follow, because rank-and-file personnel are the first line of defense against cyberattack. Cyberattackers rarely attempt to break directly through the hardware and software protections on a secured data system or network. The "evil genius hacker" who can break into sophisticated systems at will is largely a Hollywood creation. Real-life attackers use more prosaic methods to breach a system, including:
- Misrepresenting oneself as an employee, contractor or customer to gain confidential information, usually from a front-line employee such as a receptionist, executive assistant or customer service representative. This technique is called pretexting;
- Entering a secure area by quickly following someone who already has used a key or card to unlock a door. This technique is called "tailgating." Once inside, the attacker can view or steal documents, employee directories and other material that will be a valuable aid in a cyberattack;
- Searching outdoor trash containers ("dumpster diving") for documents containing confidential information;
- Outright theft, such as stealing office laptops from employees who take them home.
When attackers do use electronic methods, the easiest approach is to plant malware through emails (phishing) sent to employee addresses harvested from documents obtained through the methods above.
If you work in the private sector, chances are you are routinely reminded never to open an attachment from a questionable source, to take extra steps to verify the identity of visitors, and never to allow an individual to enter a building behind you after you've "badged in." If you work with confidential data, you may also have rules for shredding documents and against taking laptops home.
The concern is real. Seventy-one percent of respondents to Bit9's survey from companies or agencies with more than 500 employees said they expected to be targeted by a cyberattack within the next six months. At companies with 100 to 500 employees, 50 percent of respondents thought the same.
Yet while the government sees threats to the nation's industry and infrastructure from foreign governments, businesses themselves place "hacktivist" groups such as Anonymous and cybercriminals ahead of nations such as China. When asked to name the three types of cyberattacker most likely to target their company, 61 percent named hacktivists, 55 percent named cybercriminals and just 31 percent named China. Russia was the only other nation-state specifically named, by 13 percent, and other nation-states in general garnered only 4 percent. Both trailed disgruntled employees (28 percent) and corporate competitors (20 percent).
It is not surprising to see the degree of responsibility the private sector has taken for securing critical physical and cyber-infrastructure. As private entities, they literally own the problem. Their assets, property, competitiveness and reputation all hinge on their ability to protect both their own data and the customer data with which they are entrusted. Good intentions notwithstanding, the government may never be able to reach this high a level of information security awareness because it faces nothing like the economic and legal consequences that a data breach poses to a commercial enterprise. This alone makes a strong case for letting the private sector lead the ongoing development of cybersecurity standards. Private enterprise understands the concerns, understands the threats and is in the best position to create effective cyber-threat prevention and response.