Ready, Fire, Aim!
The recent news cycle has been short on hard data and long on speculation about the headline-grabbing suspected security breaches affecting US targets as diverse as a stock exchange, a major airline, and a business newspaper.
The nationwide grounding of United’s entire fleet on July 8, its second in as many months, reportedly due to “automation issues” stemming from a “network glitch”, could have raised a few eyebrows on its own, especially in the wake of the largest compromise of US Federal systems in history – the OPM breach.
The same day’s unprecedented suspension of daily trading at the New York Stock Exchange started to stoke fears of a large-scale cyber attack against major commercial targets. The website outage at the Wall Street Journal the same afternoon was the third strike many a pundit seemingly needed before calling the day’s proceedings yet another round in the US-China cyber slugfest. Suspicions spiked again two days later on July 9 after news about TD Ameritrade suffering oddly similar “trading issues” due to a “software update”.
Unsurprisingly, the news cycle remains saturated with wild speculation about the origins and motivations for the attack, with many accusations pointing at China as the culprit for the entire NYSE-United-WSJ trifecta.
Despite indications of China’s involvement in the OPM breach, no such indications have emerged to reliably identify the People’s digital warriors as the culprits in this latest string of cyber mayhem. Although evidence proving China’s involvement or complicity remains scarce, that has not deterred the media, the politicians, or security industry notables from jumping on the “Red Cyber Menace” bandwagon.
The knee-jerk reaction to blame China for every suspected cyber event denies us the opportunity to honestly and impartially examine our national information security posture and what must be done to improve it.
Whose network is it anyway?
There are a couple of fundamental problems in the general public’s understanding and perception of cyberspace and cyber risk:
- Cyberspace is a national asset and must be defended as such – think “Department of Cyber Homeland Security” or “Federal Bureau of Cyber Investigations”, and
- Being “secure” is a binary condition – we’re either “secure” or we are not, which breeds the false notion that being completely safe at any cost is an achievable or even desirable goal.
For starters, the vast majority of US cyberspace lives in private hands – meaning commercial enterprise environments outside the reach of direct government control or oversight. Continuing expansion of the Internet-of-Things and cloud technologies makes it even more difficult to define clear national and geopolitical boundaries, with commercial interests driving further expansion and proliferation of global connectivity and collaboration capabilities. Global multinationals complicate things to an even greater extent, living up to their recognized designation as “non-state actors”.
These private entities have had little incentive, save for bad publicity concerns, to invest in cybersecurity – despite their frequent statements to the contrary. It’s rather easy to point the finger at China instead of holding up the mirror to ourselves for the consistent failure to secure our national cyberspace. The public remains largely unaware of the complex issues and has next to zero leverage to compel companies to do the right thing. Any efforts by the US government, at either the executive or the legislative branch, to create meaningful, enforceable cyber frameworks are thwarted and blunted by the powerful business lobby actively working to avoid regulation of any kind under the premise of “avoiding compliance overhead”.
Compelling incentives hard to come by
One of the wilder speculations about this week’s events suggested the attack on NYSE was the work of “wealthy Chinese investors” attempting to manipulate the US stock market as part of a larger “pump and dump” scheme brought on by margin calls in the midst of China’s market freefall. I’m compelled to give this idea some points for being creative.
Plausible? Not exactly.
The sad truth is that the only effects upon the stock market brought on by cyber attacks are largely confined to spikes in security firms’ shares. This week proved no exception, with several high-profile cyber firms enjoying a significant uptick as the attacks on NYSE and WSJ unfolded.
Victims of cyber attacks? Not so much.
Even after Target suffered one of the largest breaches in history, losing 70+ million credit card records and 46% in quarterly profits in the process, its stock barely dipped and then quickly rebounded as soon as the CEO resigned in the wake of his abortive expansion into Canada, compounded by the reputational impact of the breach.
Today there’s not enough understanding in the investment markets about the cascading effects of cyber threats upon companies’ asset valuation. The lack of significant negative effect upon breached companies’ stock price following even major incidents underscores this reality. Investors simply don’t understand that the companies whose shares they hold may be exposed to significant risks well outside their own scope of knowledge, let alone the markets at large.
It is baffling that in 2015, following some of the biggest breaches to date, we still have no reliable means to judge – and compare against the broader market – a company’s cyber risk posture as an integral component of our investment decisions. Why can we not produce a composite cyber risk index or a minimum baseline of acceptable cyber maturity, similar to commercial debt and credit ratings commonly held by publicly traded companies?
Shared goals, shared responsibilities
Despite loud calls for regulatory oversight and new legislation to govern our national cyberspace, and the propensity to focus on bad actors, national and otherwise, we must work to develop a holistic approach to national cyber security. While cyber warfare dominates imaginations, DoD’s capabilities focus on military assets and objectives. Civilian cyberspace far exceeds the Pentagon’s reach and operational purview.
Acknowledging the role private enterprises play in our digital economy should lead us to realize that the solution for securing our critical national information technology assets must combine private-public partnerships, smart regulation, law enforcement support, and active participation of public advocacy organizations to ensure privacy and liberty concerns are well-balanced against security objectives.
If the majority of our infrastructure is controlled by private enterprise, we must focus our attention there first. How do we create powerful incentives to ensure corporations do the right thing at the right time when it comes to investing in information security maturity?
We must work towards a common framework for assessing and reporting enterprise cyber risk posture with transparency, integrity, and clarity. Cyber risk must be included in public company annual reports, and breach notices must be published on a quarterly and annual basis. We don’t need all the gory details – just the fact that a breach happened would be a giant leap forward in ensuring companies are held to account for deficient and negligent practices.
Firms failing to invest in security should soon find themselves on the losing end of commercial tenders and regulatory inquiries, facing customer attrition. Shareholders will follow with derivative lawsuits, joined shortly by institutional investors looking for new management or a less risky market bet.
Goodwill impairment charges and intangible asset write-downs could be just a few of the ways for a public firm to quantify losses suffered during a breach, in addition to direct costs incurred in the course of responding to the incident – frequently running well into tens of millions during large-scale attacks.
We don’t need to reinvent the wheel. SOX, SEC, FTC, False Claims Act, and state and federal whistleblower protection laws already provide plenty in the way of legal and regulatory frameworks for both the reporting of issues and ensuring that it happens reliably. We can take a page out of our finance colleagues’ book to create the necessary incentives for doing the right thing in the private sector – what it should’ve been doing all along.
When investment decisions can be made based on the known cyber security posture of an enterprise, and revenue streams are directly impacted due to its immature cyber risk management capabilities, corporations will no longer have the option to delay or underfund their security programs.
Who benefits when companies invest in security? They do, as do their shareholders, partners, customers, and end-users of their products and services. More importantly, this model drives adoption of sound security practices in the marketplace, making cyber maturity a matter of measurable competitive advantage and core business competence – a virtual prerequisite to market entry and sustained success.
When companies who run our digital lives get smarter and more diligent about cyber maturity, we as a nation enjoy a higher standard of privacy, resilience, security, and market confidence. I know I’ve read somewhere these are good things.
We have the tools to make this happen. Let’s work together to see it through.
View the original content and more from this author here: http://ift.tt/1RtjRov
from cyber security caucus http://ift.tt/1JdsDNy