[BreachExchange] We’re hitting rock bottom in cyber — let’s do something

Audrey McNeil audrey at riskbasedsecurity.com
Thu Nov 30 18:32:29 EST 2017


https://techcrunch.com/2017/11/29/were-hitting-rock-bottom-in-cyber-lets-do-something/

When it comes to the cybersecurity problem, where is rock bottom?

Was it WannaCry, a ransomware attack unprecedented in scale that held
hostage computers in 150 countries in May, including Britain’s National
Health Service? Or a similar and perhaps even worse attack that hit
countries around the world just weeks later?

Was it the Yahoo breaches tied to a state actor that affected 1.5 billion
user accounts? Is it that cyber intruders are actively going after water,
power and utility grids with growing frequency and sophistication? Surely,
it had to be Russian interference in the U.S. election — the alleged
hacking of Democratic party emails and 21 state election systems — right?

Internet security is in a state of crisis. With their shocking scope and
targeting of some of society’s most critical infrastructure, recent attacks
are making some of the incidents that used to alarm us — the Target breach
a few years ago, for example — almost seem quaint by comparison.

It seems cyberspace not only remains an environment prone to compromise but
is hurtling toward a state of chaos where, as Columbia University scholar
Jason Healey has put it, the internet “would no longer be merely the Wild
West, but a failed state like Somalia.”

And yet, where is the outrage? Reeling from one attack after another, we
sometimes appear dazed and confused rather than mustering a collective
commitment that treats cyber insecurity as a crisis of the highest order.

The world will spend $90 billion this year on information security, but
continues to live in fear every day that the internet is on the verge of
being taken down by cyber criminals.

Ultimately, the problem is bigger than governments or private industry can
solve in isolation or with piecemeal solutions. What’s needed is concerted
global action.

Cybersecurity must be a top-of-agenda item for world and corporate leaders.
We need fresh, practical approaches to protecting an internet that has
rapidly become the central nervous system of the planet.

In a perfect world, the international community would level sanctions
against countries harboring cyber criminals. This would be very delicate,
though, since two world powers — Russia and China — are considered to be
U.S. cyber adversaries and part of the problem.

But some sort of international accord to agree on rules and reduce risk
would be a big step forward. Perhaps a good first step that all nations
could agree upon is that certain types of critical infrastructure are
off-limits for attack.

It would alleviate the tenuous situation described by the Carnegie
Endowment for International Peace: “In many countries, national laws
governing this space are either absent, vague or difficult to
operationalize. International understanding and conventions to harmonize
national responses are also largely absent, complicating efforts to manage
cross-border incidents with political ramifications.”

In fact, existing institutions such as NATO should maintain and look for
ways to expand their role in ensuring strong and resilient cyber defense.
With capabilities for malicious activity evolving faster than
business-as-usual can adapt, NATO can play a role in making better
cybersecurity a top global priority.

For example, NATO could become a central point for allies to share advice,
best practices and the latest technologies to combat cyber attackers.

But more than that, NATO could shift its focus from a strictly defensive
stance to offensive. As a recent article by the Atlantic Council correctly
noted, “Defensive measures might hold off an individual cyberattack, but
they do not address the underlying threat. Although the protection of NATO
members’ national networks should be a priority, the most effective way to
provide sustainable and long-term protection against cyberattacks is
through offensive capabilities and the destruction of opponent networks and
systems.”

Beyond NATO, there are other serious steps that can be taken.

Government should promote better disclosure on cybersecurity health to
investors. Another example could be found by better promoting the
availability and coverage of cyber insurance. For example, the insurance
industry has historically been at the forefront of incentivizing society to
adopt better and safer ways of living, from quitting smoking to wearing
seat belts to installing smoke detectors. The same can hold true in
cybersecurity, with greater adoption of cyber insurance eventually spurring
policyholders to adopt cybersecurity best practices.

Companies and universities should aggressively explore programs to help
fill the cybersecurity job shortage, estimated at nearly 2 million open
positions worldwide. A good example is IBM’s recent initiative to promote
alternative education models that reach a broader pipeline of employees
based on skills, experience and aptitudes rather than traditional hiring
models focusing solely on degrees. And organizations around the world
should absolutely be focusing on bringing more women and minorities to fill
these positions.

It’s often said that we’re very good at appreciating the cybersecurity
problem. But by coming together and collectively taking these sorts of
concrete steps, the world can shed the false narrative that solving this
problem is too hard or confusing.

The internet’s very existence is at stake.