As reported on The Wall Street Journal pages over recent years, but otherwise underreported across most major news/media outlets save for the occasional high-profile cyber breach, the bad guys are out there in cyber-land; their numbers are growing, they’re winning and they’re going to be around for a long time. According to recent reports, the trending rise in cyber-attacks against medical offices and hospitals to gain access to patient medical records is costing the industry a staggering $6 billion annually.
This market fact alone startlingly drives home the alarming urgency of this issue. Anecdotal information and real-time information sharing among the good guys is the key to effectively combating this far-reaching and pernicious threat to our national commercial-industrial-security interests and posture.
Many corporate CIOs and CISOs in tandem are already working aggressively albeit quietly behind the scenes with their otherwise competitor counterparts and in conjunction with multiple government agencies to deliver real-time critical information on the attempted electronic breaches they are seeing daily. If Company A sees a new or never-before-seen hack attempt then it’s in its own long-term interest to get that information out to as many good guys as possible, and fast; equally, if Company A was able to thwart/defend against a cyber-attack utilizing a new and innovative technique, then that information must be disseminated to as wide a friendly audience as possible. Why should Company A be so magnanimous in sharing this sensitive information? Because, when Company K two weeks later detects a new first-time breach, Company A will benefit from receiving that anecdotal and analytical information as a collaborative partner.
This is hard but vitally important stuff. To be sure, it’s not natural for companies to actively share their exposed points with their competitors. Long-term success will require a paradigm shift in how corporate management teams, in connection with their respective legal departments, work collaboratively with their traditional market competitors. It will require leadership.
We as a nation must forge a strong public-private linkage to combat the daily cyber onslaught to our national security and commercial interests; one that spans multiple federal agencies and encourages active voluntary participation by corporate entities.
Commerce Secretary Penny Pritzker is doing commendable work in leading the charge on behalf of the Administration, and in conjunction with the Department of Homeland Security, in creating altogether new policy initiatives to promote and enhance a strong national cyber counter-infrastructure. The Cybersecurity Framework launched early last year, under a 2013 Executive Order, brings together leading minds across industry, academia and government to help businesses effectively address and manage cyber risk. Equally, the Congressional Cybersecurity Caucus, chaired by Representatives Jim Langevin and Mike McCaul, and the US Senate Committee on Homeland Security and Governmental Affairs, chaired by Senator Tom Carper, with (until his recent retirement) Senator Tom Coburn as his wingman, have for some time been out in front on this strategically important issue. On the private side, insurance companies must be continually innovating to create new cyber-risk coverage products to meet growing demand for a fortified backstop in case of calamity. And as Redpoint Ventures partner John Walecka wrote in a WSJ Op-Ed (2/25/14), venture and private equity dollars are flowing in abundance to the increasing number of emerging cybersecurity companies forming seemingly daily. Some of these companies will fail, but many more will succeed, either on their own or later having been acquired by a larger organization. To be sure, many leading US multinational corporations have already stepped into the cyber breach regarding cyber information sharing and collaborative guidance. But there is much more work to do, with particular aim at the mid- and small-sized corporate sectors, where necessary intellectual and capital resources are relatively limited.
Strategically, Congress should enact legislation that effectively breaks out US Cyber Command from its parent US Strategic Command, and establishes US Cyber Command as a standalone and distinct unified combatant command structure, modeled much like US Northern Command, which has as its mandate to provide command and control of DOD homeland defense efforts and to coordinate defense support of civil authorities, with direct reporting to the President via the Secretary of Defense. For benchmark guidance, we should look to our Israeli friends. Israel is widely regarded as the global epicenter for inbound foreign cybersecurity attacks on commercial and government/defense entities. The corollary here of course is that Israel is the leader among nations in combating cyberterrorism in a coordinated manner across public agencies and private organizations. Meaningful cyber legislation that comes before Congress must be flagged with bi-partisan support for fast-tracking through both chambers.
Further, more members of Congress need to involve themselves to a greater extent, through active participation in and promotion of important cyber initiatives at both the federal and state level. Indeed the vast majority of private companies are standing at the waterline, fearing unintended missteps that might invoke legal repercussions. Fear of being sued for sharing too much or not enough information is not a valid excuse for non-participation in the growing community of daily shared threat assessments.
It’s up to our Congressional leaders to provide clear, appropriate and comprehensive legislative guidance in this regard. Cyber bad guys by their very nature are non-partisan and non-political. And therein lies the opportunity, for cybersecurity then can be the forum for our Congressional leaders to converge, collaborate and do extraordinary work together in shepherding a strong and united national public-private cyber defense.