There is a severe and growing cyber threat to the U.S. private sector, stemming largely from hackers in China. Part 1 of this article revealed how the ongoing hacking of U.S. business networks is robbing America of its hard-earned intellectual property and innovation. The attacks are lining hackers’ pockets and allowing Chinese corporations and the government to quickly and illegally catch up to U.S. technological capabilities. This needs to end, and to achieve it, all U.S. businesses need to get serious about cybersecurity.
While cyber threats can be technologically sophisticated, there are some basic approaches all companies can take to elevate their security posture. Dr. Steven Bucci is a senior research fellow for defense and homeland security at the Heritage Foundation and previously worked as a cybersecurity consultant to IBM. (He also has had a distinguished military career, including service in special operations forces, and held a civilian appointment as a deputy assistant secretary of defense.)
Given the onslaught of cyber attacks on American businesses, Bucci noted important steps for elevating private sector cybersecurity. One, he said, is awareness and education, and this goes beyond a “one-pager on threats or once-a-year cyber training.”
“I could go to almost any company in America and the majority of the employees would not be able to articulate the threat their company is under,” he said, adding that despite company security policies, threatening programs are still found throughout business networks.
“This means something is wanting in their programs – if not in substance, then in execution,” he said. “Businesses need dynamic education that changes with the changing threat.”
Employees must know what to look for when deciding whether an email, link or website poses a threat. Updating software, attending to computer security notices, being selective in surfing the Internet, and approaching unfamiliar communications with caution are things every employee can and should do. Many of the attacks described in Part 1 originated with one poor choice on a single workstation, which gave the attacker a foothold from which to reach the rest of the network. With up-to-date knowledge and training, most of these errors can be avoided.
The execution of cyber policies and programs must be matched with company leadership that makes the needed investments in technology and training, said Bucci. There are security products that protect networks, and security staff who can actively guard company data. These are important investments. Business leaders need to understand the threats, follow their own security best practices and ensure they are enforced throughout the organization.
“The next thing the private sector should do is be a good partner to the public sector, particularly law enforcement,” said Bucci. “When a business does get hit with something, they need to report it and let forensics come in and figure out how they did it, fix it and get the word out to other companies so they don’t get hit as well.”
Companies are worried about customer and investor confidence, as well as public image, and so sometimes sweep cyber attacks under the corporate rug. But this only perpetuates the illusion that businesses are not under frequent assault, and it ultimately causes more damage to the company, because the vulnerability that was exploited is never identified and resolved.
“Way too many companies have their IT people – those who run the networks – separate from their security people,” said Bucci. “If they have a security breach that causes an attack on the network, the IT guys are running 100 mph to get it fixed and get the network back up. Meanwhile, forensics show up, and there’s no crime scene anymore.”
Bucci said there have been many examples like this where, even after an attack, the company is as vulnerable as it was the day before. Without preserved evidence (the compromised systems’ logs, memory and disk contents, as they were before the rebuild), forensic analysts cannot reconstruct how the penetration occurred, so the entry point cannot be identified and closed.
Despite some U.S. private-sector cybersecurity efforts, many businesses have been lax in recognizing and addressing the threats. To be sure, Congress is going to regulate cybersecurity standards. The question being debated in Washington is what shape those mandates will take.
“For a long time, everyone said, ‘just let the marketplace deal with it,’ and there are a lot of folks who have concluded the marketplace has failed in that regard, so we must do something,” said Bucci. “Anyone in business who thinks there’s not going to be some government regulation is crazy. It will happen, but we hope it happens in a way that doesn’t kill the goose that laid the golden egg.”
There are two pending cybersecurity bills that could come to a Senate floor debate in July. The Cybersecurity Act of 2012 (S. 2105) would give the U.S. Department of Homeland Security (DHS) authority over certain network security standards; the SECURE IT Act (S. 2151) focuses on information sharing and would give the intelligence community the lead.
“I am concerned that a regulatory solution might end badly,” said Bucci. “DHS is not a regulatory agency, but it seems to be the prime candidate to write and enforce the regulations. Given their lack of experience in an area like this, that could be problematic. Also, regulations do tend to be slow and static, which is the exact opposite of the pace in cyber, which is fast and highly dynamic.”
To explain the potential regulatory approaches, Bucci used an analogy to military maps, with arrows noting how a field attack presses forward. One is a line of advance (a stick arrow) that defines exactly how the subordinate proceeds. The other is a direction of advance (“a big fat arrow”), and the subordinate can advance anywhere within the broader area.
Regarding private sector cyber regulation, Bucci said: “We have to give them the general direction and the end point. But Congress also needs to give some degree of flexibility in how businesses get there, some room to make it fit into their system. With cyber, there are a lot of ways to address these problems. That’s the kind of guidance the government should give.”
A Collective National Imperative
No matter what regulation is ultimately handed down, the onus of meeting the rules will remain with the employees and business leaders working within their company network. Their day-to-day decisions play a significant role in maintaining the security of company data. The Internet has brought myriad advantages and opportunities for the private sector, but it has also put proprietary information in the crosshairs of unceasing and clever adversaries.
Effective homeland security demands widespread public participation. It is not sufficient to assume government agencies can prevent the escalating cyber threat to U.S. businesses on their own. The 21st century American workforce is on the front line of a tough cyber battle. Governments can write regulations and work to define international cyber laws; intelligence, law enforcement, and other security agencies can trace attacks and return the insult; but every citizen, employee, and business leader must understand their central role in protecting information, national security, and America’s economic potential.
Individuals and organizations in China (and elsewhere) are using digital capabilities to steal unearned advantages. The massive damage being done to American businesses is perhaps less glaring because it comes in smaller (sometimes unnoticed) cuts rather than in one fell swoop. But the competition for economic and global leadership began decades ago, and the contenders evidently have no qualms about cheating and stealing to catch up.
American business: Hackers in China are targeting you; they and their supporters (both governmental and corporate) want to steal what you have worked hard to build. The evidence for this and the ramifications of inaction are easy to find and study. All of us – from the smartphone user to the CEO – need to wake up, fast. The thieves are already inside the gates, and if we don’t start holding the line, they are going to cut our private-sector and national security to pieces.