with Aaron Schaffer
Similar attacks — in which hackers lock up the victim’s computer systems and demand a hefty payment to unlock them — have hit hospitals, schools, state and local governments and a slew of vital industries. But only a handful of the 16 industry sectors that government deems most critical to national and economic security are required by the government to meet minimum cybersecurity requirements.
The survey findings reflect an emerging new consensus that the light-touch approach simply isn’t sufficient to keep the nation safe.
“Critical infrastructure is exactly that — critical — and we can't afford it being taken down or made unavailable because of a cyber incident,” said Chris Painter, the State Department’s top cyber official during the Obama administration.
Chris Finan, an Obama administration national security official, called the current state of cybersecurity protections in critical industries “a clear market failure that will only be remedied with regulation.”
The Network is a panel of more than 100 cybersecurity experts who participate in our ongoing informal survey. (See the full list of experts here).
The Obama administration tried to set such standards in 2012, but the effort was beaten back by industry.
“In the time since, the record speaks for itself: near or at failing,” said Megan Stifel, executive director for the Americas at the Global Cyber Alliance nonprofit group and a former National Security Council cybersecurity official.
Until recently, government officials typically argued that voluntary cybersecurity standards were sufficient because companies would be eager to invest in security to avoid the expense and embarrassment of a major hack.
But that approach “has not produced the appropriate level of cybersecurity in many organizations,” said Michael Daniel, who was White House cyber coordinator during the Obama administration.
“The degree of cybersecurity that makes sense from a purely private-sector point of view may not be sufficient when public interests are taken into account,” said Daniel, who now leads the Cyber Threat Alliance industry group.
The barrage of cyberattacks against critical industries is “eroding consumer trust in everything from banking to the beef industry,” said Jay Kaplan, co-founder of the cybersecurity company Synack. “As a society, we've gone to great lengths to establish environmental, food, automotive and housing standards that private industry must abide by to help ensure public safety. It's time to apply those same principles to cybersecurity.”
There are some signals the government is preparing for broader cybersecurity requirements for industry.
President Biden’s nominee to lead the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, Jen Easterly, said during her confirmation hearing yesterday that “voluntary standards are probably not getting the job done.”
Chris Inglis, Biden’s nominee to be national cyber director, said the government may need to mandate cybersecurity protections for companies that are “conducting critical activities upon which the nation’s interests depend.”
DHS has already begun the process of establishing minimum cybersecurity protections for the pipeline industry in the wake of the Colonial Pipeline attack. But officials have declined to speculate about new regulations in other industries.
Some experts advocated for blanket rules that all critical industry should follow.
“The U.S. government should mandate that all companies in critical sectors phase out the use of reusable passwords and require their suppliers to do so, as well,” said John Pescatore, director of emerging security trends at the SANS Institute cybersecurity training organization. “This one move … will prevent 99.9% of phishing-based attacks from succeeding.”
Others urged a major review of critical industry sectors to figure out what cybersecurity changes are most important.
“The focus should be on systemically important critical infrastructure,” said Suzanne Spaulding, the top DHS cybersecurity official during the Obama administration. “Start by identifying functions that are critical to the nation. Then determine which specific systems, assets, or networks enable those functions. Those should be the priority.”
Several experts suggested the government go even further to force companies to adopt better cybersecurity.
- Tom Cross suggested the government should consider prohibiting paying hackers ransoms. Cross has worked in cybersecurity at IBM and OPAQ Networks and is now entrepreneur in residence at Company, a tech start-up community.
- Cindy Cohn, executive director of the Electronic Frontier Foundation, suggested expanding companies’ legal liability so that “anyone impacted by security breaches should have standing and a cause of action to bring [a] civil suit.”
- Lance Hoffman, who founded the Cybersecurity and Privacy Research Institute at George Washington University, suggested collecting and publishing statistics for how well companies are meeting cybersecurity standards to shame them into doing better.
Fourteen percent of Network experts opposed new mandates.
Many of them doubted the government would be nimble enough to ensure its requirements protected against hackers’ latest innovations.
“The idea that the federal government — which has its own significant cybersecurity challenges — could effectively set standards that would keep up with the threat in a rapidly moving field like cybersecurity and would not be outdated before the ink is dry on the page, seems pretty hard to believe,” said Jamil Jaffer, senior vice president at IronNet Cybersecurity.
Others argued there are a lot of things government should do to remedy the ransomware problem before it starts imposing new burdens on companies.
The government could begin by publishing lists of the safest technology for companies and making it easier to collect and share information about hacking, said Niloofar Razi Howe, a technology investor and board member at the cybersecurity firm Tenable.
The government should also work with allies to disincentivize Russia and other nations from allowing criminal hackers to operate on their territory, Howe said.
“Once all of that is done, then it can consider what regulating and imposing minimum standards would look like,” she said.
— More responses to The Network survey question about whether the government should impose cybersecurity mandates:
- YES: “At best, companies invest in cybersecurity at a level that is consistent with their own business needs. But the cybersecurity requirements for critical infrastructure requires an even higher level of investment because cybersecurity failures affect the entire nation, not just the company.” — Herb Lin, senior research scholar for cyber policy and security at Stanford University
- NO: “I have serious doubts that the U.S. government is sufficiently nimble to develop mandatory cybersecurity standards that would be effective.” — Paul Rosenzweig, a top Department of Homeland Security official during the George W. Bush administration who now runs Red Branch Consulting
- YES: “I am hard-pressed to see a rationale where this is not needed. Regulations can and should be outcome-focused, not prescriptive in approach, and there are clear 'cyber 101' basics that everyone should be using.” — Norma Krayem, vice president and chair of the cybersecurity, privacy and digital innovation practice at Van Scoyoc Associates
- NO: “The devil is in the details. What standards? How will compliance be measured? What will be the consequences of failing to meet these standards?” — Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation
- YES: “We have minimum standards for fire safety because there is collateral damage to adjacent structures from fires and limited public resources for fighting fires. We are now seeing the same risks coming to cybersecurity.” — Chris Wysopal, chief technology officer at the cybersecurity company Veracode
- NO: “While the government should issue guidance to help, the likely weight of a minimum set of cybersecurity standards is probably too burdensome for many of the businesses who would be caught up in such regulation. The standards would likely go through many drafts to become an attempt at an ill-inclusive program, which might not even provide the desired safety while increasing costs significantly.” — Andy Ellis, Operating Partner at YL Ventures
Senate Homeland Security Committee leaders are launching a bipartisan effort to revamp how government deals with ransomware attacks.
Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) and ranking Republican Sen. Rob Portman (Ohio) are asking the Biden administration for a slew of input about current efforts to counter ransomware and new authorities that Congress should grant it, according to a letter shared exclusively with The Cybersecurity 202.
The lawmakers may use the administration’s answers to develop new legislation in the coming months, the letter to national security adviser Jake Sullivan and Shalanda Young, the acting director of the Office of Management and Budget, states. They're asking for answers to their questions within 30 days.
The move comes after a call from Senate Majority Leader Charles E. Schumer (D-N.Y.) for Peters and other senators to determine what legislation is needed to counter a wave of damaging hacks and “bring the fight to the cyber criminals.”
Police disrupted a cybercrime marketplace responsible for more than $200 million in losses.
Users on the marketplace traded stolen online accounts and passwords for nearly a decade before the international operation to take it down, the Justice Department said.
Authorities in Germany, the Netherlands and Romania worked with U.S. authorities on the operation, they said.
FBI Director Christopher A. Wray walked back his comparison of ransomware to the Sept. 11, 2001, terrorist attacks.
“I don't think any attack, ransomware or January 6, can fairly be compared to the horror of September 11 and the 3,000 or so individuals who lost their lives that day,” Wray told the House Judiciary Committee. “My reference to September 11 in the context of ransomware was not about the attack but about how the country came together in response.”
Wray also reiterated that the government discourages companies from paying hackers ransoms.
- Rep. John Katko (R-N.Y.), the top Republican on the House Homeland Security Committee, discusses cybersecurity at an American Enterprise Institute event today at 10 a.m.
- Gen. Paul Nakasone, the director of the National Security Agency and commander of U.S. Cyber Command, testifies before a House Armed Services Committee panel alongside the director of the Defense Intelligence Agency, Lt. Gen. Scott Berrier, and Undersecretary of Defense for Intelligence & Security Ronald Moultrie today at 11 a.m.
- Senate Intelligence Committee chairman Mark R. Warner (D-Va.) discusses cybersecurity and other issues at a Washington Post Live event on June 14 at 11 a.m.
- House Homeland Security Committee panels hold a hearing on lessons learned from the U.S. government response to a ransomware attack on Colonial Pipeline on June 15 at 2:30 p.m.
- Dustin Moody, the head of the National Institute for Standards and Technology’s cryptographic technology group, discusses the future of cybersecurity and quantum technology at a Center for Strategic and International Studies event on June 15 at 3 p.m.
- A Senate Homeland Security and Governmental Affairs Committee panel holds a hearing on cybersecurity threats to state and local governments on June 17 at 10:15 a.m.
- Jeff Greene, the director of the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence who has been detailed to President Biden’s National Security Council, discusses Biden’s recent cybersecurity executive order at a National Security Institute event on June 18 at 1 p.m.