“The good news is that we actually know how to solve these problems,” says Glenn Gerstall, general counsel at the National Security Agency until 2020. “We can fix cybersecurity. It may be expensive and difficult but we know how to do it. This is not a technology problem.”
Another major recent cyberattack proves the point again: SolarWinds, a Russian hacking campaign against the US government and major companies, could have been neutralized if the victims had followed well-known cybersecurity standards.
“There’s a tendency to hype the capabilities of the hackers responsible for major cybersecurity incidents, practically to the level of a natural disaster or other so-called acts of God,” Wyden says. “That conveniently absolves the hacked organizations, their leaders, and government agencies of any responsibility. But once the facts come out, the public has seen repeatedly that the hackers often get their initial foothold because the organization failed to keep up with patches or correctly configure their firewalls.”
It’s clear to the White House that many businesses do not and will not invest enough in cybersecurity on their own. In the past six months, the administration has enacted new cybersecurity rules for banks, pipelines, rail systems, airlines, and airports. Biden signed a cybersecurity executive order last year to bolster federal cybersecurity and impose security standards on any company making sales to the government. Changing the private sector has always been the more challenging task and, arguably, the more important one. The vast majority of critical infrastructure and technology systems belong to the private sector.
Most of the new rules have amounted to very basic requirements and a light government touch—yet they’ve still received pushback from the companies. Even so, it’s clear that more is coming.
“There are three major things that are needed to fix the ongoing sorry state of US cybersecurity,” says Wyden. “Mandatory minimum cybersecurity standards enforced by regulators; mandatory cybersecurity audits, performed by independent auditors who are not picked by the companies they are auditing, with the results delivered to regulators; and steep fines, including jail time for senior execs, when a failure to practice basic cyber hygiene results in a breach.”
The new mandatory incident reporting regulation, which became law on Tuesday, is seen as a first step. The law requires private companies to quickly share information about cyber threats that they used to keep secret, even though sharing that information can often help build a stronger collective defense.
Previous attempts at regulation have failed but the latest push for a new reporting law gained steam due to key support from corporate giants like Mandiant CEO Kevin Mandia and Microsoft president Brad Smith. It’s a sign that private sector leaders now see regulation as both inevitable and, in key areas, beneficial.
Inglis emphasizes that crafting and enforcing new rules will require close collaboration at every step between government and the private companies. And even from inside the private sector, there is agreement that change is needed.
“We’ve tried purely voluntary for a long time now,” says Michael Daniel, who leads the Cyber Threat Alliance, a collection of tech companies sharing cyber threat information to form a better collective defense. “It’s not going as fast or as well as we need.”
The view from across the Atlantic
From the White House, Inglis argues that the United States has fallen behind its allies. He points to the UK’s National CyberSecurity Centre (NCSC) as a pioneering government cybersecurity agency that the US needs to learn from. Ciaran Martin, the founding CEO of the NCSC, views the American approach to cyber with confused amazement.
“If a British energy company had done to the British government what Colonial did to the US government, we’d have torn strips off them verbally at the highest level,” he says. “I’d have had the prime minister calling the chairman to say, ‘What the fuck do you think you’re doing paying a ransom and switching off this pipeline without telling us?’”
The UK’s cyber regulations work so that banks must be resilient against both a global financial shock and cyber stresses. The UK has also focused stronger regulation on telecoms as a result of a major British telecom being “completely owned” by Russian hackers, says Martin, adding that the new security rules make the telecom’s previous security failures illegal.
On the other side of the Atlantic, the situation is different. The Federal Communications Commission, which oversees telecommunications and broadband in the US, had its regulatory power significantly rolled back during the Trump presidency and relies mostly on voluntary cooperation from internet giants.
The UK’s approach of tackling specific industries one at a time by building on the regulatory powers they already have, as opposed to a single new centralized law that covers everything, is similar to how the Biden White House strategy on cyber will work.
“We have to exhaust the [regulation] authorities we already have,” Inglis says.
For Wyden, the White House strategy signals a much needed change.
“Federal regulators, across the board, have been afraid to use the authority they have or to ask Congress for new authorities to regulate industry cybersecurity practices,” he says. “It’s no wonder that so many industries have atrocious cybersecurity. Their regulators have essentially let the companies regulate themselves.”
Why the cybersecurity market fails
There are three fundamental reasons why the cybersecurity market, worth hundreds of billions of dollars and growing globally, falls short.
Companies have not figured out how cybersecurity makes them money, Daniel says. The market fails at measuring cybersecurity and, more importantly, often cannot connect it to a company’s bottom line, so they often can’t justify spending the necessary money.
The second reason is secrecy. Companies have not had to report hacks, so crucial data about big hacks has been kept locked away to protect companies from bad press, lawsuits, and lawmakers.
Third is the problem of scale. The price that the government and society paid for the Colonial hack went well beyond the costs the company itself bore. Just like with the issue of pollution, “the costs don’t show up on your bottom line as a business,” Spaulding says, so the market incentives to fix the problems are weak.
Advocates for reform say that a stronger government hand can change the equation on all of that, exactly the way reform has in dozens of industries over the last century.
Gerstall sees pressure building slowly to do something different than the status quo.
“I have never seen such near unanimity and awareness ever before,” says Gerstall. “This looks and feels different. Whether it’s enough to really push change is not yet clear. But the temperature is increasing.”
Inglis points to the nearly $2 billion in cybersecurity money from Biden’s 2021 $1 trillion infrastructure bill as a “once in a generation opportunity” for the government to step up on cybersecurity and privacy.
“We have to make sure we don’t overlook the stunning opportunities we have to invest in the resilience and robustness of digital infrastructure,” Inglis argues. “We have to ask, what are the systemically critical functions that our society depends on? Will market forces alone attend to that? And when that falls short, how do we determine what we should do? That’s the course ahead for us. It doesn’t need to be a process that lasts years. We can do this with a sense of urgency.”