“The good news is that we do know how to solve these problems,” says Glenn Gerstell, general counsel of the National Security Agency in 2020. “We can fix cybersecurity. It can be expensive and difficult, but we know how to do it. It’s not a technological problem.”
Another recent major cyberattack further confirms this: the Russian SolarWinds hacking campaign against the US government and large companies could have been neutralized if the victims followed known cybersecurity standards.
“There is a tendency to inflate the capabilities of hackers responsible for major cybersecurity incidents to almost the level of a natural disaster or other so-called natural disasters,” Wyden says. “This conveniently relieves hacked organizations, their executives and government agencies of any liability. But once the facts are out, the public is repeatedly convinced that hackers often get their first foothold because the organization doesn’t have time to release patches or properly configure their firewalls.”
It is clear to the White House that many businesses are not, and will not, invest enough in cybersecurity on their own. Over the past six months, the administration has introduced new cybersecurity rules for banks, pipelines, rail systems, airlines and airports. Biden signed a cybersecurity executive order last year to strengthen federal cybersecurity and introduce security standards for any company that sells to the government. Changing the private sector has always been more difficult, and perhaps more important: the vast majority of critical infrastructure and technological systems is owned by the private sector.
Most of the new rules amount to very simple requirements and a light government touch, but they were still met with resistance from companies. It is clear, however, that more is to come.
“There are three main things that are needed to fix the ongoing dismal state of US cybersecurity,” Wyden says. “Mandatory minimum cybersecurity standards enforced by regulators; statutory cybersecurity audits conducted by independent auditors, who are not selected by the companies they audit, with the results reported to regulators; and hefty fines, including jail time for senior executives when basic cyber hygiene fails to result in a hack.”
The new mandatory incident reporting provision, which became law on Tuesday, is seen as a first step. The law requires private companies to quickly share information about threats that they would normally keep secret, even though timely, accurate information can help build stronger collective defenses.
Previous attempts at regulation have failed, but the latest push for a new accountability law has gained momentum with key support from corporate giants such as Mandiant CEO Kevin Mandia and Microsoft President Brad Smith. This is a sign that private sector leaders now see regulation as both inevitable and beneficial in key areas.
Inglis emphasizes that the development and implementation of new rules will require close cooperation at every stage between the government and private companies. And even within the private sector, there is agreement that change is needed.
“We’ve been trying to act purely voluntarily for a long time now,” says Michael Daniel, who leads the Cyber Threat Alliance, a group of technology companies that share information about cyber threats to build better collective defenses. “It’s not happening as fast or as well as we need it to.”
View from across the Atlantic
From the White House, Inglis argues that the United States has fallen behind its allies. He points to the UK’s National Cyber Security Centre (NCSC) as a pioneering government cybersecurity agency that the US should learn from. Ciarán Martin, founding CEO of the NCSC, looks at the American approach to cybersecurity with bewildered amazement.
“If a British energy company did to the British government what Colonial did to the US government, we would verbally rip the stripes off of it at the highest level,” he says. “I would have the prime minister call the chairman and say, ‘Why the hell do you think you are paying a ransom and turning off this pipeline without telling us about it?