Mr. President, the status quo in cybersecurity is failing the U.S. It is failing the commercial sector, which is being publicly breached on a weekly basis, and it is failing the government as well. It is time to take bold and decisive action to stop these dangerous and embarrassing hacks before they cause further damage and erode the confidence that is vital to the U.S. economy.
The recent Sony hack was a nightmare — embarrassing for the company, costly for shareholders and challenging for America’s foreign policy. It was only the latest of a series of high profile cyber attacks, but for cybersecurity experts, it was also a big opportunity. It shined a light on the activity that we’re seeing everyday: networks of hackers exploiting the U.S.’s weak and incapable cybersecurity defences… and doing real economic harm.
Unfortunately, your proposal comes up short in addressing the deficiency. While bolstering law enforcement capabilities and reporting requirements are good steps that will help us punish offenders and mitigate embarrassing mega-hacks — important elements of reform — they’ll do little to stop data breaches in the first place.
It’s the equivalent to putting up more security cameras instead of buying a better safe. It’s clear we need to enforce the laws better: less than 2 percent of cyber criminals are ever successfully prosecuted. But even if information-sharing and other resources are freed up, the U.S. will continue to be plagued by weak, easily-hackable computing devices and networks that rely on dated and vulnerable software-based security. If there is one thing that we’ve learned, just about any software can eventually be hacked if there is enough incentive for groups with the right resources to do so. We need to take advantage of the hardware-based solutions that are ready and available today. Solutions such as the Trusted Platform Module (TPM) chip that is already deployed on almost a billion computers and computing devices. These devices are dramatically more difficult to compromise, as proven by their impressive record over the last several years in the field.
The costs of inaction (or weak action) go well beyond flopped movie releases and embarrassing headlines. These hacks erode consumer confidence just as we look for greater consumer participation in the recovering economy. They slow innovation as consumers and enterprises hesitate in using new services, devices and platforms. They threaten national security as enemies see new pathways to injure the economy and even critical infrastructure such as power grids, pipelines or power plants.
Now is our opportunity to confront these threats. If it doesn’t happen now, the same conversations will continue for years as the consequences of inaction become only more severe — and the U.S. will be that much farther behind in addressing them.
Congress has an opportunity to work across party lines, and with you, to put together forward looking legislative reforms that don’t just regulate the reporting of hacks — but actually mandate minimum requirements for government IT systems and establish National Standards so these hacks don’t happen in the first place. That’s not partisan — it’s common sense.
Any cybersecurity legislation should require the immediate use of two, simple components that are a fundamental part of any overall solution aimed at stopping data breaches in corporations and government agencies:
1. Multifactor authentication. Basically, you start with “something you know,” like your user identity (user ID and a password or PIN), and then add “something you have,” like a physical token or a virtual token based on hardware in your computer like the TPM chip. By having multiple identifying factors, it is dramatically harder for a hacker to gain entry to the system. Essentially with this kind of solution in place a hacker would not only have to gain possession of an employee’s valid user credentials but would also need to take physical control of their computer (in a TPM-based solution) or the security token itself. Only then could they gain access to the IT environment and initiate their hack. This effectively eliminates the most common remote hacking attempts and now requires an element of physical presence for a malicious intrusion to succeed.
2. Security rooted in hardware. Too many corporations rely solely on software-based security solutions that protect sensitive data as long as the integrity of the software itself isn’t tampered with. As we have seen, software remains vulnerable anytime there is sufficient incentive to crack it. Hardware-backed security such as the Trusted Platform Module (TPM) provides a highly tamper-resistant location to store encryption keys and unique identity credentials.
Both of these steps can be taken immediately, using technologies that are proven to be effective and have been commercially available for years. It’s not rocket science — it just takes leadership and the will to do what’s sometimes hard: asking corporations and bureaucrats to change.
The transition costs will be minimal — many companies already take both of these steps and the technology already exists in most machines.
Mr. President, the long term costs of inaction — to both a company’s bottom line and the future of the U.S. — are high. We count on our leaders to have the wisdom and forethought to change the status quo and take bold action to harden cybersecurity now — before those who would do harm find a way to seriously cripple the economy and government.