A colleague asked me recently if I thought the FBI had finally experienced enough of the cyberattacks plaguing the United States and would now more aggressively pursue the attackers. My answer was “no.” Cybercriminals are operating against the United States with impunity, and no one should assume that any federal law enforcement, intelligence, or defense agency is coming to the rescue.
Combating cybercrime is exponentially more difficult than combating traditional criminal activities, as technologies and techniques make it very easy for cybercriminals to hide their true identities, locations, and allegiances. It’s a sobering situation, one that has resulted in extensive intellectual property theft, enormous financial losses, and the disruption of supply chains that deliver essential goods.
As a Marine veteran and CIO of a global software company, my approach to cybersecurity mirrors many of the principles I practiced in the military. Much like the corporate world, the Marines emphasized expertise, accountability, results, and leadership. With skilled teams, strong leaders, and tangible goals, it is much easier to deal with the daily uncertainty that is inherent in managing the cybersecurity of a large enterprise.
So, how does the United States better position itself to combat this growing threat? Through a more visible, coordinated, and concerted effort with measurable goals that involves the government, the private sector, educational institutions, and everyday citizens. Some of the highest priorities requiring action are below.
- Deliver meaningful consequences: The federal government needs to ensure there are at least some repercussions for hackers, or at least the hostile nations supporting their criminal activities. It’s a delicate situation, as we don’t want what essentially is a new Cold War to escalate into a hot conflict. But without repercussions, there’s simply no reason to believe hackers won’t continue to severely damage U.S. interests. And it’s likely these hackers can already disrupt our civil infrastructures as well, but have chosen not to only because it’s an act they believe would demand a punishing response. The bar for consequences needs to be lowered and acted upon when crossed, which will be an event that will require courageous and deft leadership.
- Offer economic incentives to strengthen cyber defenses: Strengthening cyber defenses is an expensive undertaking, requiring considerable talent and technologies to implement and operate the capabilities needed to successfully parry cyberattacks. Congress should act swiftly to craft tax incentives for companies to invest in these much-needed defenses.
- Strengthen cyber defenses for civil infrastructure: It’s quite likely hostile actors can disrupt our civil infrastructures – electricity generation and distribution, waterworks, transportation systems – and we know they’ve at least probed many of these environments. The impact of cyberattacks on these systems could be existential for some citizens in the impacted areas. Municipalities, especially smaller ones, could benefit from federal funding to support the needed improvements, along with technical expertise from the private sector.
Private enterprise: IT providers
- Build secure IT products & services: Hackers typically gain illicit access through social engineering or by exploiting flaws in software code or application configurations. With millions of lines of code, it can seem nearly impossible for IT vendors to identify and address every potential security flaw. The stakes are too high not to invest in secure coding practices, white hat hacking, and configurations that are easier for IT administrators to understand and implement in a secure fashion.
- Make security solutions easier to implement for SMBs: Large enterprises often have the means to implement and maintain complicated security solutions, but that’s not always the case with SMBs. Delivering turnkey security solutions and services that are easier to implement, maintain, and whose efficacy is validated would go a long way to better protecting a particularly vulnerable element of our country’s business sector. These solutions could also be used by the myriad public institutions and non-profits that are also challenged by the cost and complexity of securing their systems and data.
- Craft a strong partnership with government agencies: Some of the bigger names in IT security appear during cyberattack responses, and it’s good to see. If they haven’t already, the relationships should be codified, with the private sector and governmental agencies clearly defining their roles, capabilities, and means of communications. Both sides can do things the other isn’t – technically and legally. With tight coordination, they can deliver potent cyberattack detection, remediation, and counterattack capabilities.
Private enterprise: IT consumers
- Make security a priority: Understanding the cybersecurity challenge, much less how to solve it, is something that vexes practically every company. As daunting as the challenge may seem, every company must take this seriously, and implement the capabilities to thwart attacks. If enough companies do so, it’s conceivable we’ll reach some level of herd immunity. At a minimum, it will allow us to focus our remediation efforts on a smaller number of cyberattack victims.
- Be vigilant about data backups: Aside from creating multiple layers of cyber defenses to thwart attackers, every company should be vigilant about backing up systems and data and safeguarding these backups. It’s one of the surest ways to recover from a ransomware attack and avoid paying a ransom.
- Educate a new generation of cybersecurity experts: Educators, starting in middle school, should look to train and graduate a new generation of cybersecurity experts. It’s a skill set that requires many years to obtain, and the middle and high school years provide an excellent opportunity to jump start the process, launch graduates into meaningful careers, and enable them to accelerate their learning at the collegiate level.
- See something, say something: Almost every citizen uses information technology in some fashion. Developing an awareness of how cybercriminals target individuals, and how to parry those attacks, is as important as private and public institutions building out cyber defense capabilities. Opening phishing emails has led to some of the most damaging cyberattacks of all time.
During my military service, I learned quickly that clear operational objectives and a reliable team pays off when an event – such as a cyberattack – knocks the team off course. Regarding measurable goals – I suggest keeping it very simple: fewer attacks, less loss of intellectual property, fewer ransoms paid.
The number and severity of cyberattacks can make it feel like the dark days associated with an early conflict. Letting folks know we’re fighting back: not paying blackmail, arresting the culprits when we can, and winning can improve morale. These are the ingredients for success.