70.8 F
Washington D.C.
Saturday, April 20, 2024

U.S. Agencies Lean into Cybersecurity Enforcement, but Is It the Right Approach to Reduce Risk?

In January, FBI Director Christopher Wray testified before Congress with stark warnings about the threats to U.S. critical infrastructure from Chinese hackers. While the briefing will not surprise cybersecurity professionals, his urgency reminds us that American companies and their customers are being targeted by increasingly sophisticated cyber threats every day—victimized by nation-state level cyber tradecraft and highly professionalized extortion.

A wave of government action threatens to alienate U.S. companies as they commit ever increasing resources to cybersecurity and have embraced public-private collaboration. Despite growing cybersecurity budgets, industry leaders struggle to understand the cybersecurity “goalposts” without clear, consistent government direction on what “good” looks like. Business and security leaders will be more willing to align to common sense cybersecurity standards that are predictable and risk-based.

Inconsistent government intervention or overreach can erode mutual trust and voluntary information sharing from industry, which the government relies upon from the operators of eighty percent of our nation’s critical infrastructure. The Department of Defense recognizes this in a 2023 U.S. Cyber Command memo, stating “the relationships we have built with our industry partners, is game-changing” with calls for increased data-sharing.

The 2020 SolarWinds breach was a watershed moment for its cybersecurity implicationsand the U.S. government’s response. The espionage attack, attributed to Russian state actors, impacted as many as 18,000 customers and highlighted the dangers of weaponized software updates. In response, the Biden administration issued the sweeping Executive Order 14028, intended to address software supply chain vulnerabilities and the nation’s broader cybersecurity gaps.

Three years later, the fallout from SolarWinds continues. In October, the Securities and Exchange Commission (SEC) filed a civil complaint against SolarWinds, extraordinary in its scope and severity. The complaint alleges that SolarWinds and its chief information security officer (CISO) defrauded investors by misstating the company’s cybersecurity practices and by concealing poor cybersecurity practices and its heightened cybersecurity risks, thereby violating federal securities laws.

This complaint arrives on the heels of an expansive new SEC rule on cyber oversight and governance for public companies, significantly increasing cybersecurity expectations. While these government measures are intended to drive cybersecurity transparency and accountability, they are not consistently accompanied by traceable, risk-based performance metrics for companies to achieve.

This lack of clarity is even evident in the SolarWinds civil complaint, in which the SEC conflates the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST Special Publication (SP) 800-53 — two very different documents. This ambiguity from regulators can breed confusion and disincentivize cyber defense. The aggressive action against SolarWinds’ CISO could also have a chilling effect on attracting the most talented practitioners to security leadership roles.

SolarWinds is pushing back on the SEC complaint to “set the record straight.” In a recent blog post, the company insists that the “SEC’s misguided complaint threatens to impair our industry’s collective security.” The January compromise of the SEC’s Twitter account is reminiscent of the axiom, “Don’t throw stones if you live in a glass house.”

Demonstrating collective commitment

Both the government and the commercial sector share a consensus view of the threats our country faces from Russia, China and non-state, financially motivated hackers. Given this mutual appreciation, government must balance between establishing a standard of care and marginalizing the progress that has been made in independent commercial commitment and voluntary cybersecurity initiatives between the public and private sectors.

While attacks are on the rise, the propensity for victims of ransomware to pay has fallen dramatically as companies invest more in response and recovery capabilities. The FBI’s broadened priorities from pursuing bad actors to assisting victims has also improved ransomware defense outcomes.

Safeguarding our nation from cyber threats requires lawmakers to appreciate a few essential truths: U.S. companies are constantly victimized by our gravest adversaries who apply nation-state-level sophistication; private-sector and critical infrastructure in particular, invest substantial resources to safeguard themselves and their customers from state and non-state actors; and our best hope for countering cyber adversaries is a blend of enforcement, incentives and more precise metrics that advance cybersecurity imperatives.

Restoring a balance

The 2023 National Cybersecurity Strategy reflects a carrot-and-stick approach with a blend of regulation and commercial protections. The strategy calls for incentivizing better software security both through shifting liability to software providers and using the government’s purchasing power to drive the adoption of modern frameworks.

Appreciating the potential need for government support in severe cyber incursions, the strategy also calls for exploring a “federal cyber insurance backstop” for catastrophic events that could support the existing private cyber insurance market.

We can turn risk into opportunity by coalescing around mechanisms to measure cybersecurity performance in a more consistent, transparent way. Leveraging federally funded frameworks that are embraced by private-sector practitioners (such as Department of Homeland Security’s Cybersecurity Performance Goals), MITRE ATT&CK Framework or the National Institute of Standards and Technology’s Security Measures for EO-Critical Software can increase authoritative performance measurement.

We can work to codify best practices and reflect them as baseline requirements in technology procurements. This will create business opportunities for companies that can demonstrate greater cybersecurity maturity and effectiveness. The government can also use consensus best practice standards to establish a safe harbor for companies that demonstrate a requisite level of program maturity. This liability protection and shield from enforcement action can incentivize security investment.

In 2014, our government released the NIST Cybersecurity Framework, widely viewed by both federal and commercial practitioners as a sea change in organizing and expressing cybersecurity practices. Ten years later, the framework is an essential — but not sufficient — resource for advancing cyber objectives.

Government and the private sector must work towards applying more transparent, accurate and precise standard of cybersecurity effectiveness that supplements the framework’s principles. By doing so, we will acknowledge our collective progress but also establish mutual incentives for achieving US cybersecurity and resilience.

author avatar
Michael Chertoff & David London
As Secretary of the U.S. Department of Homeland Security from 2005 to 2009, Michael Chertoff led the country in blocking would-be terrorists from crossing our borders or implementing their plans if they were already in the country. He also transformed FEMA into an effective organization following Hurricane Katrina. His greatest successes have earned few headlines – because the important news is what didn’t happen. At Chertoff Group, Mr. Chertoff provides high-level strategic counsel to corporate and government leaders on a broad range of security issues, from risk identification and prevention to preparedness, response and recovery. “Risk management has become the CEO’s concern,” he says. “We help our clients develop comprehensive strategies to manage risk without building barriers that get in the way of carrying on their business.” Before heading up the Department of Homeland Security, Mr. Chertoff served as a federal judge on the U.S. Court of Appeals for the Third Circuit. Earlier, during more than a decade as a federal prosecutor, he investigated and prosecuted cases of political corruption, organized crime, corporate fraud and terrorism – including the investigation of the 9/11 terrorist attacks. Mr. Chertoff is a magna cum laude graduate of Harvard College (1975) and Harvard Law School (1978). From 1979-1980 he served as a clerk to Supreme Court Justice William Brennan, Jr. In addition to his role at Chertoff Group, Mr. Chertoff is also senior of counsel at Covington & Burling LLP, and a member of the firm’s White Collar Defense and Investigations practice group. David works with clients to strengthen cyber governance, drive control transparency and prioritize security investments. He assists operational personnel and senior decision-makers to effectively mitigate and communicate cyber risk. He has led high-profile cybersecurity engagements in energy, financial services, retail, health care, and technology sectors. Prior to joining The Chertoff Group, David spent nine years at Booz Allen Hamilton where he led the design and development of some of the highest-profile cyber exercises in the world including NERC’s Grid Security Exercise Series. He also directed company-specific incident management engagements to exercise operational, tactical, and executive-level cyber readiness. In November 2022 David was appointed as a cybersecurity expert to the Advisory Board of NowNow, a digital banking system founded in Nigeria.
Michael Chertoff & David London
Michael Chertoff & David London
As Secretary of the U.S. Department of Homeland Security from 2005 to 2009, Michael Chertoff led the country in blocking would-be terrorists from crossing our borders or implementing their plans if they were already in the country. He also transformed FEMA into an effective organization following Hurricane Katrina. His greatest successes have earned few headlines – because the important news is what didn’t happen. At Chertoff Group, Mr. Chertoff provides high-level strategic counsel to corporate and government leaders on a broad range of security issues, from risk identification and prevention to preparedness, response and recovery. “Risk management has become the CEO’s concern,” he says. “We help our clients develop comprehensive strategies to manage risk without building barriers that get in the way of carrying on their business.” Before heading up the Department of Homeland Security, Mr. Chertoff served as a federal judge on the U.S. Court of Appeals for the Third Circuit. Earlier, during more than a decade as a federal prosecutor, he investigated and prosecuted cases of political corruption, organized crime, corporate fraud and terrorism – including the investigation of the 9/11 terrorist attacks. Mr. Chertoff is a magna cum laude graduate of Harvard College (1975) and Harvard Law School (1978). From 1979-1980 he served as a clerk to Supreme Court Justice William Brennan, Jr. In addition to his role at Chertoff Group, Mr. Chertoff is also senior of counsel at Covington & Burling LLP, and a member of the firm’s White Collar Defense and Investigations practice group. David works with clients to strengthen cyber governance, drive control transparency and prioritize security investments. He assists operational personnel and senior decision-makers to effectively mitigate and communicate cyber risk. He has led high-profile cybersecurity engagements in energy, financial services, retail, health care, and technology sectors. Prior to joining The Chertoff Group, David spent nine years at Booz Allen Hamilton where he led the design and development of some of the highest-profile cyber exercises in the world including NERC’s Grid Security Exercise Series. He also directed company-specific incident management engagements to exercise operational, tactical, and executive-level cyber readiness. In November 2022 David was appointed as a cybersecurity expert to the Advisory Board of NowNow, a digital banking system founded in Nigeria.

Related Articles

Latest Articles