In January, FBI Director Christopher Wray testified before Congress with stark warnings about the threats to U.S. critical infrastructure from Chinese hackers. While the briefing will not surprise cybersecurity professionals, his urgency reminds us that American companies and their customers are being targeted by increasingly sophisticated cyber threats every day—victimized by nation-state level cyber tradecraft and highly professionalized extortion.
A wave of government action threatens to alienate U.S. companies even as they commit ever-increasing resources to cybersecurity and embrace public-private collaboration. Despite growing cybersecurity budgets, industry leaders struggle to locate the cybersecurity “goalposts” without clear, consistent government direction on what “good” looks like. Business and security leaders will be more willing to align to common-sense cybersecurity standards that are predictable and risk-based.
Inconsistent government intervention or overreach can erode mutual trust and the voluntary information sharing that the government relies upon from industry, which operates roughly eighty percent of our nation’s critical infrastructure. The Department of Defense recognizes this in a 2023 U.S. Cyber Command memo, stating that “the relationships we have built with our industry partners, is game-changing” and calling for increased data sharing.
The 2020 SolarWinds breach was a watershed moment, both for its cybersecurity implications and for the U.S. government’s response. The espionage campaign, attributed to Russian state actors, delivered a trojanized software update to as many as 18,000 customers and highlighted the dangers of a compromised software build and update pipeline. In response, the Biden administration issued the sweeping Executive Order 14028, intended to address software supply chain vulnerabilities and the nation’s broader cybersecurity gaps.
Three years later, the fallout from SolarWinds continues. In October, the Securities and Exchange Commission (SEC) filed a civil complaint against SolarWinds, extraordinary in its scope and severity. The complaint alleges that SolarWinds and its chief information security officer (CISO) defrauded investors by misstating the company’s cybersecurity practices and by concealing poor cybersecurity practices and its heightened cybersecurity risks, thereby violating federal securities laws.
This complaint arrives on the heels of an expansive new SEC rule on cyber oversight and governance for public companies, significantly increasing cybersecurity expectations. While these government measures are intended to drive cybersecurity transparency and accountability, they are not consistently accompanied by traceable, risk-based performance metrics for companies to achieve.
This lack of clarity is evident even in the SolarWinds civil complaint, in which the SEC conflates the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST Special Publication (SP) 800-53 — two very different documents. The Cybersecurity Framework is a voluntary, outcome-oriented structure for organizing a security program, while SP 800-53 is a detailed catalog of security and privacy controls written for federal systems; a company can reasonably adopt the former without claiming to implement the latter. This ambiguity from regulators can breed confusion and disincentivize cyber defense. The aggressive action against SolarWinds’ CISO could also have a chilling effect on attracting the most talented practitioners to security leadership roles.
SolarWinds is pushing back on the SEC complaint to “set the record straight.” In a recent blog post, the company insists that the “SEC’s misguided complaint threatens to impair our industry’s collective security.” The January compromise of the SEC’s Twitter account is reminiscent of the axiom, “Don’t throw stones if you live in a glass house.”
Demonstrating collective commitment
Both the government and the commercial sector share a consensus view of the threats our country faces from Russia, China and non-state, financially motivated hackers. Given this mutual appreciation, government must strike a balance between establishing a standard of care and marginalizing the progress that has been made through independent commercial commitment and voluntary cybersecurity initiatives between the public and private sectors.
While attacks are on the rise, the propensity of ransomware victims to pay has fallen dramatically as companies invest more in response and recovery capabilities. The FBI’s broadened priorities, from pursuing bad actors to also assisting victims, have also improved ransomware defense outcomes.
Safeguarding our nation from cyber threats requires lawmakers to appreciate a few essential truths: U.S. companies are constantly victimized by our gravest adversaries, who apply nation-state-level sophistication; the private sector, and critical infrastructure operators in particular, invest substantial resources to safeguard themselves and their customers from state and non-state actors; and our best hope for countering cyber adversaries is a blend of enforcement, incentives and more precise metrics that advance cybersecurity imperatives.
Restoring a balance
The 2023 National Cybersecurity Strategy reflects a carrot-and-stick approach with a blend of regulation and commercial protections. The strategy calls for incentivizing better software security both through shifting liability to software providers and using the government’s purchasing power to drive the adoption of modern frameworks.
Appreciating the potential need for government support in severe cyber incursions, the strategy also calls for exploring a “federal cyber insurance backstop” for catastrophic events that could support the existing private cyber insurance market.
We can turn risk into opportunity by coalescing around mechanisms to measure cybersecurity performance in a more consistent, transparent way. Leveraging federally funded frameworks that are embraced by private-sector practitioners, such as the Department of Homeland Security’s Cybersecurity Performance Goals, the MITRE ATT&CK framework or the National Institute of Standards and Technology’s Security Measures for EO-Critical Software, can make performance measurement more authoritative.
We can work to codify best practices and reflect them as baseline requirements in technology procurements. This will create business opportunities for companies that can demonstrate greater cybersecurity maturity and effectiveness. The government can also use consensus best practice standards to establish a safe harbor for companies that demonstrate a requisite level of program maturity. This liability protection and shield from enforcement action can incentivize security investment.
In 2014, our government released the NIST Cybersecurity Framework, widely viewed by both federal and commercial practitioners as a sea change in organizing and expressing cybersecurity practices. Ten years later, the framework is an essential — but not sufficient — resource for advancing cyber objectives.
Government and the private sector must work towards applying a more transparent, accurate and precise standard of cybersecurity effectiveness that supplements the framework’s principles. By doing so, we will acknowledge our collective progress while also establishing mutual incentives for achieving U.S. cybersecurity and resilience.