In a simpler time, not long ago, looking at threats to your business would mean examining your competitors, customers, and supply chain. Foreign intrigue and espionage probably only entered the picture if you were reading a spy novel after hours. But today, any organization that relies on intellectual property or trade secrets needs to take account of mushrooming threats from state-led cyber theft. We as a country can do much more to provide incentives for business to face this threat — and penalties for those that do not.
Recent cyber-attacks like the Russian-directed SolarWinds operation or the Chinese-directed exploitation of Microsoft Exchange servers are just the latest examples of the danger evolving from malcontent hackers in basements to methodical campaigns run by some of the world's most aggressive and well-resourced governments. Our adversaries openly connect industrial espionage with state power. Targets are no longer limited to defense contractors and national laboratories. Even the smallest organizations can attract the attention of hostile foreign cyber operations, or be swept up in them incidentally, with the same damaging effect.
The objective of attacks can include the simple theft of intellectual property, obtaining insider competitive information like sales strategy and customers, or actively hobbling the ability of the organization to compete. Sometimes the goal is all three outcomes.
For example, consider a company that competes with Huawei and uses a law firm to help with patent applications or with new and changing export-control regulations. It is easily conceivable that the Chinese government would deploy resources to penetrate a law firm serving Huawei's competitors. The result may be catastrophic, and not just for one client of the law firm: cyber-attackers backed by China could gain access to all of the law firm's data, including intellectual property owned by multiple American clients. Even worse, other cyber criminals could ride on the initial attackers' coattails, helping themselves to data that more sophisticated thieves already exposed, much as the web shells left behind on compromised Exchange servers were picked up by ransomware operators. Beyond damage to the targeted company, the law firm itself could face catastrophic litigation risk.
Hostile governments seeking intelligence and industrial information are long accustomed to exploiting the weakest link of a chain. Unfortunately, the nature of business today, which relies heavily on outsourced expertise, passes too much risk to parties who may not see themselves as targets. In the example above, it does not matter how secure the systems of the company that holds the intellectual property are if the law firm serving that company has inadequate systems and practices.
Therefore what we need as a country is a change in practice that helps every business and related field holding information of interest to our adversaries, not just what some characterize as the defense-industrial base or critical infrastructure. We need a carrot-and-stick approach: a set of both incentives and expectations to protect our economy and national security.
For the carrot, government and other organizations with knowledge and skill in thwarting cyber-attacks from our adversaries should start with expanded outreach to businesses and research organizations. They should make it easier for even the smallest businesses on Main Street to access high-quality, inexpensive information security expertise and resources. Government and grant providers should also encourage more basic research into secure-by-default technologies, such as end-to-end encrypted platforms and cryptographically based decentralized identity systems. Finally, we should provide tax breaks and grants to businesses for strong and safe cyber infrastructure. Did you just retire a vulnerable Exchange 2007 server, out of support since 2017, and move to Microsoft 365 or Exchange 2019? Uncle Sam will cover part of your costs! This is just a modern version of funding civil defense.
On the flip side, there should be disincentives to hazardous conduct: the sticks, which should only be deployed once businesses can avail themselves of the carrots above. Policymakers should enable private rights of action in data breach and privacy bills: injured parties should be able to recover losses caused by gross negligence. To discourage the externality of a company's vendors and partners compromising its technologies through carelessness, litigation risk should be spread so that the full supply chain of goods and services is motivated to protect information. Finally, if an organization needs government services to recover from an attack that could have been avoided by following reasonable and widely available advice, such as discontinuing use of vulnerable tools when replacements are practical, then the organization should have to reimburse the government, at least partially.
This approach of shared responsibility for protecting our economy from Chinese and Russian cyber-attacks will not only leverage the tools of government but also ensure that businesses and other organizations are a productive part of the fight.
The views expressed here are the writer's and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland.