“The good news is that we actually know how to solve these problems,” says Glenn Gerstell. “We can fix cybersecurity. It can be expensive and difficult, but we know how to do it. This is not a technological problem.”
Another major recent cyberattack proves the point again: the SolarWinds campaign, a Russian hacking operation against the US government and major companies, could have been neutralized if the victims had followed well-known cybersecurity standards.
“There is a tendency to exaggerate the capabilities of the hackers responsible for major cybersecurity incidents, practically to the level of a natural disaster or other alleged acts of God,” says Wyden. “That conveniently absolves the hacked organizations, their leaders, and government agencies of any responsibility. But once the facts come out, the public has repeatedly seen that hackers often get their initial foothold because the organization didn’t keep up with patches or didn’t properly configure their firewalls.”
It is clear to the White House that many companies do not and will not invest enough in cybersecurity on their own. In the past six months, the administration has enacted new cybersecurity rules for banks, pipelines, rail systems, airlines and airports. Biden signed a cybersecurity executive order last year to tighten federal cybersecurity and impose security standards on any company that sells to the government. Changing the private sector has always been the most challenging and possibly the most important task, since the vast majority of critical infrastructure and technology systems belong to the private sector.
Most of the new rules are fairly basic requirements with a light government touch, but they have still met with pushback from business. Still, it is clear that more are to come.
“There are three major things that are needed to fix the current sorry state of US cybersecurity,” says Wyden. “Mandatory minimum cybersecurity standards applied by regulators; mandatory cybersecurity audits, conducted by independent auditors who are not chosen by the companies they are auditing, with the results provided to regulators; and hefty fines, including jail time for top executives, when failure to practice basic cyber hygiene results in a violation.”
The new mandatory incident reporting regulation, which became law on Tuesday, is seen as a first step. The law requires private companies to quickly share information about threats that they used to keep secret, even though exactly that information can often help build a stronger collective defense.
Previous attempts at regulation have failed, but the latest push for a new reporting law gained momentum due to key support from corporate giants like Mandiant CEO Kevin Mandia and Microsoft Chairman Brad Smith. It is a sign that private sector leaders now see regulation as inevitable and, in key areas, beneficial.
Inglis stresses that crafting and enforcing new rules will require close collaboration at every step between government and private companies. And even from within the private sector, there is agreement that change is needed.
“We’ve been trying this on a purely voluntary basis for a long time,” says Michael Daniel, who runs the Cyber Threat Alliance, a collection of tech companies that share information about cyber threats to form a better collective defense. “It’s not going as fast or as well as we need.”
The view from across the Atlantic
From the White House, Inglis argues that the United States has fallen behind its allies. He points to the UK’s National Cyber Security Center (NCSC) as a pioneering government cybersecurity agency that the US needs to learn from. Ciaran Martin, the founding CEO of the NCSC, views the American approach to cyber with confused amazement.
“If a British energy company had done to the British government what Colonial did to the US government, we would have verbally ripped them out at the highest level,” he says. “I would have had the prime minister call the president and say, ‘What the hell do you think you’re doing paying a ransom and shutting down this pipeline without telling us?’”