Cybersecurity in the private sector – playing catch-up

The U.S. private sector may lead the world in many regards, but when it comes to insulating itself from cyber attacks, its performance has been weak.

While guidance for the 16 ‘critical infrastructure’ sectors was met with a positive reaction from industry leaders, the U.S. government mistakenly stopped short of compelling compliance.

{mosads}The private sector has had ample opportunity to act unilaterally on the issue and the stakes with regards to American security and prosperity are too high to procrastinate. Moreover, while some are investing appropriately in their cyber infrastructure, the mood of the private sector at-large remains one of ambivalence.

This ambivalence is best embodied by Target, the U.S. retailer whose cyber breach in late-2013 led to the hacking of more than 40 million credit card numbers and the personal details of more than 70 million customers.

Target had in place a $1.6 million system for detecting cyber breaches – a paltry investment for a company with more than $72 billion in revenues in 2013. Yet, when alerted to a major threat to their data protection, their internal response never materialized. The result: $61 million in costs for responding to the breach (as of February 1), a 46% fall in profits over the holiday period and a major loss of consumer trust in their brand.

Yet Target is far from unique in its idleness. As an article in Businessweek details:

“Government agencies often build their own Security Operations Centers, as do big banks, defense contractors, tech companies, wireless carriers, and other corporations with centralized stockpiles of high-value information. Retailers, however, tend not to. … A three-year study by Verizon Enterprise Solutions found that companies discover breaches through their own monitoring in only 31 percent of cases. For retailers, it’s 5 percent.”  

Why is this the case? Because from a short-term perspective, retailers view the risk as a minor one. Not until they are attacked are significant costs realized. By this time it is too late for both them and their consumers.

Given that their combined consumers comprise the vast majority of U.S. citizens, the U.S. Government has a role to play in compelling companies to protect consumer data.

Moreover, the Federal Trade Commission (FTC) is best placed to aggregate information about cyber threats and, consequently, best placed to provide guidance on what standards should be implemented.

Unfortunately, federal guidance and standards have been slow to materialize, leading former Senator Evan Bayh (D-IN) to declare that “it will probably take a cyberattack succeeding in some way that significantly harms the country before we’ll be able to reconcile the debate in Washington.”

Hopefully he is wrong.

As things stand, two competing proposals have been introduced in the Senate. The first, by Sen. John Thune (R-S.D.), would allow the FTC to retroactively punish companies that do not adopt ‘reasonable’ data security practices, while retaining Congress’s authority to determine what these practices should be.

Sen. Jay Rockefeller (D-W.Va.) goes further in proposing to give the FTC rulemaking authority in setting and enforcing comprehensive cybersecurity standards for the private sector – bypassing the need for Congress to legislate the standards.

While both proposals would be a significant improvement on the status quo, the Rockefeller proposal is preferable for three reasons:

Firstly, it would provide concrete, a priori guidance to the private sector on what standards must be adopted, as well as penalties for non-compliance. If structured correctly, this would encourage them to place long-term security ahead of short-term costs.

Secondly, it would place the standard-setting authority in the hands of the FTC, which has the most current and comprehensive information about potential cyber threats.

Thirdly, it would bypass the need for Congressional approval to adjust these standards – particularly important given the rapidly evolving nature of the threats.

Regardless of which proposal is adopted, it’s essential that the U.S. government compels action from the private sector. Beyond consumer data, the intellectual property of a generation of American research and development is at risk.

For American industry to succeed in the global marketplace, for American consumers to be safe from identity fraud and for American companies to retain their world leading status, America’s cyberspace must be secure. 

American leaders have acknowledged these facts. It is time for their rhetoric to be matched with action.

Botting is a Washington, DC-based adviser to a range of governments and commercial entities in Europe, Eurasia and Central Asia.