One of the undercurrents from this election season has to be cybersecurity. Or in many cases, the lack of it — or a lack of understanding of what it means to be “cyber secure.” There were breaches and thefts of information that were noticed (like the DNC hack). Maybe some that went unnoticed. Things happened in this election regarding cybersecurity that were likely unprecedented and unseen in any prior election.
Perhaps seizing on this point, a good friend noted to me yesterday that cybersecurity is the next “Space Race.” The presence of superpowers and nation states make the cybersecurity race actually very analogous to the Space Race. On September 12, 1962 President John F. Kennedy’s declared that “We choose to go to the moon. We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one which we intend to win, and the others, too.”
Many readers may not remember that the mission to the Moon was not made just out of scientific or intellectual curiosity, but because at the time the US and the Soviet Union were in the midst of the Cold War, and the year prior the Soviet Union had sent the first man into space, an astronaut named Yuri Gagarin. As noted by a famous NASA historian, “So we decided to engage in this major scientific and technological endeavor and prove to the world that we were second to none.”
So we went to the moon. And thereafter well beyond to the outer reaches of the universe. One of the problems with cybersecurity, however, is that unlike the public spectacle of Neal Armstrong walking on the moon (which even today I still remember watching with my Dad and Mom), “spectacles” regarding cybersecurity range from the “silent but deadly” to “just plain awful.” Very few medals get awarded for being right all the time in cybersecurity defensive tactics. Coupled with a topic like cybersecurity that is squishy and malformed at best, cybersecurity would be voted in High School (in 1962) as the topic most likely to be ignored or forgotten. But we know now from plenty of experience that cybersecurity cannot be ignored nor forgotten. It is a topic that needs to be respected and feared, because many organizations are likely only one hack away from disaster. Time and time again we have seen organizations pay less attention to cybersecurity than they should. And that has always been a bad idea. We as a nation simply cannot afford to lose $100 billion (or more) a year to cybercrime, let alone the billions of dollars of lost intellectual property of US companies that might now reside someplace else.
Taking a page from the “avoidance of disaster handbook” here are 7 strategies that both your company (and government of the United States) could pursue to better protect its networks, intellectual property and personally identifiable information. Yes, some of these strategies involve government funding, tax credits, or government involvement. But isn’t that the point of the cybersecurity race? We need to prove our cybersecurity and cyber defense is second to none.
1. Government funding/support and involvement of the private sector in educating more people in cybersecurity and cyber defense: This is the low-hanging fruit. The government needs more trained cybersecurity personnel. The private sector needs more cybersecurity personnel. And we have the best schools in the world (from STEM education through colleges and universities) to educate people. Let’s do it. Before the trained cybersecurity skills shortage worsens and we don’t have enough runners for the cybersecurity race.
2.. Federal tax credits for small to mid-sized business to convert to AI, Machine Learning, cloud and encryption technologies. They are the ones most vulnerable to attack. They are the most vulnerable to a death blow if the attack is severe enough. AI and Machine Learning cybersecurity platforms will soon be the new standard. The cloud can be a safe haven for many who simply can’t find enough budget for cybersecurity. And encryption technologies must be considered for the protection of personally identifiable information.
3. Federal IT – A “Cloud First” approach must continue. Expansion of Fed Ramp program should continue as a baseline method of cloud security. Maintenance spending only on legacy systems until migration to the cloud.
4. Â Funding to create good housekeeping seal of approval, UL listing or other validation for the NIST”s “security by design” program. The attacks on Brian Krebs and Dyn proved we must do a better job securing the internet of things.
5. The Next Administration should consider an “Office of Cybersecurity” as a cabinet level position.
6. Security by design funding requirement for any new missile or weapons program; expansion of security by design program to military sector.
7. Finally, the government and the ISP’s, along with private industry (like top level domain name providers) should begin immediate dialogue on prevention of large-scale DDoS attacks.
We invite discussion on this topic, as there are undoubtedly more than 7 strategies. Expert dialogue is needed at all levels of government, and with all stakeholders. As we noted above, the strategy of not paying attention to cybersecurity needs or assessments simply is a bad one. We need to do better.
Co-authored by Paul Ferrillo, Counsel in Weil, Gotshal & Manges’s Litigation department, and Shawn Tuma, Cybersecurity & Data Privacy Partner at Scheef & Stone.