“The good news is that we actually know how to solve these problems,” says Glenn Gerstell. “We can fix cybersecurity. It may be expensive and difficult but we know how to do it. This is not a technology problem.”
Another major recent cyberattack proves the point again: SolarWinds, a Russian hacking campaign against the US government and major companies, could have been neutralized if the victims had followed well-known cybersecurity standards.
“There’s a tendency to hype the capabilities of the hackers responsible for major cybersecurity incidents, practically to the level of a natural disaster or other so-called acts of God,” Wyden says. “That conveniently absolves the hacked organizations, their leaders, and government agencies of any responsibility. But once the facts come out, the public has seen repeatedly that the hackers often get their initial foothold because the organization failed to keep up with patches or correctly configure their firewalls.”
It’s clear to the White House that many businesses do not and will not invest enough in cybersecurity on their own. In the past six months, the administration has enacted new cybersecurity rules for banks, pipelines, rail systems, airlines, and airports. Biden signed a cybersecurity executive order last year to bolster federal cybersecurity and impose security standards on any company making sales to the government. Changing the private sector has always been the more challenging task and, arguably, the more important one. The vast majority of critical infrastructure and technology systems belong to the private sector.
Most of the new rules have amounted to very basic requirements and a light government touch—yet they’ve still received pushback from the companies. Even so, it’s clear that more is coming.
“There are three major things that are needed to fix the ongoing sorry state of US cybersecurity,” says Wyden. “Mandatory minimum cybersecurity standards enforced by regulators; mandatory cybersecurity audits, performed by independent auditors who are not picked by the companies they are auditing, with the results delivered to regulators; and steep fines, including jail time for senior execs, when a failure to practice basic cyber hygiene results in a breach.”
The new mandatory incident reporting regulation, which became law on Tuesday, is seen as a first step. The law requires private companies to quickly share information about shared threats that they used to keep secret—even though that exact information can often help build a stronger collective defense.
Previous attempts at regulation have failed but the latest push for a new reporting law gained steam due to key support from corporate giants like Mandiant CEO Kevin Mandia and Microsoft president Brad Smith. It’s a sign that private sector leaders now see regulation as both inevitable and, in key areas, beneficial.
Inglis emphasizes that crafting and enforcing new rules will require close collaboration at every step between government and the private companies. And even from inside the private sector, there is agreement that change is needed.
“We’ve tried purely voluntary for a long time now,” says Michael Daniel, who leads the Cyber Threat Alliance, a collection of tech companies sharing cyber threat information to form a better collective defense. “It’s not going as fast or as well as we need.”
The view from across the Atlantic
From the White House, Inglis argues that the United States has fallen behind its allies. He points to the UK’s National CyberSecurity Centre (NCSC) as a pioneering government cybersecurity agency that the US needs to learn from. Ciaran Martin, the founding CEO of the NCSC, views the American approach to cyber with confused amazement.
“If a British energy company had done to the British government what Colonial did to the US government, we’d have torn strips off them verbally at the highest level,” he says. “I’d have had the prime minister calling the chairman to say, ‘What the fuck do you think you’re doing paying a ransom and switching off this pipeline without telling us?’”