“The good news is that we really know how to solve these problems,” said Glenn Gerstell, general counsel at the National Security Agency through 2020. “We can solve cybersecurity. It may be expensive and difficult, but we know how to do it. This is not a technology problem.”
Another major recent cyberattack proves the point again: SolarWinds, a Russian hacking campaign against the US government and large corporations, could have been neutralized if the victims had followed well-known cybersecurity standards.
“There is a tendency to hype the capabilities of the hackers responsible for major cybersecurity incidents almost to the level of natural disaster or other so-called divine acts,” Wyden says. “That conveniently relieves the hacked organizations, their leaders and government agencies of any responsibility. But once the facts come out, the public has repeatedly seen that the hackers often get their first foothold because the organization didn’t keep up with the patches or configure their firewalls correctly.”
It is clear to the White House that many companies do not invest enough in cybersecurity on their own and will not do so voluntarily. In the past six months, the government has introduced new cybersecurity regulations for banks, pipelines, rail systems, airlines and airports. Biden signed a cybersecurity executive order last year to strengthen federal cybersecurity and impose security standards on any company that sells to the government. Changing the private sector has always been the bigger and arguably the more important challenge: the vast majority of critical infrastructure and technology systems belong to the private sector.
Most of the new rules came down to very basic requirements and a light touch from the government, but they still got a boost from the companies. Yet it is clear that there is more to come.
“There are three key things that are needed to resolve the ongoing devastation of US cybersecurity,” Wyden said. “Mandatory minimum cybersecurity standards enforced by regulators; mandatory cybersecurity audits, conducted by independent auditors not selected by the companies auditing them, the results of which are provided to regulatory authorities; and hefty fines, including jail time for senior executives, when failure to adhere to basic cyber hygiene results in a breach.”
The new mandatory reporting scheme, which came into effect on Tuesday, is seen as a first step. The law requires private companies to quickly share information about threats that they used to keep secret, even though that exact information can often help build stronger collective defenses.
Previous attempts at regulation have failed, but the latest push for a new reporting law has gained momentum thanks to significant support from corporate giants such as Mandiant CEO Kevin Mandia and Microsoft president Brad Smith. It’s a sign that private sector leaders now see regulation as both inevitable and, in key areas, beneficial.
Inglis emphasizes that drafting and enforcing new rules requires close cooperation at every step between government and private companies. And even the private sector agrees that change is needed.
“We’ve been trying on a purely voluntary basis for a long time,” said Michael Daniel, who leads the Cyber Threat Alliance, a collection of technology companies that share cyber threat intelligence to form better collective defenses. “It’s not going as fast or as well as we need it to.”
The view from across the Atlantic Ocean
From the White House, Inglis argues that the United States has fallen behind its allies. He points to the UK’s National Cyber Security Centre (NCSC) as a pioneering government cybersecurity agency that the US needs to learn from. Ciaran Martin, the founder and CEO of the NCSC, watches the US approach to cyber with confused amazement.
“If a British energy company had done to the British government what Colonial had done to the US government, we would have verbally ripped them off at the highest level,” he says. “I would have had the prime minister call the chairman and say, ‘What do you think you’re doing to pay ransom and shut down this pipeline without telling us?’”