While they may still lurk in the shadows, cybercriminals are changing their tactics. Rather than exclusively targeting government agencies or individual corporations to steal data or extort funds, malicious actors have increasingly sought opportunities to cause damage to as many U.S. citizens as possible.
We saw a record number of data breaches in healthcare last year, affecting 45 million people across the U.S., according to Critical Insight. Other high-profile attacks, like the SolarWinds supply-chain compromise and the Colonial Pipeline ransomware attack, have disrupted critical services and inconvenienced millions of Americans in the last 24 months.
The change in behavior from our adversaries — both those acting independently and those sponsored by nation-states — will soon necessitate a change in how we, as a country and as an industry, work together to protect our data and critical systems from cyberattacks.
Our leading cybersecurity experts agree. Chris Krebs, founding director of the government’s Cybersecurity and Infrastructure Security Agency (CISA), said this month at the Black Hat conference in Las Vegas that business leaders aren’t properly prioritizing cybersecurity in their boardrooms, and many don’t know which government agency to turn to when they experience a cyber incident. In the meantime, cyber criminals are “eating our lunch,” said Krebs.
But the tools we need to get to work are already at our disposal. To put up a more cohesive defense against cybercriminals, the cybersecurity industry and the federal government must do a better job of sharing information with each other and of holding accountable the businesses that don’t meet minimum cybersecurity standards.
Both sides can take action to improve our national cybersecurity posture. For the U.S. government, clarifying and centralizing breach reporting requirements, as well as increasing incentives for sharing information, will make it easier and more worthwhile for private businesses to disclose their breaches and the information they collect on cybercriminals.
In turn, the cybersecurity industry can enhance the security hygiene of the private sector by standardizing, and incentivizing participation in, ISAC information sharing. The private sector can also partner with the Federal Trade Commission to expand regulation that would penalize companies found, after a breach, to have been negligent in their security practices.
The private sector and the public sector can also work together to raise our baseline cybersecurity knowledge as a society. Federal funding and industry support for programs that promote cybersecurity in high school, offer scholarships to cybersecurity-oriented college students and amplify cybersecurity trade programs would go a long way toward closing the talent gap we have in this industry. To help businesses without resources or knowledge of proper cybersecurity practices stay safe, the federal government could create a FEMA-like organization to provide guidance, or a cyber assistance program that employs government-trained cybersecurity experts to assist private companies at little or no cost to customers.
The federal government also doesn’t necessarily require the consent of the cybersecurity industry to take positive action against the changing tactics of cybercriminals. The administration could give the Office of the National Cyber Director the authority and resources to coordinate all cyber activity across law enforcement, military, civilian, state, and local government organizations into a single, holistic program. This would represent a huge step toward enhancing communication and information sharing across the country. Such a program could remove bureaucratic obstacles and encourage outside-the-box thinking, but there are also smaller steps we as a country can take.
No matter how the cybersecurity industry and federal agencies work together, we must strengthen the public’s understanding of cybersecurity basics. According to the Verizon Data Breach Investigations Report, more than 80% of successful data breaches involved either compromised credentials or the exploitation of unpatched systems and software, two fairly basic categories of attack. This means that, for the majority of organizations and for the people who train them, we should focus on “the basics” of cyber hygiene and information security.
We need to get this right. Even though they are not advanced or “sexy,” we continue to fail at these relatively simple security controls, and they remain among the greatest risks organizations and individuals face. In practice, attackers buy compromised credentials, run phishing and social engineering campaigns, and scan for unpatched systems and software. The challenge is that organizations and people want new explanations and exciting new solutions, but the fact remains that we are still not getting the fundamentals right, and until we come together as a country, the attackers will continue to exploit us.
Adam Marrè, chief information security officer, Arctic Wolf