by Ian Donner
In the past year, “cyber threats” went from being an abstract news headline to a tangible, personal issue for me. Within three months, I received two separate letters, one from a large health insurer and the other from the US Office of Personnel Management indicating that my protected health information had been stolen. In this instance, protected health information included my last ten years of employment, social security information, housing details, phone numbers and email addresses of friends, etc., and my fingerprints. Yes, my digital fingerprints!
The digital revolution has complicated the public’s understanding of their personal data and, more importantly, how to protect it. Prior to the digital age, personal assets were primarily physical and the exposure and risk associated with physical asset protection was easily comprehendible. The theft of my fingerprints opened my eyes to the notion that any digital information can be stolen, not just the data I enter on a website or the information that is provided by online bank. Motivated by the theft of my personal information, I looked into exactly how the public and private sectors are protecting my information and what gaps are left unfilled.
Cyber Attacks On The Rise
Cyber attacks on large multinational institutions jeopardize our economy, domestic and international security, and other items critical to our existence as a national institution of the free. To paint a more complete picture, here are a few interesting facts that put into context the growing concern over cyber attacks and security:
- Cyber terrorism is estimated to be at least 6X the global financial exposure as a nuclear attack
- 100% increase in the average number of breaches to businesses since 2013
- 2015 represented the most attacks by at least two-fold from the previous year
- The average cost to the private sector per record stolen is at least $345USD
- Average of 229 days for a company to identify attack
- There are limited to no regulations enforcing the private sector’s prevention of a cyber attack
Public and Private Sector Response
Due partially to the fact that I live and work in Washington DC, I started my research by asking how the U.S. government is enforcing existing cyber security policy and ensuring that the private sector is executing the right levels of risk management to protect against the risk. In 2013, President Obama passed an executive order, “Improving Critical Infrastructure Cybersecurity". This executive order resulted in several actions from Congress and the Government, such as guiding the National Institutes of Standards (NIST) to develop a cyber security framework, the House of Representatives passing two separate versions of the legislation, Protecting Cyber Networks Act (H.R. 1560 and H.R. 1731), on April 22, 2015, and the Senate passing a similar bill called Cyber Security Information Sharing Act (CISA) (S. 754), which passed on October 27, 2015. This movement by the Government causes me to ask, what is next and what can be done to improve government, business, and consumer security?
The private sector continues to lead the cyber attack prevention charge by evolving frameworks, developing organizations, and applying technology to protect our digital information. Yet, without governance in place, cyber security measures are limited to isolated institutions. Policy that promotes aggregating information across companies would facilitate faster and more accurate identification of attackers and the ability to identify patterns and trends. Such policy must also require large global institutions to support scenario modeling and demonstrate business continuity capabilities. Currently, if Company A and Company B are attacked by the same individual or group using the same method, no connection is made between the two attacks. The lack of information sharing between companies combined with the fact that, on average, it takes 229 days for a company to even identify that they have been hacked, is a gap in cyber policy.
Cyber security policy should leverage risk management lessons learned from other industries. The sub-prime mortgage crisis in 2009 led to the creation of the Dodd-Frank act. Dodd-Frank requires large multinational institutions to simulate threats (earthquake, nuclear attack, etc.), to demonstrate that they have enough credit to balance against their debt/risk. For example, if all of your customers decided to withdraw all of their money from a checking account on the same day, could you provide enough cash to manage this risk? By requiring companies to demonstrate their understanding of risk exposure, Dodd-Frank has led to the creation of institutional risk management policies. Similar legislation is needed to set a precedent for cyber security.
The goal of cyber security is not absolute prevention; we must accept that attacks are inevitable. The goal of cyber security is the ability to identify and contain threats while mitigating impacts. Businesses critical to the US economy and national security must demonstrate their ability to continue to operate key components of their business architecture in the event of an attack. For example, hospitals are required to simulate scenarios in which their internal systems fail. Nurses, doctors, technicians, etc. must revert back to using a notepad and pen so the hospital can continue providing care. Federal policy needs to require all key businesses institutions demonstrate their business continuity capabilities and provide ongoing training of personnel.
Ask yourself what your organization is doing to protect its customers and what you are doing to protect yourself. Historically, there has been limited available coverage insurance for protecting your digital assets. Insurance companies have started to offer cyber insurance to fill this gap. I encourage you to review your insurance policies and notice whether only your physical assets are covered. While both the public and private sectors are moving in the right direction, the threat of cyber attacks remains more mature than the defense. Individuals shouldn’t remain at risk while waiting for defensive measures to catch up.