Many of the good actors of cybersecurity are implementing new technical measures to improve information security while they build institutional mechanisms to coordinate government and private sector work throughout the world. These twin steps of technical innovation and institutional reform are the pillars of any successful cybersecurity strategy going forward.
These are the “good guys” of cybersecurity, and it’s important to distinguish players like these from the bad actors of information security, a point that was highlighted at two recent information security conferences in Washington, D.C. At the Visa Security Summit in early October, Visa’s Ellen Richey promised a regime of “responsible innovation” where new payment products would be introduced with security “built in from the start.” At the Washington Post Live’s Cybersecurity Summit, Microsoft’s Craig Mundie noted the global nature of these evolving threats and called for new international mechanisms, a “World Health Organization for networks,” to coordinate effective government and private sector responses.
Providing good information security is a constant battle between the real bad guys, who want to break into, disable or destroy complex computer systems and networks, and their victims, who must constantly innovate to keep up with a continuously changing threat landscape. The good guys in government and the private sector are playing a deadly game with an implacable foe.
They need public support for their efforts, not public shaming when their reasonable efforts fall short. Unfortunately, many assume that if the bad guys have been good enough to get into a computer system, the good guys must have done something wrong. This uninformed reaction typically follows well-publicized breaches, and some of the reaction to recent revelations involving several major companies is no exception.
This tendency to blame the victim misunderstands the nature of cybersecurity threats and responses. Providing good information security is a risk-based task of assessing threats and vulnerabilities and taking reasonable steps to mitigate them. It is a matter of proportion and balance, not absolutes. Reasonable policies and procedures must be taken in proportion to the size and nature of the threats and the value of the assets that need to be protected. These risks cannot be reduced to zero. As the FTC has asserted, as far back as 2005, “…there is no such thing as perfect security, and breaches can happen even when a company has taken every reasonable precaution.”
The blame-the-victim mentality can do real harm too. As speakers at the Washington Post Live’s Cybersecurity Summit repeatedly pointed out, when companies think they will be the object of public shaming for being the target of a hacker, they often wait until the last minute to be absolutely sure they have a problem before telling other private sector parties or the government. During that delay, the same hackers who have victimized them are victimizing others. Good guys need incentives for sharing information about attacks and vulnerabilities, not punishment. Wider understanding of the difference between the victims and the perpetrators would help, as would government legislative action to limit liability for firms who share cyber threat information with each other and the government. The House has passed such legislation and movement in the Senate is on the horizon.
The fact that valuable computer source code was stolen in one of these attacks suggests an additional coordinating role for government – moving in the international direction suggested by Microsoft’s Mundie at last week’s Washington Post Live conference. The U.S. government needs to take global steps to mitigate the theft of U.S. trade secrets. The elements of an Administration strategy in this area, announced last February, include:
• Increasing U.S. diplomatic engagement. This includes conveying concerns to countries where there are high incidents of trade secret theft with coordinated and sustained messages from the most senior levels of the Administration; building coalitions with countries that share U.S. concerns; urging foreign law enforcement to do more; and using trade policy tools to press other governments for better protection and enforcement.
• Supporting industry-led efforts to develop best practices to protect trade secrets and encouraging companies to share with each other best practices that can mitigate the risk of trade secret theft.
• Continuing to make the investigation and prosecution of trade secret theft by foreign competitors and foreign governments a top priority.
• Providing warnings and threat assessments to the private sector on information and technology that are being targeted for theft by foreign competitors and foreign governments.
• Conducting a review of U.S. laws to determine if further changes are needed to enhance enforcement, and working with Congress to make any necessary changes.
This is still a good strategy and implementing it should be one of the primary reactions to the recent news of the theft of trade secrets and private information from U.S. companies.
Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow Mark on Twitter at @Mark_MacCarthy