Despite the mounting risks we face in cyberspace, there remains resistance to fully addressing these problems today, as well as preventing and preparing for future threats with the most potential for widespread harm. We must improve communication between the public and private sector about threats and vulnerabilities, and institute requirements for responsible protections when necessary for
Every day intellectual property vital to our national defense and economic competitiveness is targeted and stolen in cyberspace. These threats are rapidly becoming more damaging and extensive, as highlighted through reporting from private companies that have chosen to speak up about this ongoing crisis.
A 2010 study found the average cost of a data breach for a business to be $7.2 million, but the increasing value of intellectual property makes these losses marginal in comparison to the long-term damage to America's ability to remain the world leader in innovation. A lax corporate -- and often agency -- attitude towards cybersecurity and the investments required to mitigate IT risks have led to a system that discourages transparency and incentivizes inaction.
As we have seen in the flood of recent news reports about targeted "hacktivism," far too often, existing products and procedures are not used by companies to protect their customers' data from the most basic threats. I support the request made by Senator Rockefeller and his colleagues who asked the Securities and Exchange Commission (SEC) to clarify corporate disclosure requirements for cybersecurity breaches. If federal securities law already requires publicly traded companies to disclose "material" risks and events, including cyber risks and network breaches, then a significant number have failed these requirements. The SEC has responded affirmatively to this push and now should follow through to ensure investor access to this information.
This is not an effort to punish those who have had an intrusion. Instead, it offers a way to provide transparency to consumers and allows the market to address this problem through customer choice.
The government, which possesses the greatest knowledge of the most sophisticated cyber threats, also has a role to play. However, existing laws intended to provide important privacy protections are ambiguous about allowing the private sector to share information with the government about threats – information that would help lead to solutions. Government is similarly constrained, as the cyberthreat information it collects is most often classified and must go through a lengthy review before it can be shared with private industry.
About Jim Langevin
TITLE: Democratic Congressman
COMPANY: House of Representatives, Rhode Island's 2nd Congressional District
- Co-chair of the Center for Strategic and International Studies' Commission on Cybersecurity for the 44th Presidency
- Co-founder and co-chair of the first-ever Congressional Cybersecurity Caucus.
- In the 110th Congress, served as chairman of the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology; held eight hearings on cybersecurity and conducted over a dozen investigations.
- Introduced the Homeland Security Network Defense and Accountability Act, which passed the House on July 30, 2008
- Introduced legislation in support of the goals of National Cybersecurity Awareness Month
The Department of Homeland Security (DHS) currently works with owners and operators of critical infrastructure on a voluntary basis to share information about threats to industrial control systems, but there is only a limited process for collecting threat information from public companies and many worry about legal liability or business repercussions from thorough reporting.
The Pentagon has implemented a pilot program that provides some Internet service providers with threat information to disseminate to select participating defense companies, but these efforts are currently only targeted at protecting our defense industrial base. A future model could use DHS authorities to help protect a broader customer base.
We must ramp up our efforts to provide the greatest possible threat visibility, while maintaining a strong privacy regime that prevents the government from having unnecessary access to private citizen and company data.
In the case of critical infrastructure on which we rely for public safety or national security, the risks are too serious for the government not to take some active responsibility for protecting our citizens. The threat to these entities lies in massive vulnerabilities in control systems and institutional mindsets that do not prioritize security. We already know the technology exists to cause massive damage, and we know there are numerous actors who would not hesitate to acquire it and use it against us. We cannot wait until these forces combine before we establish preventive and reactive procedures.
In some areas, such as the electric grid, the status quo is failing, while others, including the financial sector, have made substantial progress as the threat has grown. The White House's recent legislative proposals set up a useful template for dealing with these disparities by segmenting each sector under different frameworks shaped with full cooperation of that specific industry. For example, the types of threats facing smart grid technology are fundamentally different from the challenges of financial fraud. DHS should partner with sector-specific agencies and industry to institute the right mix of mandatory requirements, with penalties and incentives that make upgrading cybersecurity more cost-effective. I am looking to build off these recommendations and work with my House and Senate colleagues to move legislation forward this year.
With the increased focus on cyber issues by Congress, the Administration, and our citizens, we have an opportunity to bring all the relevant parties together and establish real solutions now before this silent crisis becomes a digital disaster.
The Security 7 Awards recognize the efforts, achievements and contributions of practitioners in the financial services/banking, telecommunications, manufacturing, retail, government/public sector/non-profit, education and health care/pharmaceutical industries. Click here to learn more about the Security 7 Awards and to see a list of all the winners.
This was first published in September 2011