Crosscurrents of Crisis

One central message that emerged from the broad conversation: Deep collaboration is needed between the private and public sectors.

“Companies and government are still operating, to some extent, in what I think is an old paradigm, that of a traditional firewall between government and the private sector,” Mr. Little says. “Both sides are still figuring out how to work together. And I worry that we’re very far off.”

Another message that rang clear: Nothing about cybersecurity is easy. Each sector, each company, has unique vulnerabilities and widely varied degrees of preparedness.

“There are certain threats that everyone needs to worry about, in the same way that everyone needs to worry about COVID-19,” Mr. Isles says. “Ransomware would fall into that category. Beyond that though, certain categories of companies, based on what they do or where they operate, are going to have additional levels of inherent risk.”

In addition, some specific threats are moving targets, he says.

“We’ve seen that with respect to water and water treatment plants,” Mr. Isles says. “A year ago, we might have been talking about them as a kind of hypothetical scenario. Six months ago, we would have been pointing to Israel where there were several attempted compromises of water treatment facilities. And today it’s no longer unique to the Middle East, as we saw in February with the impact on a water treatment plant in Florida.”

Ms. Ricardel points to aerospace and defense as examples of industries that are more prepared for this moment. “There, you’re already thinking in the mindset of threats, and how do you deal with them, even your own networks as a company because of the attempts to penetrate and exfiltrate data. But other sectors are newer to it and they will have to ramp up because they are vulnerable.”

That vulnerability extends all the way down to individual employees. While the individual worker has always been a weak link in organizations’ cyber defenses, over the past year they have become targets for a broader set of cyber threats, from uninvited pranksters barging in on video conferences (known as “Zoom bombing”) to credit card theft and personal ransomware attacks.

“The pandemic itself prompted a sudden and massive shift in online behavior—not just in telework, but in telehealth and teleschooling,” Mr. Little says. “So in addition to private sector, cybersecurity has become a very personal issue as well.”

On the company level, ransomware attacks have escalated in frequency and scale over the last year and a half, Mr. Little says.

“Companies have had to grapple with ransom requests for as much $20 million, and have faced operational issues, issues with their data—all while they’re trying to operate a business in the new virtual world,” Mr. Little says.

Ricardel notes that companies have to realize that they are at a strategic disadvantage. “It’s easier to deploy a cyberattack than it is to protect against it,” she says. “Leaders need to think about this as a daily, routine issue, much as the physical security that you would have. You might use cameras to monitor who’s coming into the building, taking out documents. It’s harder to see who’s coming into your operating system on your computers.”

That already complex problem has been made much more complicated by pandemic and the transition to remote working. Even dealing with the consequences of an attack have grown harder in the current environment, says Mr. Isles. “Normally, it would be ‘OK, we want to go image a server.’ Well, physically you can’t go anywhere because of pandemic restrictions. Incident response and crisis management is a process that has also needed to go through its own fairly dramatic transformation.”

The Spaghetti Problem

The Biden executive order alone may seem a small step, the three agreed, but is a necessary part of a larger, ongoing government response that appears to be on the right track.

“The US government has accurately identified the threats—that’s always step one,” Ms. Ricardel says. “The responses have been somewhat ad hoc. Frankly, nobody was thinking about what might happen in this environment. Businesses, governments were focused on other things and then comes a SolarWinds attack or something and you say, ‘Oh, my gosh. We need to look at this.’”

The issue of cybersecurity for the country and its business community is a bipartisan one, and previous executive orders have similarly addressed concerns. Some are not yet fully implemented, Ricardel says, citing a telecommunications supply chain executive order as an example, where regulations are still being rolled out.

“It’s not complete,” she says, of the government response. “But at this point, there’s no matrix we can point to say, have we covered every threat? It’s more like a bowl of spaghetti. And you have to pull apart the spaghetti and see what actually is done and where things connect.”

Ms. Ricardel also notes that, while the risks and consequences vary, the fight is the same across all. “You can't look at cybersecurity in a silo,” she says. “It is really part of the landscape. And it will have to be addressed no matter what type of business you have, no matter what part of government you’re in. We don’t have the option to hope it goes away.”

Speaking from his experience in the homeland security sector, Mr. Isles sees three tools that government has to incentivize industries more broadly: rules related to procurement, industry regulations and underwriting by insurance companies. The Biden administration is moving forward on the first of these with the Cybersecurity Maturity Model Certification (CMMC) program, originally launched by the previous administration, which will require cybersecurity programs at defense contractors to be validated by independent third parties.

“That is a model that we’ve seen in banking and payments sectors for years. We’re taking a basic approach that is not new to industry and applying it to this sector,” he said.

In regulation, longstanding public-private partnerships, such as outlined by the Maritime Transportation Security Act in the context of port facilities, have had security expectations for years and can act as models for cybersecurity requirements elsewhere.

“One of the most interesting areas to watch right now is cyber insurance,” Mr. Isles says. “There is enormous pressure from the many kind of ransomware claims that are coming in. But in addition, we have seen some steps, particularly by the New York State Department of Financial Services, to try to go beyond exposure and claims, to have the insurance industry incentivize strong performance as well.”

The Lonely and the Heroes

The SolarWinds break-in held examples of the benefits of strong cooperation with the government, Mr. Isles said. Cybersecurity solutions company FireEye was the first to report the problem.

“Notwithstanding that they were compromised, FireEye were the heroes,” Mr. Isles said. “By disclosing what had happened they disrupted a much larger plot and helped a whole bunch of other companies figure out that they had an issue as well.”

Part of the reason a spirit of collaboration and disclosure are so important, Mr. Little said, is that the government doesn’t have the same kind of authority on cybersecurity that they might elsewhere. 

“Cybersecurity is very lonely space for companies,” Mr. Little said. “You can't call 911 for a cybersecurity incident, generally speaking. Most companies cannot rely on the US government for cybersecurity support.

“But we have to get to a point where we recognize that we face some common threats and work to address them in a way that’s going to benefit us all. The companies that lean forward on these issues could find that it is a competitive discriminator—it will build trust, not only with their immediate clients and customers but also with the government and others that they work with.

“Cybersecurity should not be viewed as a competitive issue for most companies. This is something that affects us all.”

--