With cybersecurity front-and-center in the board rooms and executive suites of virtually every major corporation, it stands to reason that some of the thought leaders at the 2015 Milken Institute Global Conference would have a few things to say on the topic.
Companies are starting to understand that the business community has reached a “new normal” when it comes to cybersecurity, according to Brunswick Group CEO Susan Gilchrist. CEOs are becoming more engaged and are coming to understand that they need to invest.
Ray Rothrock, chairman and CEO of cyber defense firm RedSeal, said a great deal of spending has transitioned from prevention to incident response and recovery. However, Rothrock cautioned that the solution is more complex than just boosting cybersecurity budgets. Rothrock said JPMorgan Chase is a prime example: The firm spends hundreds of millions of dollars per year on cybersecurity and it still got hit.
There are many relatively inexpensive best practices that firms can deploy to improve their cybersecurity. The most significant is information sharing. This falls in line with the latest efforts from the White House and across various industries to help thwart attacks. Alex Stamos, chief information security officer for Yahoo!, said information sharing is critical because it is “shocking” how often hackers re-use the same methodologies.
Suzanne Spaulding, Under Secretary, National Protection and Programs Directorate, U.S. Department of Homeland Security, also weighed in, saying that one silver lining from what she calls the “Year of the Breach” is the increased interest from the private sector in collaborating on solutions. Spaulding cited groups like the Cyber Threat Alliance that bring service providers together to share information about threats they see across all business verticals. The hope is that such organizations will partner with government agencies to further facilitate information sharing. “If we can have near-real-time situational awareness, things will improve,” Spaulding explained.
What else can governments do?
One area where the U.S. government has helped business was in the establishment of the Cybersecurity Framework. The Framework, put forth by the National Institute of Standards and Technology, outlines guidelines for sound cyber defenses, but intentionally stops short of offering granular details.
“The Cybersecurity Framework is helpful, but it intentionally stops short of setting standards because the government knows there is no one-size-fits-all for various companies,” Spaulding said.
Stamos applauded the move to avoid specific standards because an unintended consequence would be some companies only aiming for a certain, likely low, threshold of defense just so they can say they meet the government standard. Stamos cited the example of the credit card payment processing system, which requires retailers to certify their systems. When certification standards are specific and public, they tell hackers where to aim. According to Stamos, Target and Home Depot were certified before they suffered attacks that made headlines.
Stamos had some stinging words for the cybersecurity legislation currently making its way around Capitol Hill. Describing the bill as an effort at only tackling the “low-hanging fruit” on the cybersecurity tree, Stamos said, “Of the Top 10 things I would want the government to do, the current legislation on cybersecurity is probably No. 12.”
Spaulding explained that some of the bill’s perceived shortcomings can be attributed to politics, particularly the contentious mood about all things big and small on Capitol Hill. “The cyber bill has been successful in the current Congress because we decided to not be too ambitious.”
“Standard Level of Care”
Spaulding said another benefit of the Cybersecurity Framework is that it moves the conversation closer to a “standard level of care.” Such a development would have major ramifications for corporations because courts have thus far been hesitant to hold companies liable for cyber breaches that harm customers. If a “standard level of care” is introduced and a company is proven not to have met that level of care, then judges and juries will be far more likely to award damages.