Two leading cybersecurity professionals — one whose firm offers cyber products, the other a high-profile industry advocate for cyber strategies grounded in economics — cited extensive security developments in the private sector in the year since the Equifax hack, amid slow, often imperceptible responses from federal policymakers.
The Equifax hack, affecting 150 million Americans, was revealed on Sept. 7, 2018, and at the federal level triggered Federal Trade Commission and Bureau of Consumer Financial Protection investigations, and rekindled long-stalled congressional efforts on data security and breach notification legislation. But outcomes have been sparse from these efforts.
Larry Clinton, president of the Internet Security Alliance, offered private-sector actions as a contrast to government responses to Equifax and the cyber challenge in general.
“The private sector has continued to make strides toward improving cybersecurity both at the senior cyber risk oversight level and the nuts and bolts cyber risk management levels — most of which have been largely unnoticed inside the beltway possibly because there has been little government involvement in these innovations,” he told Inside Cybersecurity.
And Tom Gann, McAfee’s chief public policy officer and head of government relations, in a separate interview cited “growing awareness” of cyber needs among CEOs and the growth in hiring of chief security officers as two examples of positive developments over the past year.
He said a uniform — and “aggressive” federal data security and breach notice standard is needed — “no less stringent than” tough standards in states like California and Massachusetts, he said. But the federal government should also provide incentives such as liability “safe harbors” for “implementing good security practices” including using encryption to secure personally identifiable information.
But Gann said there is now “a real focus” in the private sector on “creating cybersecurity platforms so organizations are protected from the cloud to the end point. That’s the next step beyond firewalls.”
Increasingly popular “open cybersecurity platforms allow you to integrate the next big innovation — at the end point or wherever appropriate,” Gann said. “The private sector is doing what it should be doing: innovating.”
In addition to the enormous attention around the Equifax hack, Gann said the recently implemented European Union General Data Protection Regulation has also heightened awareness of cybersecurity issues among corporate leaders.
“Due to GDPR, companies realize they have to look at cybersecurity from a high level,” Gann said. “I see positive trend lines here.”
He said the Equifax incident also should prompt a look at the use of Social Security numbers “as both unique identifiers and authenticators,” which he called “very disturbing” in light of the millions of those numbers potentially being released into the wild by the Equifax and other breaches.
“Fixing the Social Security vulnerability is part of the get-well plan,” Gann said.
Larry Clinton: Cybersecurity starts at the top
ISA’s Clinton discussed ways companies are organizing themselves to address cyber challenges, saying: “One of the initiatives is to address the cybersecurity issue by starting at the top — at the board level — rather than fixating almost exclusively at the operational level. So organizations representing corporate boards have worked independently with cyber experts to develop their own oversight framework which has been independently assessed and shown to generate tangible cyber security outcomes including improved cyber security budgeting, better risk management, closer alignment of cyber security with overall business goals and helping to create a culture of security.”
Clinton said he was “not aware of any similar independent validation for any of the government based operational programs — although if they were subjected to independent analysis they too might demonstrate success, this sort of testing simply has not been done yet, and probably ought to be.”
This board level process, Clinton said, “was begun by the National Association of Corporate Directors but over the past year has spread internationally with multiple organizations in Europe and Latin America collaborating to develop a sustainable and coherent global cyber risk oversight framework for boards based on the NACD model.”
Clinton said: “Perhaps even more important has been an evolution in the private sector toward far more sophisticated methods of cyber risk assessment and modeling. The dominant process historically, and largely still embraced by government, has been basically a check list model of various standards and practices. While these methods were the best we could do initially some of us in the private sector have long called for a more modern model that is uniquely calibrated to the risk posture of a particular organization, adds context to cyber risk management and uses contemporary analytical tools that can include the economics of cyber security into risk management calculations.”
He said: “Over the past year or so we have seen very encouraging innovations in far more sophisticated cyber risk management that is a paranematic leap over the outmoded (and unproven) check list methods. Various analytics-based approaches like the X-Analytics system or FAIR or the work of Geer and McClure are now being adopted by thousands of companies who are taking cyber risk management to a whole new level — virtually without any government involvement.”
Clinton concluded that, “In light of these innovations in the market it is actually a good thing that government has resisted the urge to mandate one-size fits all requirements on industry — especially since there is no evidence these check-lists actually improve security.”
That doesn’t mean there’s no role here for government, Clinton said, explaining: “It just means that government’s role in the 21st century is different than the simple regulatory model of past centuries. Government needs to provide incentives for the private sector to continually innovate in the face of ever evolving and sophisticated cyber threats and where cyber security for the nation cannot be achieved via commercially justifiable security investment, government needs to provide market incentives so the private sector can make adequate security investments without undermining the productivity, innovation and growth from the private sector that the nation relies on.”