What is the greatest cyber threat that the United States is facing today?
Most headlines today are focused on nation-state hackers with a political agenda. Russia, for example, has been implicated in penetrating the servers of the Democratic and Republican National Committees, along with social media influence campaigns to affect the outcome of political elections. The prospect of “a repeat of 2016” has U.S. political cycles so worried that money is being poured into think tanks that can help “defend digital democracy” and “develop strategies, tools, and technology to protect democratic processes and systems from cyber and information attacks.”
But while protecting the integrity and security of our political system is undoubtedly extremely important, these incidents are interestingly few and far between; it is like worrying about a shark attack every time you dip your toe into water—in the real world, you are far likelier to be harmed in a car crash. In the cybersecurity world, the equivalent of a car crash is an economic cyber intrusion.
The numbers speak for themselves: cybercriminals are estimated to cost the global economy more than $6 trillion each year, which is double the amount when compared to only four years ago. And with the steady proliferation of devices being connected to the Internet—the so-called “Internet of Things”—people can only expect the number of penetrations to increase in the upcoming years. As the average cost of a corporate cybersecurity breach amounts to $8.19 million in the United States, it’s no wonder that cyber insurance premiums keep on rising.
Unfortunately, for most companies and government agencies, action and investment in cybersecurity only follow a devastating hack. For instance, last year, Marriott International disclosed data from over five hundred million customers had been lost in a hack that stretched back to 2014. In addition, just this September, food delivery company DoorDash revealed four months after the fact that 4.9 million customers, delivery workers, and merchants had had their information stolen by hackers. This stolen information included names, email addresses, delivery/home addresses, order histories, phone numbers, hashed & salted passwords, and over one hundred thousand drivers’ license numbers.
The usual refrain for addressing this enormous threat to the nation’s economic security would be a call for a “whole-of-government” response from Washington paired with the U.S. government leveraging the private sector to its advantage. There is some merit to this: legislative responses to the endless data breaches have been piecemeal, thanks in part to competing laws at the federal and state levels, and the number of enforcement agencies/regimes involved. This has meant that the United States is now, in the words of the New York Times, “the only developed nation without a comprehensive data protection law and an independent agency to enforce it."
Yet, government support should not mimic the regulatory form similar to the European Union’s General Data Protection Regulation (GDPR), which unfortunately evolved into a tool that is used to punish companies who have fallen prey to cybercrime. For example, this past year, British Airways was fined an astounding $230 million after a data breach exposed data of five hundred thousand clients. Marriott International faced a $123 million fine because of lax standards that allowed the aforementioned hack to occur. For the highest level of data-loss “crime,” GDPR can fine an enterprise as much as €20 million or 4 percent of its annual worldwide turnover (whichever is greater). Ultimately kicking firms while they are down, GDPR places much of the blame and responsibility of a hack on the data holder. But in a world of big data that is only getting bigger, is it helpful to impose draconian penalties on those who generate and thereby hold data?
The California Consumer Privacy Act—the most similar American version of GDPR—has been hailed by some consumer advocacy groups and tech industry players alike as a model for more states and the federal government to adopt. Additionally, Oregon’s Sen. Ron Wyden has put forward a bill, amusingly entitled the “Mind Your Own Business Act,” that proposes to empower the Federal Trade Commission—which technically has the legal authority to handle data-security practices, though many companies are pushing back against it—so that it can tackle more cases and pursue more enforcement actions against negligent companies. While individual data rights should be better defined and respected, the government’s focus should be on halting bad actors who commit the data breaches. Government support should help augment security protocols and provide advanced tools for companies and individuals to defend themselves.
In the FY 2020 White House budget, $17.4 billion was earmarked for cybersecurity. Yet this remains a fraction of what the private sector spends annually: the research firm Gartner forecasted global cybersecurity spending stood at $124 billion in 2019. As damage to the U.S. economy continues to increase, it is evident that more funding to help both the federal and private sector will be needed. Equally important would be to produce a shift in how this money is used. To change the tide of the cyberwar, American corporations, citizens and especially their government must hold hands to tackle impending threats with the same agility that its attackers pride themselves on. Today, it seems that as soon as patches are made to enhance security, new “zero-day” vulnerabilities are being discovered, thus exposing data once again.
Cyber defense must be paired with a federally supported cyber offense. Hackers should not feel comfortable sitting behind host countries that either turn a blind eye or directly encourage and sponsor this mode of modern-day privateering. Laws must be rewritten to punish more severely malicious hacking, hackers located abroad should be extradited, and some targeted retaliation should perhaps be considered. States that harbor cybercriminals and utilize internal hacking groups cannot continue to be given free rein over the internet for the next decades.
In recent years, the cybersecurity industry has been accused and reprimanded for spreading FUD (fear, uncertainty, and doubt) in order to drum up business. While cyber threats should not become a sensationalist attraction, the lack of awareness and general interest is an enormous hurdle with potentially deep economic ramifications. In response to headline hacks, corporations have increasingly been creating the position of Chief Information Security Officer to help lead the charge of securing networks and data.
Yet outwardly, this has mainly led to mandatory cybersecurity educational courses that are often seen as cumbersome exercises that interns and junior staff can help with. While government support hopefully increases, the private sector should consider approaching cybersecurity in a more systematic manner and adopt newer technologies. Porous firewalls and after-the-fact hack-notifying dashboards have failed time and time again. With or without federal support, companies need to pursue alternative manners to protect and track their data.
Ultimately though, it may be impossible to fully prevent all economic cyber intrusions. Like car accidents, they seem to be a fact of life: there will always be a reckless driver out there that can endanger the rest of us. What can be done, however, is to ensure that all cars are equipped with all the available safety measures—seatbelts save lives—and that criminals are held accountable for their harmful actions.
Caspian Tavallali is the Chief Operating Officer of Active Cypher, a cybersecurity startup utilizing AI, advanced encryption, and blockchain technologies.