We’re hitting rock bottom in cyber — let’s do something

When it comes to the cybersecurity problem, where is rock bottom?

Was it WannaCry, a ransomware attack unprecedented in scale that held hostage computers in 150 countries in May, including Britain’s National Health Service? Or a similar and perhaps even worse attack that hit countries around the world just weeks later?

Was it the Yahoo breaches tied to a state actor that affected 1.5 billion user accounts? Is it that cyber intruders are actively going after water, power and utility grids with growing frequency and sophistication? Surely, it had to be Russian interference in the U.S. election — the alleged hacking of Democratic party emails and 21 state election systems — right?

Internet security is in a state of crisis. With their shocking scope and targeting of some of society’s most critical infrastructure, recent attacks are making some of the incidents that used to alarm us — the Target breach a few years ago, for example — almost seem quaint by comparison.

It seems cyberspace not only remains an environment prone to compromise but is hurtling toward a state of chaos where, as Columbia University scholar Jason Healey has put it, the internet “would no longer be merely the Wild West, but a failed state like Somalia.”

And yet, where is the outrage? Reeling from one attack after another, we sometimes appear dazed and confused rather than mustering a collective commitment that treats cyber insecurity as a crisis of the highest order.

The world will spend $90 billion this year on information security, but continues to live in fear every day that the internet is on the verge of being taken down by cyber criminals.

Ultimately, the problem is bigger than governments or private industry can solve in isolation or with piecemeal solutions. What’s needed is concerted global action.

Cybersecurity must be a top-of-agenda item for world and corporate leaders. We need fresh, practical approaches to protecting an internet that has rapidly become the central nervous system of the planet.

In a perfect world, the international community would level sanctions against countries harboring cyber criminals. This would be very delicate, though, since two world powers — Russia and China — are considered to be U.S. cyber adversaries and part of the problem.

But some sort of international accord to agree on rules and reduce risk would be a big step forward. Perhaps a good first step that all nations could agree upon is that certain types of critical infrastructure are off-limits for attack.

It would alleviate the tenuous situation described by the Carnegie Endowment for International Peace: “In many countries, national laws governing this space are either absent, vague or difficult to operationalize. International understanding and conventions to harmonize national responses are also largely absent, complicating efforts to manage cross-border incidents with political ramifications.”

In fact, existing institutions such as NATO should maintain and look for ways to expand their role in ensuring strong and resilient cyber defense. With capabilities for malicious activity evolving faster than business-as-usual can adapt, NATO can play a role in making better cybersecurity a top global priority.

For example, NATO could become a central point for allies to share advice, best practices and the latest technologies to combat cyber attackers.

But more than that, NATO could shift its focus from a strictly defensive stance to an offensive one. As a recent article by the Atlantic Council correctly noted, “Defensive measures might hold off an individual cyberattack, but they do not address the underlying threat. Although the protection of NATO members’ national networks should be a priority, the most effective way to provide sustainable and long-term protection against cyberattacks is through offensive capabilities and the destruction of opponent networks and systems.”

Beyond NATO, there are other serious steps that can be taken.

Government should promote better disclosure on cybersecurity health to investors. Another step would be to better promote the availability and coverage of cyber insurance. The insurance industry has historically been at the forefront of incentivizing society to adopt better and safer ways of living, from quitting smoking to wearing seat belts to installing smoke detectors. The same can hold true in cybersecurity, with greater adoption of cyber insurance eventually spurring policyholders to adopt cybersecurity best practices.

Companies and universities should aggressively explore programs to help fill the cybersecurity job shortage, estimated at nearly 2 million open positions worldwide. A good example is IBM’s recent initiative to promote alternative education models that reach a broader pipeline of employees based on skills, experience and aptitudes rather than traditional hiring models focusing solely on degrees. And organizations around the world should absolutely be focusing on bringing more women and minorities to fill these positions.

It’s often said that we’re very good at appreciating the cybersecurity problem. But by coming together and collectively taking these sorts of concrete steps, the world can shed the false narrative that solving this problem is too hard or confusing.

The internet’s very existence is at stake.