It is impossible not to be concerned about cyber attacks if you are following the news. The question is what to do about it.
Last week Richard Levick, CEO of Levick, Andres Franzetti, chief strategy officer of Risk Cooperative, and Brian Finch, a partner at Pillsbury Winthrop Shaw Pittman, joined me on What’s Working in Washington to discuss cyber attacks and their effect on business owners and society. This conversation reinforced in me something I had already suspected: cyber attacks have become commonplace.
Brian Finch pointed out that the bar to launch a cyber attack had become very low indeed. There was no longer a need to write code or be a systems expert. You just needed to find existing tools for sale on the “dark web” and cut the developer in for some of the upside in your hacking scheme.
Andres Franzetti agreed with Finch’s characterization of the widespread availability of tools to do cyber harm. “A lot of folks just don’t get it.” It’s an arms race. And it’s a race where it’s a lot cheaper to attack than defend.
The result of this rapid expansion of cyber attack techniques and software? Easy availability means that every American business and government entity should assume it will eventually be cyber attacked, if it has not been already. As Richard Levick put it: “One hundred percent of companies are going to have to deal with this.”
If we are in a place where cyber attacks are commonplace, then what are we to do about it?
Clearly, businesses must prepare for the inevitable by taking a hard look at their technology and being ready to manage the public relations challenges and business interruptions that are likely to occur.
But I have significant concern that our government has to rapidly fill a policy void, if we are to address the larger societal challenges that the ubiquity of cyber threats creates.
For our national security, we must have clearly stated principles for how the United States government will respond to cyber attacks. You can’t deter aggression unless you can communicate the likely consequences. It’s one thing to talk about cyber war conceptually, but another to define the difference between using military force to influence another nation state’s behavior and using cyber attacks to achieve similar ends.
Turning to commerce, there is an immediate need for the management and owners of companies to have rules to allow them to allocate legal liability when the inevitable cyber attack occurs. For instance, it is broadly acknowledged that many boards of directors of public companies are now keenly aware that directors might face personal liability if their company is the subject of a cyber hacking. But have we really stopped to ask whether, as a matter of policy, it should be their responsibility? And, if the answer is yes, under what circumstances should insurance cover their risk, if there should be insurance available at all?
What about the responsibility and liability of individual employees? We know that in many instances, cyber attacks succeed because a single computer user in a network didn’t keep his computer software up to date or used a password that was easy to guess. If people don’t practice good computer “hygiene,” should the responsible individuals be penalized for their lack of care if their employer’s system is hacked? Does it matter if it’s a shared computer, or one that is used exclusively by the employee?
And, finally, what should our reasonable expectations for privacy be? Is it still fair to expect our personal information to be protected when it is shared online? Or if we don’t practice good computer hygiene on our home computers? Under what circumstances should we be entitled to hold others accountable for our loss of privacy or property because of a successful cyber attack?
I don’t have the answers to these questions today, and that is my point. The time for argument about whether cyber security is an issue has passed. The time for action by our government has arrived.
The threat to our way of life is not fake. It’s real.