Massive breaches, “hacked” elections, and worldwide outages make headlines on a weekly basis. The mere notion of cyberspace and the unending cry for people with “technical” skills to fill cybersecurity roles present a problem that seemingly demands a technical solution. Yet some of the most prominent breaches and hacks have been the result of mildly skilled hackers exploiting basic human weakness. Mitigating this problem demands policy in Washington, not an algorithm in Silicon Valley. The major issues are really human.
Russia is currently the most notable international cyber actor. It famously “hacked” the 2016 election, with some even claiming that it possibly swayed the outcome. The word “sophisticated” is commonly used to describe its campaign, though the campaign was not as advanced as that word may suggest.
The core of the Russian campaign consisted of sending phishing emails and hoping that insiders and officials would click on bad links that would provide the hackers with access. As the Associated Press describes in its investigation of the hack of the Democratic National Committee that led to the leak of internal emails, “two-factor authentication may have slowed the hackers, but it didn’t stop them. After repeated attempts to break into various staffers’ hillaryclinton.com accounts, the hackers turned to the [staffers’] personal Gmail addresses.” The hackers were stymied by a simple security precaution and forced to move on to targets that were even less well protected. The “hack” of the 2016 election had nothing to do with cracking advanced encryption or infiltrating air-gapped systems. It relied on people making the mistake of clicking a link.
North Korea is also a common cybersecurity nuisance. From the breach of Sony to suspected operations against banks, the threat from Pyongyang is ever-present. Foreign Policy recently reported that the U.S. government is highlighting the recurrence of a destructive malware associated with North Korea, with a particular fear that it will attempt to target U.S. utilities. That same article quotes a cybersecurity professional, who notes that North Korea is actually “pretty bad at hacking.” It is North Korea’s aggressive tactics and the fact that “many utilities are equally bad at security” that make the North a real problem.
In the private sector, the 2017 breach of Equifax that exposed important data of more than 140 million Americans also conjures up images of advanced hackers breaking into secure networks. It turns out that the breach was “a ‘relatively easy’ hack,” involving a flaw in open-source software, a fairly common occurrence. The shocking part of the incident is that a fix already existed. As Wired notes, “Equifax has confirmed that attackers entered its system in mid-May through a web-application vulnerability that had a patch available in March.” The company knew there was a problem and knew there was a solution. Equifax was just either too lazy or too incompetent to bother dealing with the issue.
Human fallibility is impossible to legislate away. There is no way to force people to be more careful about clicking links. To a degree, we must rely on individuals and the private sector to be more proactive about cybersecurity. Two-factor authentication and stronger passcode requirements should be utilized by all entities. Customers and users will complain about the extra hassle, but the habit will eventually become ingrained. Basic training for users with access to even basic data should also be implemented. There is no way to mandate this, but it should become part of employee in-processing like any other basic entry training.
The real effort needs to be at the federal level. There is no comprehensive legal framework and many federal agencies retain overlapping and redundant cybersecurity responsibilities. When the federal government seemingly fails to step in, states fill the void. The lack of an overarching framework has prompted major entities, including Microsoft, to call for a single federal cybersecurity agency.
A single agency may help with coordination, but the major focus should be on the regulations and what the government is empowered to enforce. The state of New York is implementing a new set of cybersecurity regulations for major financial entities regulated by the Department of Financial Services. Compliance includes requirements for the appointment of a security officer responsible for data protection and the creation of a cybersecurity program. The problem is that the penalties for violating the law are unclear. The European Union (E.U.) has implemented the General Data Protection Regulation (GDPR), imposing privacy regulations on companies that do business with or handle the data of E.U. citizens. Most importantly, penalties are strict, with fines of up to four percent of global annual revenue.
The policies above should serve as a basic framework for a U.S. federal policy. While details of who exactly should be covered must be decided, at a minimum, entities that deal with critical infrastructure, defense, and financial, medical, or other private data should all fall under the umbrella. Most importantly, strict penalties for non-compliance must be clear and enforced. The damage that can be done by failures in basic cybersecurity requires both severe and enforceable financial and criminal penalties.
For the United States, cybersecurity policy raises questions that reach to the heart of the nation. How much should government regulate free enterprise? How much personal data should private entities be able to collect and monetize? Is the onus of personal data security on the individual or the government? The suggestions above push heavily in favor of greater government intervention. The government itself is not immune to massive failures of cybersecurity, but the status quo is unsustainable. Policy in Washington must jumpstart the effort for a more comprehensive and robust cyber defense.