A recent report on the U.S. business community’s acute vulnerability to cyber attacks – 96 percent according to Ernst & Young – is alarming. The report is troubling not only because of its findings – a lack of proper cyber defense capabilities – but because it reflects the prevalence of a passive approach that keeps even the best cyber defense systems a few steps behind the attackers.
It is hard to imagine that 96 percent of Ernst & Young’s 1,909 polled executives would deliberately choose to expose their businesses to cyber attacks because of budget constraints. Interestingly, 70 percent of those surveyed indicated that their security policies are now handled at the highest level in the business, “with the person in charge of security reporting directly to the CEO in 1 in 10 companies.” This raises the question of what the 70 percent really means. One in ten is not 70 percent. Generally speaking, the businesses surveyed wish to be seen as “doing something” about cyber when, in fact, they are doing very little. The survey found that only 23 percent of the businesses put cyber security in their top two priorities, while 32 percent considered it the least important item among their security concerns.
An earlier global survey by PricewaterhouseCoopers (PwC) was conducted in collaboration with CSO Magazine, the U.S. Secret Service, the FBI, and Carnegie Mellon University’s Software Engineering Institute CERT program.
In contrast to Ernst & Young, the PwC survey was more curious about what business is actually up to. It found that the business leaders polled have high levels of confidence in their cyber defenses, yet the research showed that, for the most part, inadequate structures and policies were in place and that key defensive tools and security awareness training are declining.
Only half of the businesses surveyed report to their shareholders the loss of business due to cyber attack, while complaining of budgetary constraints. A further 27 percent decline to do so for fear of long-term damage to their reputations. Lack of relevant information and willful blindness make it easier to ignore threats that could wipe out the business.
Not long ago the business community demanded that Congress and the White House stop the cyber attacks and cyber espionage. New plans were drawn up and new legislative initiatives were discussed. But not for long and without tangible results.
In July 2012, on the eve of yet another failed attempt in the House to pass a cyber security bill, ACD examined cyber insecurity in a Capitol Hill briefing. In April 2013, hot on the heels of government and private sector semi-hysteria over Chinese cyber attacks on the U.S. defense establishment and heightened Chinese cyberespionage in our business sector, the issue was taken up again. We invited House Intelligence Committee chairman Mike Rogers to tell us what he and others in Congress were doing to increase government-private sector cooperation in dealing with cyber threats to the U.S. economy. He spoke of the measures needed to increase cooperation between the government and the private sector and to strengthen cyber defense.
The spring of 2013 was marked by a great deal of talk by the Obama administration about cyber as the No. 1 threat to U.S. national security and statements of resolve to stop Chinese hacking. Since then, however, the waters have been disturbed by other events (Egypt, Syria, Obama’s resolve to create a rapprochement with Iran) and muddied by Edward Snowden’s NSA revelations. Accordingly, the cyber issue has fallen off the radar screen completely, not only for the government but also for the media and the businesses that were crying out for help just a little while ago.
One of the principal conclusions during our July 2012 conference and a more recent roundtable was that cyber defense does not work. There is no sure way of preempting cyber attack. This came from experts such as former CIA and NSA director Michael Hayden, former U.S. attorney general Michael Mukasey, Steve Chabinsky, former Senior Advisor to the Director of National Intelligence on cyber, and former Homeland Security official Stewart Baker, among others.
All concluded that the best defense against cyber attack is offense. Various offensive strategies should be applied to different attacks: hackers could be hacked back, and a variety of methods could be used to punish them and the governments that support them. Further, it seemed to all that while the private sector could devise the proper strategies, the government had to come up with the legal framework needed to go on the offense. Alas, nothing has happened. The government is doing nothing and business is still legally barred from “hacking back.”
In the meantime, the number of cyber attacks is on the increase, and vulnerabilities stretch from national defense to public infrastructure (e.g., the electrical grid, communications, transportation), to the functioning of financial markets, to the viability of small businesses.
Both the Ernst & Young and PwC surveys revealed a lethargic attitude among American business executives. Even the well informed seem to have given up on Congress and the White House as useful partners in addressing the existential cyber threat.
Even more troubling is U.S. government apathy, and the apparent willingness of private businesses to bear unknown billions of dollars in losses to cyber attackers.
Have the hackers, who are stealing U.S. industrial and business secrets, hacked also the capitalist spirit that made this country a superpower?