By Kevin McDonald
The U.S. government has been very public about its concern for national cybersecurity. There have been grandiose speeches, presidential declarations and several attempts by the legislature to pass new cybersecurity laws.
But the problem with America’s national cybersecurity strategy is bigger than one-off hacks or data thefts. Crimes perpetrated by the likes of Edward Snowden and Chelsea Manning, and by whoever was responsible for the alleged leak of the CIA’s highly sensitive cyber warfare tools, have resulted in staggering losses.
Beyond those headline grabbers is a problem that gets less attention but poses a significant risk to critical national assets: the fact that private sector businesses operate — but do not adequately protect — a vast majority of the nation’s critical infrastructure and data.
The federal government, and even the largest private sector enterprises, spend billions on cybersecurity investment but fail to extend those efforts into the SMBs that do much of the legwork. Laws are passed that promise to protect sensitive government information and “critical” systems, but the regulations are fine-tuned to work for the business community, effectively neutering enforcement mechanisms. Until there are real ramifications for cybersecurity failures in government and private sector entities that support the government, we will continue to see national security erode.
Consider, for example, the fallout from a 2013 report that found designs for some of the most sensitive, advanced U.S. weapons systems had been stolen by a foreign country. Although it is a serious issue that those weapons systems are now compromised and have likely been duplicated by at least one foreign military, there is no sign of any punishment for the private companies that allowed the theft in the first place. In fact, the companies and their subcontractors that built the stolen systems will ultimately benefit from the espionage: There are a limited number of prime contractors that can perform this work, so the companies from which the designs were stolen will most likely build any replacement systems, if they have not already done so. There is no evidence that the contractors have lost work or otherwise paid for their failure. Until the cost of failure is higher than the cost of implementing real security, we will continue to see poor choices that lead us to cybersecurity failure.
Lack of private sector cyber accountability
I first wrote about the potential for a digital D-Day in 2005, then again in 2012. In the years since, we have sadly not come very far in advancing cyber protection of our most important systems. We are still allowing the private sector to decide what assets are critical and how they should protect them. This is true even where their product, service or infrastructure has a direct role in our national cybersecurity strategy and the U.S. government’s operational continuity.
Private companies should be responsible for the public interest and implement precautions to minimize security failures that potentially undermine national defense. Cybersecurity professionals who falsely attest to security should be held accountable in the same way business executives are held accountable when their companies violate financial regulations.
This is an excerpt; the full original article was published on TechTarget.