Comment

Why cyber defense ultimately rests with the private sector

(Image: Maksim Kabakou / Shutterstock)

Following what was broadly known as the year of the breach, our nation’s leaders have responded to the public outcry for help in defending against cyberattacks. The private sector has been the hardest hit by cyberattacks and data breaches in recent years and is now seeking that help from the federal government.

As Congress contemplates various cybersecurity proposals, we should welcome initiatives that foster continued sharing of cyber threat information between the public and private sectors. However, it is important to understand that although legislative measures expanding prosecution and law enforcement authority against cybercriminals might deter some attackers, they are not a panacea, because the people behind an intrusion often go unidentified.

Attribution in forensic investigations is exceedingly difficult and resource-intensive, and the difficulty is compounded by adversaries’ adroit use of proxy servers, IP masking and other techniques that preserve plausible deniability. An IP address recovered from logs identifies a machine, frequently a compromised one belonging to an uninvolved third party, not the person operating it.

When it comes to sharing information, the Obama administration’s executive order calling for the establishment of information sharing and analysis hubs reflects the growing urgency to defend U.S. economic interests. Whether the private sector embraces and makes use of those initiatives will depend on how well the government can actually protect companies in return, especially on whether classified threat information, which is time-sensitive and essential, can reach them while it is still actionable.

Further complicating acceptance is the fact that more than one agency is responsible for investigating intrusions. The panoply of overlapping organizations with concurrent jurisdiction includes the FBI, the U.S. Secret Service and others, so a company reporting an incident may not know whom to call first. Furthermore, the lack of liability protection for companies that share information containing sensitive customer data leaves them legally exposed.

Given those realities, is it really reasonable for the private sector to rely on the government to improve its cybersecurity, or even to be an equitable partner in it?

Federal programs are undoubtedly important, and federal cybersecurity initiatives are instrumental in creating a common taxonomy of standards, but they should not be regarded as a replacement for corporate security investments and a proactive, preventive posture. Collaboration between the public and private sectors matters to the defense of U.S. economic ingenuity because the two sectors complement each other in depth and breadth of skills, resources and relevant information, and together can help stem the tide of cyberattacks.

However, how badly an organization is hurt by an attack will always depend on the maturity of its internal cybersecurity culture, the implementation of holistic security safeguards, and the extent to which it can prevent, detect and correct vulnerabilities and recover when an attack succeeds.

In more and more cases, businesses are being penetrated not because the government was insufficiently involved in their security but because they skimped on it themselves. The attack on retail giant Target succeeded because the company neglected adequate and reasonable safeguards across the enterprise. Despite using a best-in-class intrusion-detection system, the retailer left myriad vectors undefended, including those associated with vendor access management, hardware encryption, training, awareness and other minimum defense-in-depth practices. A detection tool is only as good as the process that triages and acts on its alerts; without that process, and without the basic controls around it, the tool is an expense rather than a defense.

In the 16 months since that breach, countless other companies have fallen victim to cyberattacks, including Sony, JPMorgan Chase and Anthem. Many of those attacks have been linked to the same kinds of lax security practices that Target followed.

Although the administration should be praised for elevating the importance of cybersecurity and acknowledging the role the government can play, we should remember that government involvement will never replace a risk management strategy built on a proactive posture and mature cybersecurity practices within the enterprise.

About the Author

Sean Doherty is president of TSC Advantage.
