We need a cybersecurity policy

Legislation or not, the government has to lead on this.

Reports are that the latest round of cyber-attacks have been aimed at large media outlets like the New York Times, Wall Street Journal and Washington Post. Before media, large banks and other financial institutions were being targeted. Before the financial industry, it was something else. All the while, the U.S. government is under constant bombardment from potential cyber threats probing for weaknesses.

Whether you believe that this most recent round of attacks or any of the preceding waves came from China, or whether you believe that, if they did, the Chinese government was behind them, one thing should be clear: these attacks are not going away. Last year, we saw the rise of hacktivism. Now, if current theories are correct, we are seeing cyberattacks as revenge and retribution. Media outlets that were critical of Chinese government activities are being targeted.

Cyberattacks for political and nation-state strategic gain are becoming the norm. It is time that we as a country recognize this and do something about it. Having been in information security for over 10 years, I have come to a realization. Perhaps you can call it Shimel's Security Catch-22 Theorem. On one hand, any cybersecurity rules or laws enacted by a government or other governing body will be flawed, because cybersecurity is best left to cybersecurity professionals. On the other hand, without some rules or laws, the cybersecurity professionals will never get the chance to do their job. This dichotomy means that we need some sort of cybersecurity rule or law to be enforced, even if it is flawed, to give the security industry a seat at the table and let it do what needs to be done.

Previous attempts by our government to enact cybersecurity legislation have been foiled by lobbyists and special interest groups. The fact is that many in the security industry have opposed cybersecurity legislation because we know it will be far from perfect and could harm as much as it helps. But without it, we are never going to have the opportunity to do something to protect our country until after it is too late.

There are those predicting a cyber Pearl Harbor. They know that it is only a matter of time until something beyond annoyance or moderate financial loss takes place that will finally awaken the country to the fact that we need to get serious about security. I am sure that when that happens there will be some who, like the people who say FDR knew about the Japanese attack beforehand, will claim we let this happen because we wanted it to force our hand.

But why do we have to wait until after the attack? The writing on the wall is plain enough for us to see now. I suppose with the dysfunctional government we seem to currently have, the difficulty of getting a cybersecurity policy or law in place should not surprise us. But there comes a time when you really do have to act for the good of the country.

I know there are plenty of my colleagues in the security industry who differ with my opinion. They want the government to stay out of legislating cybersecurity. But when matters rise to the level of a national interest, that is exactly the circumstance our government needs to act. We have reached that threshold. The government needs to act. In the long run, it will enable the security industry to do what needs to be done. It doesn't have to be perfect, it just needs to get the ball rolling.

Some of my friends say what we need is to put both civil and criminal negligence rules in place to hold those who are negligent in implementing cybersecurity liable. But isn't that a law in and of itself? In order to prove negligence, we need to prove a deviation from the reasonable. I don't see how that is different from the government passing a cybersecurity law.

There is another line of reasoning that no matter what laws we pass, no matter what the security industry does, we can never truly safeguard our critical infrastructure. Advanced persistent threats (APT) and similar attack methods render all of our defenses inadequate. Perhaps that is true. But that is not a reason not to try. If at first we fail, we will try again. If that fails we try yet again. Not succeeding on the first try or even not succeeding at all is never a reason to stop trying to do what must be done.

So while there are people who say that the government should stay out of cybersecurity regulation, I think now is the time for the government to get involved. Our critical cyber infrastructure extends beyond the government's own networks. We need to make it clear what a reasonable organization must do to protect itself and what the consequences are if it does not.
