Cybersecurity Needs An Operation Warp Speed
“Ransomware activity jumped an astounding sevenfold in the second half of 2020 compared with the first six months.” – FortiGuard Labs Threat Report: Disruption Key Threat Trend in 2020
A recent survey by cybersecurity company Sophos found that 51% of respondent businesses in the U.S. were hit by ransomware attacks in the past year. Another such company – Recorded Future – counted 65,000 ransomware attacks in 2020, or an average of seven per hour.
The 2021 Cost of a Data Breach Report, conducted by Ponemon Institute and sponsored and analyzed by IBM Security, surveyed over 500 organizations and found that data breaches now cost surveyed companies $4.24 million per incident on average, a record high.
Moreover, Recorded Future found that only 65% of data encrypted by a ransomware attack was restored after the ransom was paid.
Clearly, simply paying a ransom is no guarantee that a company’s encrypted data will be successfully restored, nor that the company will be able to resume its operations. Standard data encryption is giving way to extortion-style attacks where, instead of encrypting files, the attackers steal and threaten to publish company data unless their ransom demand is paid. This entails less effort for them as no encryption or decryption is needed.
Government Cybersecurity Initiatives
The Biden Administration’s response to the Colonial Pipeline ransomware attack includes an “Executive Order on Improving the Nation’s Cybersecurity”. Among other things, it requires government contractors to report cybersecurity incidents to the government. It also sets aggressive timelines for federal agencies to implement stronger encryption, government-wide endpoint detection and response, Zero Trust architecture and other state-of-the-art cybersecurity capabilities.
This and the $650 million in new funding the Cybersecurity and Infrastructure Security Agency (CISA) received for cybersecurity work in this year’s American Rescue Plan are steps in the right direction and long overdue. But they’re limited to federal agencies, with little direct impact on other levels of government or on private companies. These are also long overdue in adequately defending America’s critical infrastructure underpinning much of our health, safety and economic well-being.
Equally aggressive measures are needed across both the broader government and private sector spectrums to ward off, or at least deter, this ongoing threat that grows daily. Remote work-from-home has vastly expanded the cyber vulnerability of businesses. An ever more sophisticated hacker ecosystem now includes ransomware-as-a-service so even newbies can share in the looting.
In short, cyber criminals have expanded their ranks to scale up and better capitalize on increased pandemic-related criminal opportunities.
The only things certain in life these days are death, taxes and ransomware. Defeating COVID requires not just effective vaccines but human willingness to get vaccinated. So too does defeating ransomware and other cybersecurity threats require both effective technologies and better security awareness and behaviors by human users – both employees and consumers.
The 21st Century Battlefield
These criminal undertakings are enabled and nurtured by America’s adversary nation states. Several of these sponsor their own state-run hacker enterprises capable of cyber-espionage and highly destructive cyber-sabotage.
The magnitude and brazenness of this internet-enabled cyber aggression is now America’s greatest national security threat. It may well replace conventional warfare on which we spend hundreds of billions in tax dollars annually.
Yet we spend a minor fraction of our defense budget (less than 1.5% in FY 2022’s budget request) on defending against these persistent cybersecurity threats. 21st century warfare is being played out in cyberspace – online – where less powerful countries and the cybercriminals they harbor are able to inflict disproportionate, or asymmetric, damage on their much larger U.S. adversary and never face the kind of retaliation conventional warfare would provoke.
A Cybersecurity Operation Warp Speed
Or, sadly, any retaliation. We currently can’t even play competent cyber defense, much less offense. And our adversaries – cyber criminals and combatants – know it, leaving them to operate with impunity.
Clearly, as far as the security, stability and reliability of our energy, water, manufacturing and transportation infrastructure are concerned, this is an emergency situation. And it cries out for an emergency response on the order of the Operation Warp Speed public-private partnership that delivered highly safe and effective coronavirus vaccines in record time.
More of the glacial pace of applying cybersecurity measures to government contractors – measures that have been percolating for years and aren’t expected to be fully implemented for years to come – is not what’s needed now for this broader and far greater threat to our safety, economy and way of life.
“From Stealing Data to Disrupting Operations”
Beyond national security, our economy and personal lives are heavily reliant on a private sector infrastructure. And it may be even less prepared for continuing cyber intrusions and business disruptions. An estimated 85% of the country’s energy, for example, is delivered by private companies.
The federal government highlighted the need for a stronger commitment by private companies in a June 2 open letter to corporate executives. The letter urged business leaders to implement measures – including encryption, multi-factor authentication, and endpoint detection and response – that were outlined in the Executive Order for federal agencies. It also called for other best practices like maintaining network segmentation to ensure continued operation of industrial control systems.
This call to action for corporate leaders noted that “Investing in cybersecurity is a far better investment for our economy and for companies than paying the funds in ransom…The private sector also has a critical responsibility to protect against these threats…
“There’s been a recent shift in ransomware attacks – from stealing data to disrupting operations. It’s critically important that your corporate business functions and manufacturing/production operations are separated and you carefully filter and limit internet access to operational networks…
“Companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively.”
A Stronger Impetus to Cybersecurity Action
All well and good. But the government needs to do more than encourage companies with security suggestions to have any meaningful impact on this threat. To its credit, the Administration has ratcheted up its efforts to disarm ransomware attackers, recover ransom payments and reward those providing information that leads to the arrest of those behind these extortion schemes.
A stronger impetus to action by the private sector would be a tried-and-true incentive system that has proven successful in facilitating other national objectives by private companies. The United States provides the private sector with tax incentives for many things considered beneficial for the country – hiring and retaining employees, research and development, energy efficiency and more.
And new bipartisan legislation introduced by Sens. Wyden, D-Ore., and Crapo, R-Idaho, is under consideration to add a 25% tax credit for investments in U.S. semiconductor manufacturing. The goal is to boost domestic manufacturing of semiconductors, which is sorely needed – U.S. share of the global semiconductor market has declined from 37% in 1990 to 12% today.
But bolstering our cyber defenses is needed even more.
Both deserve enactment, along with H.R. 1374, the Enhancing State Energy Security Planning and Emergency Preparedness Act of 2021 to reauthorize and fund the Department of Energy’s State Energy Program from 2022 to 2026 at $90 million annually. This bill passed the House by a 398-21 vote, showing rare bipartisan support.
Start with Carrots, Not Sticks
Before resorting to imposing fines or other punitive regulatory measures on private manufacturers, energy and other critical infrastructure companies, why not first try the same tax incentive “carrots” used to positively reward companies that conduct research and development and adopt energy efficiency measures?
Cybersecurity tax credits could be powerful incentives for the private sector to implement stronger security measures proven to mitigate or deny the cybersecurity intrusions that disrupt U.S. critical infrastructure. The recent ransomware attack that disrupted gas delivery to much of the country’s east coast is a case-in-point.
And these credits should scale up as more comprehensive and proactive cybersecurity protections like Zero Trust are deployed for greater threat visibility, detection and response.
Tax credits work pretty well in motivating other national objectives, although many eligible small and midsize companies continue to miss out on them. So such positive incentives may not be a complete solution. But they can pave the way by raising the consciousness of those businesses most at risk, accelerating private investment in cyber resilience. This will make further measures more feasible to the extent they’re still needed.
But Do It Quickly
Cybersecurity experts agree the Colonial Pipeline and other cyber attacks being reported with increasing frequency are but the tip of the cyber iceberg. Energy Secretary Jennifer Granholm recently acknowledged this on national TV. She noted that such attacks on the country’s energy infrastructure are capable of shutting down the U.S. power grid and represent a grave risk to our national infrastructure.
Quoting her, “There are thousands of attacks on all aspects of the energy sector and the private sector generally. It’s happening all the time. This is why the private sector and the public sector have to work together.”
This is as critical a national priority. It’s also a more immediate threat than crumbling infrastructure, climate change or other challenges before us as a country. And unlike them, it’s not a partisan issue. Both parties agree on the severity of the threat. And both endorse tax credit incentives as the kind of public-private collaboration for which Secretary Granholm is calling.
This positions cybersecurity tax credits as something that could be fairly quickly enacted, at least by legislative standards.
And it should be. There is literally no time to waste.