The Commission on Enhancing National Cybersecurity issued a comprehensive report last December on securing and growing the nation’s digital economy. As the Commission’s Vice Chair and Executive Director, respectively, we were fortunate to work with some of the nation’s most experienced and committed individuals on the subject, drawn from industry, government, law enforcement, and academia. After eight months of public hearings and deliberations, the Commission’s report outlined six primary imperatives, 16 recommendations, and 53 associated action items to enhance the state of the nation’s cybersecurity through a coordinated effort that engages both the public and private sectors.
The bipartisan, independent Commission explored a number of areas, including critical infrastructure, the Internet of Things, innovation, research and development, and public awareness and education, among others. And while we did not focus on any one industry or sector, much of our work was highly relevant to the financial services sector, given the foundational role it plays in the economy. Banks and other financial institutions have made robust commitments to upgrade their cyberdefenses, but they still face evolving threats.
It’s worth noting that the financial industry, given its collective focus on maintaining customer trust and protecting its customers’ financial data, has already coordinated with government and law enforcement when it comes to cybersecurity. Moving forward, the right mix of incentives must be provided, with a heavy reliance on market forces and supportive government actions, to enhance cybersecurity. Incentives should always be preferred over regulation, which should be considered only when the risks to public safety and security are material and the market cannot adequately mitigate these risks.
This article provides an overview of many of the recommendations contained in the Commission’s report, titled “Securing and Growing the Digital Economy,” while frequently returning to one of our overarching conclusions: Partnerships – between countries, between government at all levels and the private sector – are a powerful tool for securing and growing the digital economy. Indeed, it’s clear that collaboration between the public and private sectors before, during, and after a cybersecurity event must be strengthened. When it comes to cybersecurity, no organization can operate in isolation.
The first priority must be to secure today’s information infrastructure and digital networks. The need to do so comes against the backdrop of interconnections and interdependencies becoming more complex and extending well beyond critical infrastructure (e.g., the electric grid or communications systems). This convergence, combined with increased cybersecurity awareness, creates a unique opportunity to change existing approaches in ways that will better protect the digitally driven economy.
Another backdrop to today’s cybersecurity environment is that a large portion of network interactions on the Internet are known to be harmful. Most of that traffic involves either known malware or packets that are clearly coming from a botnet or a denial-of-service attack. Much of it is relatively easy to identify and separate from legitimate traffic, and some organizations in the Internet and communications ecosystem are already taking steps to filter it out.
Although there are no simple solutions, there are a number of reforms that can help strengthen cybersecurity.
Fundamental to protecting today’s digital networks will be to focus on eliminating “botnets.” Botnets, shorthand for networks of “bots,” are made up of compromised computers and devices that an attacker controls remotely, usually without their owners’ knowledge. Attackers use botnets to conduct distributed denial-of-service attacks, distribute malware, and perform other tasks on their behalf.
Progress on botnet elimination will be linked to cooperation between government and industry, with the financial sector being an important actor in this partnership. The public-private effort should be focused on mitigating the impact of botnets, including denial-of-service attacks, and then expand to address other malicious attacks on users and the network infrastructure.
It became clear to the Commission that there is also a need for more robust planning to prevent cyberattacks and to know how to address them when they occur. There is an important role for public-private cooperation in these planning exercises, and that cooperation is well underway in the financial community, with more than a dozen cybersecurity exercises – part of what’s known as the “Hamilton Series” – undertaken in 2014–2016. One outgrowth of those exercises was the Sheltered Harbor initiative, a voluntary industry initiative being carried out by companies in the U.S. financial services sector. Participating institutions are focused on enhancing their ability to “securely save and restore account data in the event of a loss of operational capability.”
This initiative underscores the value of these exercises, which are helping to strengthen cybersecurity while also building trust between the public and private sectors. But the Hamilton Series is only a first step in improving planning. Now is the time to institute a more systematic approach, with more emphasis on clarifying roles and responsibilities between government and the financial sector before a cyberattack occurs and ensuring follow-through by all parties. One of the keys will be to enhance the involvement of state and local governments as well as small and medium-sized businesses.
It is also vital for federal agencies to work with industry to develop a more comprehensive understanding of cybersecurity issues, such as interdependencies and the impact on supply chains. Through deliberate planning and joint exercises that are conducted on a regular basis, industry and government will develop relationships that inspire the trust needed for effective collaboration. “Information sharing” is an overused term that has lost its meaning – and it is not an act that can be created in a vacuum. Information sharing is a product of trust that develops through regular and substantive engagement between and among the key stakeholders in government and industry.
Improve Identity Management and Authentication
Strong identity management is fundamental to the security of the digital economy, and of the financial services industry in particular, where the security of online banking depends on identity authentication. Across all industries, a major vulnerability is continued dependence on the traditional username and password for identification and authentication. Passwords are routinely reused across sites, captured by phishing, and exposed in breaches, so an attacker who obtains one often gains access to many accounts. This makes it far too easy for malicious actors to steal identities or impersonate someone online. In fact, the Commission learned that all of the major attacks over the past six years were initiated by an identity compromise.
There is a clear need for improved public-private cooperation on authentication. A good start to effective identity management has been initiated through the National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC was created in 2011 as a collaborative effort between the private and public sectors to create an identity ecosystem and establish a framework of overarching interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms.
Closely linked to identity management and authentication is the security of mobile and connected devices. The Internet of Things has unleashed a massive amount of data, which is being captured, aggregated, and processed. Individuals and institutions are at the early stages of using this data to make choices that influence everything from personal matters to national security. Trust and confidence in that data require confidence in the devices that captured, aggregated, and processed it, as well as confidence that the data have not been accidentally or maliciously altered.
Mobile security brings specific challenges in the financial services sector. A report issued last year by the Federal Financial Institutions Examination Council (made up of five federal agencies) found that when banking customers are using their mobile devices, they are less vigilant about activating security controls, virus protection, or personal firewall functionality. The security risk is heightened, said the report, by the ability of cyberthieves to develop malicious or tampered applications that customers unknowingly download to their mobile devices.
Focus on the Cybersecurity Framework
As companies develop and refine their cybersecurity strategies, they should focus on the content of the NIST Cybersecurity Framework (formally the Framework for Improving Critical Infrastructure Cybersecurity, often called the “Voluntary Cybersecurity Framework”) and be encouraged to adhere to its key principles. The development of this voluntary framework was coordinated by the National Institute of Standards and Technology (NIST) through a collaborative process involving industry, academia, and government agencies.
The Framework provides a risk-based approach to cybersecurity through five core functions: identify, protect, detect, respond, and recover. It is designed to assist organizations of any size, in any sector, and at any stage of their cybersecurity maturity. The Framework provides a vocabulary to bridge the communication gap that sometimes exists between technologists and executives. NIST was directed (by Executive Order 13636, in 2013) to create the Framework specifically for managing cybersecurity risks related to critical infrastructure, but a broad array of private- and public-sector organizations across the United States – and some around the world – now use it.
The Framework is playing an important role strengthening the risk management ecosystem, and if effectively implemented, it can reduce the need for future legislation and regulation.
The federal government has not done enough to encourage companies to implement cyberrisk management principles and demonstrate collaborative engagement. To ensure that implementation, the executive branch and Congress should work together to enact legislation that provides appropriate liability protections for businesses engaging in cyberrisk mitigation practices that are consistent either with the Cybersecurity Framework or with common industry segment practices, and that engage in cyber collaboration with government and industry.
Another approach to providing incentives for responsible actions by industry is an approach discussed by the Commission that is, essentially, a “Reverse Miranda.” This approach encourages companies to share information but gives them the protection by the government that what they share will “not be held against them.” The Commission learned, across all industries, sectors, and sizes of businesses, that these enterprises need to be afforded protections and incentives for improving security for their organization, as well as for the public and private sectors.
Harmonize Regulations Across Borders
Although actions by the federal government are critical, cybersecurity is a global challenge, which highlights the need for regulations to be harmonized throughout the world. A starting point should be for U.S. regulators to harmonize their efforts using the Cybersecurity Framework as a guideline. Regulatory agencies should harmonize existing and future regulations with the Cybersecurity Framework to focus on risk management – reducing industry’s cost of complying with prescriptive or conflicting regulations that may not aid cybersecurity and may unintentionally discourage rather than incentivize innovation.
The private sector has voiced strong concerns about the ways in which regulatory agencies are beginning to use the Cybersecurity Framework, as each agency makes different decisions about its application. Such disparate regulations risk redundancy and confusion among regulated parts of our economy.
It’s also important to bring together like-minded nations, sharing the U.S. focus on cybersecurity and economic growth, to standardize regulations and develop peacetime norms and rules of engagement.
Enhancing Security and Opportunity Through Innovation and Investment
The next big thing in the Internet universe is the so-called Internet of Things (IoT). The research firm Gartner projects that there will be more than 20 billion “connected” devices in the world by 2020. The proliferation of IoT devices will be a critical issue for banks in particular, which are already immersed in the IoT universe and thus even more of a target for cyberthieves.
To advance IoT security, fundamental research and development is needed, both to develop solutions that continue to foster innovation and to build in opportunities for reducing the risk involved with ubiquitous connectivity. Despite the large overall investment in cybersecurity R&D, funding for creating inherently secure technology, products, systems, and environments is relatively small. The federal government should invest in fundamental cyber R&D that will foster the development of inherently secure, defensible, resilient, and recoverable systems. The private sector should help determine this research agenda and work with federal agencies to ensure that the results of this research are readily usable in improving technologies, products, and services. Additionally, industry and government should work together to create a baseline of security standards for IoT devices, so that security is a key component of all product development rather than bolted on later, after the product has shipped.
Preparing Consumers to Thrive in a Digital Age
The Internet’s ability to continue driving opportunity and growth will depend on winning and maintaining the trust of consumers. To that end, engineers and designers need to create products and systems with built-in security and also give consumers the ability to know how their user experience will be protected. The primary burden of responsibility for cybersecurity should shift up the chain from the consumer to the manufacturer.
The complexity of cybersecurity and the resources needed to address it must be reduced. In the long run, manufacturers should automate, simplify, and improve the process by which consumers are advised about the cybersecurity implications of using their digital devices. However, moving security away from the end user does not remove the need to ensure that consumers are appropriately and effectively educated and informed.
Building Cybersecurity Workforce Capabilities
The workforce challenge is two-pronged: 1) developing the appropriate skill set in the current workforce to meet the cybersecurity needs of the current environment; and 2) attracting more individuals into the cybersecurity workforce. Expanding and strengthening an agile cybersecurity workforce is a critical national and economic security need, and meeting it will require a national effort that engages all levels of the public sector, as well as the private sector. According to the 2015 (ISC)2 Global Information Security Workforce Study, 1.5 million more cybersecurity professionals will be needed globally by 2020. Demand is likely to grow across the financial services industry in particular. A regulation recently adopted by the New York Department of Financial Services (23 NYCRR Part 500) places heightened obligations on financial institutions to design response plans for security breaches, conduct annual self-evaluations, and provide cybersecurity training.
While cybersecurity offers a premium in pay over other fields in information technology, a sizable gap between open positions and qualified applicants has persisted for almost a decade. To address these issues, companies must expand their efforts to draw more workers into the cybersecurity field.
To increase the number of qualified entry-level cybersecurity practitioners, the federal government must work with the private sector to attract more students to the field of cybersecurity. These collaborative efforts also should aim to create pathways into the field for underrepresented populations (e.g., women, minorities, and veterans) and older workers seeking career changes or hoping to leave professions with fewer opportunities. The current focus on retraining veterans for careers in cybersecurity should be continued and expanded.
As part of the workforce efforts, a core curriculum should be developed that will be the foundation for all education and training.
The interconnectedness and openness made possible by the Internet and broader digital ecosystem create unparalleled value for society. The challenge ahead is for the commitment to innovation that underpins so much of the digital ecosystem to be matched by a commitment to cybersecurity. In order for the digital economy to thrive, it must be secure. The vitality of the financial industry is also closely linked to security. As The Clearing House has said, “cybersecurity defenses are one of the core foundations for trust in the financial system.”
In order to maintain trust, and continually strengthen it, large and small companies, government at all levels, educational institutions, and individuals need to be more purposefully and effectively engaged in addressing cyberrisks and committed to working together before a major cyberattack occurs.
Stopping all attacks is not a practical goal. Instead, a core component of all cybersecurity strategies should be resilience – what is the approach for responding to and recovering from an attack? How do you ensure that operations are not disrupted or, at a minimum, that any disruption is contained?
One lesson that’s already been learned, but cannot be emphasized enough, is the importance of partnership in the fight for more robust cybersecurity. Partnerships – between countries, between the national government and the states, between governments at all levels and the private sector – are an essential tool for encouraging the people, policies, and technology needed to secure and grow the digital economy. And it will be these strong, collaborative partnerships, coupled with continued innovation in cybersecurity, that can help ensure the digital economy continues to deliver extraordinary new opportunities for people in the United States and throughout the world.
About the Authors:
Samuel J. Palmisano is the Chairman of the Center for Global Enterprise, a private, nonprofit, nonpartisan research institution that studies the contemporary corporation, global economic trends, and their impact on society. Palmisano was chairman, president, and CEO of IBM (2003–2011). He is a graduate of Johns Hopkins University, and was awarded an Honorary Degree of Doctor of Humane Letters from Johns Hopkins (2012) and from Rensselaer Polytechnic Institute (2005).
Kiersten E. Todt is the President and Managing Partner of Liberty Group Ventures, where she develops risk and crisis management solutions for cybersecurity, infrastructure, homeland security, emergency management, and higher education clients. She most recently served as the Executive Director of the Presidential Commission on Enhancing National Cybersecurity. Todt has a degree in public policy from The Woodrow Wilson School at Princeton University, and a master’s degree in Public Policy from the John F. Kennedy School of Government at Harvard University.