This article was originally published in the Harvard Business Review on December 14, 2018. Please go to https://hbr.org.
Not a month goes by without a major corporation suffering a cyber attack. Often state-sponsored, these breaches are insidious, difficult to detect, and may implicate personal information relating to millions of individuals. Clearly, the current approaches to safeguarding sensitive data are insufficient. We need to reorient expectations for the role of the private sector in cybersecurity. As the risk of cyberattacks has become better appreciated, we see an increasingly punitive focus on holding corporate America solely responsible.
Multiple, overlapping laws at the national and state level require companies to have “reasonable” security, a concept that is largely undefined and elusive, especially given that threats and available defensive measures constantly evolve. And regulatory enforcement actions and lawsuits in the wake of cyberattacks declare any exploited security vulnerability to be de facto “unreasonable,” without a meaningful assessment of the company’s overall security program or acknowledgement that the company has been the victim of a crime.
This approach is premised on an unreasonable expectation that every company in the United States has the resources and capability to defend itself against even the most sophisticated cyber actor. We should move away from laws that focus on finding companies at fault, rather than as victims of criminal cyber activity. This framework is neither fair nor effective in improving our collective cybersecurity.
In our experience, despite increasing security spend, most companies face significant obstacles to successfully managing cyber risk. Although some industry security standards have emerged, they are vague, and available security solutions are seldom turnkey. Rather, effective security requires application of significant judgment in the context of unique and complex corporate network architectures, as well as the ability to adapt as security solutions and threats evolve. Unfortunately, the talent pool with the requisite cyber experience and knowledge is limited. It is simply not possible, at present, for every company in America to have sufficient internal cyber expertise to manage the risk.
The challenge is compounded by the resources and sophistication that state and criminal cyber attackers can bring to bear. In no other arena do we expect every business to defend itself from foreign intelligence and military agencies or sophisticated criminal threats.
Although there has been a significant focus on sharing threat information, both within the private sector and between the government and the private sector, such sharing remains incomplete at best, particularly when it comes to the techniques, tactics, and procedures that particular actors are employing. As a result, companies often lack sufficient knowledge of the specific threats they face so they can best defend themselves.
Given these and other factors, companies that suffer cyberattacks are, and should be treated primarily as, victims. When a bank suffers a physical robbery, we do not think of blaming and shaming it – even though there is almost always some additional precaution the bank could have taken that might have helped prevent the attack (such as a police officer stationed at every teller window or limiting customer access to tellers). While banks are expected to implement some security measures, there is no expectation that those measures will prevent criminal attacks entirely, and banks are not vilified if they did not have every available precaution in place that might have prevented them. Yet in the cyber context, a company that suffers a breach faces a substantial risk of multiple regulatory investigations and class action lawsuits, all focused on assigning blame to the organization for having inadequate security measures to defeat the criminal attack perpetrated by others – no matter the strength of the company’s overall security program or the amount of the investment it has made in security.
That perspective is not only unfair, but counterproductive. Instead of focusing on remediating the incident, restoring operations, improving security going forward, and mitigating potential harms, a company in the midst of a cyber breach also needs to worry about the record that is being created – what is being written down, whether lawyers are sufficiently involved in the forensic investigation, and other considerations bearing only on protecting against liability. Moreover, the fear of potential downstream liability constrains what information a company is willing to share – it may not disclose the incident at all, let alone how and why the intruder was able to evade existing security measures, depriving the broader community of the opportunity to learn lessons from the incident, as happens in aviation and other industries.
Although the Cybersecurity Act of 2015 provided some protections, they are narrow and have not resulted in a material increase in information sharing. As a result, our collective cybersecurity is diminished: we do not harness the enhanced security or efficiencies that a more collaborative approach to threat intelligence and defense would yield.
We need to reorient our cybersecurity focus. We should place less burden on individual companies by focusing more on systemic ways to address cyber threats. In part, that approach would require the federal government to take a more active role in cyber defense. The government has a number of comparative advantages over the private sector, such as the ability to collect and exploit intelligence and to coordinate internationally with other governments and law enforcement agencies. The government should do more to give the private sector the benefit of these advantages.
For example, the government should devote more resources to collecting intelligence about potential cyberattacks against private entities, particularly from nation-state actors, and then take steps to help prevent them — not merely notify companies believed to be at risk and then leave them alone, with imperfect and incomplete information, to investigate and respond. As the Department of Homeland Security takes on greater responsibilities for identifying and minimizing cybersecurity risks to the U.S. economy, it should issue pragmatic, cost-effective operational guidance to companies on how to defend against evolving risks.
We also need to focus more on incentivizing security improvements at points in the cyber ecosystem that can have a scale effect and protect large groups of users and companies, rather than leaving each one on its own. We are collectively better off the more that software providers can use secure coding practices and thereby prevent a vulnerability – rather than requiring every user to install a patch somewhere down the line. We will also be better served if more Internet service providers mitigate the effects of a botnet by filtering traffic to limit IP-spoofing – rather than requiring every target to fend off a denial of service attack.
Legal and policy reforms are likely needed to achieve these goals and encourage companies to collaborate with the government on these initiatives. Such collaboration is unlikely unless the law provides greater confidentiality and liability protections than those presently available for companies that take actions to aid our collective cyber defense. But with the right protections, companies may be more willing to join forces with the government in this way and others to reduce cyber risk.
While we do not dispute that it makes sense to impose some cybersecurity obligations on individual companies, those obligations should be reasonable and clear. Companies that meet a defined set of risk-based requirements, which could be developed through a collaborative, multi-stakeholder process, should have a safe harbor from liability – recognizing that they are victims, not perpetrators, of malicious cyber activity.