Outside the Box: The U.S. is falling behind in fighting cybercriminals — here’s what has to change
In 1970s New York, the mafia’s tight grip on the city led many business owners to include a mob payout line item in their annual budget. Today, some of the world’s biggest corporations are once again budgeting for extortion. This time, the threat comes not from physical violence but from cybercriminals half a world away.
Ransomware attacks have been rising sharply over the last few years. In early 2021, the FBI’s 2020 Internet Crime Report included 791,790 complaints of suspected internet crime, an increase of more than 300,000 complaints from 2019, with companies reporting a collective loss exceeding $4.2 billion – and those are just the attacks reported to the Bureau. Still more firms have opted to handle cyberattacks internally, quietly paying ransom to cybercriminals who threaten to release customer data or worse. In fact, The Government Accountability Office reported in May that the number of companies invested in cyber insurance policies had risen from about 25% in 2016, to nearly 50% in 2020.
Big tech companies may claim that cyber assailants are getting savvier, but the methods these criminals are using to break into company servers have stayed consistently basic. Most ransomware assaults still happen because of outdated servers or systems, a lack of air gaps in critical industries, email phishing scams and poor password protection. And there’s a simple way to stop this: government regulations that would force companies to protect themselves and consumers – or pay the price.
This country is trailing behind much of the Western world in terms of policies to protect businesses and individuals from cyberattacks. While originally intended to deal with personal privacy, the passing of the European Union’s General Data Protection Regulation (GDPR) in 2016 solved for the EU many of the issues we are currently facing. The GDPR mandated that consumer information and data must be properly encrypted on fully patched, isolated systems and diligently enforced these mandates through heavy fines.
In the U.S., current government compliance measures such as Payment Card Industry Digital Security Standard (PCI DSS), which was designed to keep customer data safe, are simply not enough. I deal with a lot of companies who are not PCI-compliant, and what I hear from executives at those firms is that they would rather pay the $50,000 fine for noncompliance than invest the $2 million it would cost to become compliant.
“By accepting the inevitability and budgeting for cyberattacks, we are essentially allowing cybercriminals to continue their work unchecked.”
In Europe, the GDPR charges up to 4% of a company’s gross revenue if it is not meeting standards – a number that’s quite a bit more motivating than the fines noncompliant U.S. companies are looking at.
As many American companies with business interests in Europe are already familiar with the GDPR regulations, it wouldn’t be difficult to adapt all or portions of the GDPR to fit U.S. standards, and everyone’s data would be safer as a result.
In my opinion, U.S. regulation should mirror the GDPR to ensure that all public and private systems accessible from the internet must be fully patched and cannot contain any critical data – which should instead be encrypted with a key and stored on a separate server.
Another key regulatory measure would be to create a rigid certification process for anyone working in cybersecurity, overseen by a state licensing board like our system for lawyers or cosmetologists.
Right now, the guy who cuts my hair has more oversight from the government than the people who are employed securing our critical systems. This is a problem because it gives companies with a real need for a cybersecurity resource no way to properly vet candidates for these roles. We can’t expect every business leader to become an expert in cybersecurity processes themselves, so creating oversight in the industry would ensure that all certified professionals have the training needed to spot and address holes in their clients’ systems.
Finally, any industry that is classified as critical infrastructure – such as oil, gas or nuclear power – should implement air gaps between the control systems and the business networks. An air gap ensures that a secure computer network is physically isolated from the internet, and therefore impossible to access remotely.
In fact, the nuclear power industry is already on board with this, and as a result there has yet to be a nuclear reactor compromised via a cyberattack, simply because no one outside the reactor’s physical location can get in.
However, as we saw in the Colonial Pipeline incident, the oil and gas industry has not yet caught up. As our lawmakers continue to look to big tech companies (who often financially benefit from the aftermath of cyberattacks) for guidance on these matters, I fear it may take a terrorist attack in the cyber domain for lawmakers to wake up to the necessity of regulation.
Unfortunately, a lack of meaningful regulation has put us in the same boat as those New York City store owners in the 1970s. By accepting the inevitability and budgeting for cyberattacks, we are essentially allowing cybercriminals to continue their work unchecked. It’s time for our elected officials and business leaders to stand up to extortion and beat back this new cyber mob – before it’s too late.
Eric Cole is the founder of Secure Anchor Consulting and an industry-recognized cybersecurity expert with more than 20 years of hands-on experience in the field.