Another day, another huge cybersecurity breach. Last week, it was Twitch, Amazon’s live streaming platform, that suffered the public disclosure of its source code, its biggest stars’ earnings and other sensitive information.
Cyber attacks are quickly becoming a thorny, large-scale global security problem. The United States alone suffered around 65,000 ransomware attacks last year, and the massive SolarWinds hack exposed big cybersecurity gaps within the federal government. This helps explain why US experts recently interviewed by Axa cited cyber risk as their biggest concern this year, and global experts ranked it second behind climate change.
The diffuse nature of the problem makes it particularly difficult to deal with. The attacks come from everywhere. Some are state sponsored or ideologically driven, while others are all about money. Many victims are reluctant to admit that they have been hacked. Some fear that sharing too much information about methods publicly will just empower bad actors.
However, it is quickly becoming clear that governments need to take a much more active role in information gathering and sharing and defense coordination. The US Senate is considering a bill requiring government agencies, contractors and critical infrastructure companies to report all cybersecurity incidents and ransomware attacks to the Cybersecurity and Infrastructure Security Agency within 24 hours, or face heavy fines. “If we can’t see it, we can’t defend ourselves effectively,” said Jen Easterly, who heads the agency, recently.
The Australian parliament is moving in the same direction. The EU, which has taken a lead on many cyberspace issues, adopted incident reporting rules for operators of essential services in 2018.
But warning the authorities should only be the first step. Investors have the right to be informed of significant hacks. Clear standards on what this exactly means should be set on a national or global basis, as should accounting definitions for “material” financial events.
As large businesses invest in proper defenses, hackers are likely to direct their attacks against small and medium businesses, most of which will not be covered by these reporting requirements. If they do not share their experiences, hackers will be able to repeatedly exploit the same weaknesses.
Governments need to do a much better job of working together. Hackers do not respect national borders, and computer problems in one country can disrupt many others, as demonstrated by the recent Facebook outage.
A global standards body must bring together national regulators to share information on hacks and vulnerabilities, ensure companies invest in effective cyber defense, and set up watchdog colleges for larger multinational players. One possible model could be the aviation safety regime, which brings together investigators and analysts from the home country of the affected aerospace group as well as those at the crash site. Another model to consider would be the home/host regulatory structure that is used for banks.
These increasingly common attacks have financial ramifications. The insurance market finds it difficult to price protection against them, and this may prove to be an area, like terrorism and flooding, where government support is needed. Cyber attacks are no longer new. It’s time to stop acting like they are.