Cybersecurity: While We're Waiting on Congress
Cybersecurity dominates the headlines after large, high-profile attacks, such as the 2015 hack of over 22 million personnel and background-investigation records from the Office of Personnel Management (OPM) or the 2013 theft of 70 million customer records from Target. But it's not long before the media and public once again become complacent, and despite multiple attempts over the past five years, Congress has failed to pass adequate legislation on the issue.
Partisan bickering, debate over the scope and breadth of regulations, and privacy concerns have abounded. But this problem isn’t going away. In fact, if the past few years are any indication, it’s only going to get worse. When financial institutions, global trade, commerce, and governments all rely on cyberspace for the free flow of capital and ideas, it’s crucial our cyber highways remain as secure as possible.
Legislation is needed to provide clear guidance on how companies should prepare for and respond to cyberattacks. Robust policies must allow collaboration and the sharing of threat and risk information between the government and the private sector. Currently, companies in the private sector are hesitant to share cyber threat information out of fear of a lawsuit; thus protection from liability is crucial.
But in the interim, companies and legislators alike should familiarize themselves with the National Institute of Standards and Technology (NIST) cybersecurity framework. In February 2013, President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” directing NIST to engage stakeholders and develop voluntary guidelines for reducing the risk of cyberattacks to critical infrastructure, in both the public and the private sector. NIST released version 1.0 of the framework in February 2014, and today organizations big and small are using it.
The framework combines best practices across multiple sectors to create a flexible, cost-effective roadmap of sorts for CEOs and corporate boards. When 66 percent of public-company directors do not have confidence their companies are properly secured against a cyberattack, the NIST framework can prove helpful for many.
The framework could one day serve as a baseline for legislation, too, so companies that adopt it now will likely be better positioned to comply with future regulation — and less likely to be considered negligent and held liable in court in the event of a breach.
The good news is that C-suite executives are beginning to bring these critical issues up in the boardroom, taking inventory of their security efforts and identifying where they are vulnerable. But Congress must get its act together and pass cybersecurity legislation. Understanding the NIST framework is a must, both for businesses trying to address this problem voluntarily and for legislators trying to craft a policy solution.
Javier Ortiz is a partner at Falcon Cyber Investments, the first multi-stage investment vehicle exclusively focused on investing in cybersecurity companies, and a strategist and an adviser on cyber policy and regulations for a D.C. based global law firm.