Last week, a hacker turned cybersecurity expert, Marc Maiffret, published an enlightening op-ed in The New York Times, arguing the private sector can and should do more to improve the nation’s cybersecurity. This is especially true since the private sector produces the hardware and software for every device we use. Congress should harness the power of the private sector through flexible and non-regulatory solutions.
Maiffret points out that “for the most part, large software companies are not motivated to make software secure.” This is because these companies are not liable for losses resulting from their flawed software. This has led to several high-profile cases where hackers exploited a known vulnerability in common programs. For example, Oracle’s Java program is known to be full of security holes—so much so that the Department of Homeland Security recommended that its users completely disable the software in their browsers.
Regrettably, this phenomenon is not limited to software companies. Hardware can be easily tampered with to include dangerous vulnerabilities. Furthermore, many companies (such as banks and utilities) also underinvest in cybersecurity, leading to potential losses for their customers. Until businesses take responsibility for their flawed cybersecurity products and actions, U.S. systems will remain vulnerable.
“A lot of the talk around cybersecurity has centered on the role of government,” Maiffret writes. “But investing in software security and cooperating across the software industry shouldn’t take an act of Congress.” Maiffret is almost spot-on: Too much attention in Washington is on top-down approaches to cybersecurity that rely on regulation and government-designed standards. This is the wrong approach to the nimble and rapidly changing cyber realm.
However, there is room for sensible government action that encourages the private sector to take more responsibility for its cybersecurity. For example, Congress should encourage the development of a cybersecurity liability and insurance system that would hold companies responsible when cyber failures in their products or services lead to costs on others. This would encourage companies to invest more in security.
Congress should also encourage better cybersecurity supply-chain procedures. A nonprofit organization could assign letter grades to companies’ security and publish that information for consumers. Armed with such knowledge, every consumer could then make better risk-based decisions.
Maiffret also mentioned the need for improved cooperation among private-sector actors. Currently, companies are afraid to share cybersecurity information for fear of losing privileged information, being sued, or even being prosecuted. Congress should amend particular outdated laws, provide key sharing protections, and outline ways the private sector can act in its own self-defense. Cooperation shouldn’t be limited to just passive defense; companies need to be enabled to partner with the government agencies such as the FBI to actively fight hackers.
There is also an important role for the government to play in combating bad cyber nations. China, Russia, Iran, and others have no interest in stopping cyber crime and espionage since they benefit from it. The U.S. needs to make these nations feel some pain when they commit cyber crimes by taking legal, diplomatic, and economic actions against them.
Instead of viewing the private sector as a vulnerability that needs to be regulated, Congress needs to pursue policies that enlist the private sector in this struggle—a struggle that isn’t going away anytime soon.