Cybersecurity progress on Capitol Hill

Recent reports from Capitol Hill suggest that the Senate is making progress on a bill to address our nation’s pressing cybersecurity concerns.  Intelligence Committee Chair Dianne Feinstein (D-Calif.) and Ranking Member Saxby Chambliss (R-Ga.) have hammered out draft cybersecurity legislation, and are currently circulating it for comment from interested parties on and off the Hill.  The two senators have said that their goal is a bill that “allows companies to monitor their computer networks for cyber-attacks, promotes sharing of cyber threat information and provides liability protection for companies who share that information.”

While this legislation is still in the draft stage, and it is too early to tell if the law will be enacted, one thing is certain: America’s cybersecurity challenges must be addressed immediately.  We must act now to protect our corporate, governmental and personal digital assets from all cyber threats, foreign and domestic.

Just last week, Target replaced Chief Executive Gregg Steinhafel in the wake of a cybersecurity breach earlier this year.  Further, the “Heartbleed” crisis that shocked major Internet companies and consumers alike made headlines again last month, when the world’s largest tech companies donated millions of dollars to fund improvements to current cybersecurity infrastructure.  Heartbleed, a flaw buried within security software employed by over 500,000 websites, made it possible for hackers to steal passwords and other information which consumers had every reason to believe they’d entered securely.  Anyone who’d visited any of those 500,000 websites was a potential victim.  Even worse, the hole in the security software went unnoticed for more than two years.

A glimmer of good news has come out of this tragedy.  Because the Heartbleed scare received heavy media coverage, Americans are taking action.  The Pew Research Center reported that 39 percent of Internet users they surveyed either changed their passwords or shut down online accounts to protect their personal data.  This is encouraging – it means Americans are taking their cyber safety seriously.  Unfortunately, this awareness is not necessarily widespread – another 36 percent of Internet users in the Pew survey said they hadn’t heard anything about Heartbleed at all.  Clearly, work remains to be done.

Educating the online community – those who run websites and those who use the goods and services they provide – must be a key component of our efforts to keep America safe from cyber threats.  Anyone who uses the Internet must have the tools to do so while minimizing their risk for identity theft.  Businesses, too, must know how to best guard their data against hackers from the underworld of 21st-century industrial espionage.  Information is a precious commodity that is shared surprisingly freely online, but it must be safeguarded.

Financial and investment advisory firms, banks, credit unions, and retailers are especially plum targets for digital marauders.  These modern bank robbers aren’t going to head for the hills with bags of cash, however.  They’re after something more valuable: customers’ financial data.  To combat this threat, companies must learn how to manage a playing field that’s constantly shifting, and make a plan to deal with cybersecurity challenges.  When cyber dangers like Heartbleed rear their heads, they must be dealt with immediately, as swiftly as the company would deal with a crisis in the markets.  The goal should be securing investors’ information as quickly as possible.  And this is not just a problem for the IT department.  The entire organization, from the top down, must be aware of cyber threats and vigilant in thwarting them.

As a nation, we must be prepared to defend ourselves from any digital menace – whether it’s a two-bit hacker sweating away in a basement, or a foreign government like Russia or China intent on pilfering state secrets through online back doors.  The NIST Cybersecurity Framework is an excellent tool to help organizations understand their risks and enable action to protect systems and the information they store.

The advent of the Internet has changed our lives in an almost inconceivable variety of ways.  It is long past time, however, that we wised up to the dangers that lurk in our digital lives and worked together to keep them at bay.

Ortiz is a principal at Crane & Crane Consulting, an adviser on public policy and regulations for a D.C.-based global law firm, and recently spoke on the Cybersecurity Landscape panel hosted by the U.S. Securities and Exchange Commission.