This week Verizon released the 2013 Data Breach Investigations Report, its sixth comprehensive annual report on the state of cybersecurity. The DBIR adds important factual information to the increasingly public debate over the consumer privacy, national security and economic issues around cyber crime and how to prevent it.
While the 2013 DBIR confirms that cyber crime remains a grave and growing threat to our security, it also provides important lessons about protecting data and about sound public policy which will enable a more robust fight against cyber criminals.
First, the facts. In 2012, large-scale financial online crime and state-affiliated cyber espionage dominated the security landscape. Cyber theft of intellectual property such as classified information, trade secrets and proprietary business data is a top threat to U.S. national and economic interests, yet these state-affiliated espionage campaigns were actually less common in 2012 than “hacking,” which accounted for 52% of all 2012 data breaches.
Hacktivists – who launch cyber attacks for ideological purposes or for the pure thrill of it – seek to paralyze communications systems through Distributed Denial of Service (DDoS) attacks. DDoS attacks create significant costs because they not only impair business and operations but can also slow, block or dramatically limit access to websites under attack.
As in years past, the 2013 DBIR reaffirms the importance of cyber hygiene. Seventy-six percent of network intrusions exploited weak or stolen user names or passwords. Fully forty percent of intrusions incorporated malware, that is, malicious software, script, or code used to compromise information. Rigorous password practices, controls on the use of transferable media like thumb drives and other basic protections remain the first, best protections against cyber attack.
What do these facts say about public policy? Two things: cooperation and flexibility. The vulnerability of hardware and software underscores the interdependent nature of the Internet ecosystem and the need for all technology sectors to be working closely together in defending against cyber-attacks. Verizon has a strong record of protecting our networks and the privacy and data of our customers, and we share the industry’s commitment to ongoing efforts to further improve the effectiveness of our nation’s cyber defenses.
While our industry successfully defeats millions of attempted cyber-attacks each day, it does so because it retains the flexibility to take quick and decisive action against these attacks. In February, the Obama Administration issued an Executive Order to promote best practices on cyber security for critical infrastructure sectors. That Order acknowledged the need for a flexible approach driven by private-public collaboration.
Changes in federal law would go further in advancing U.S. cybersecurity. But it’s important to note that in addressing this increasingly important national and economic security issue, there is no single, correct solution. There are many players and many solutions, and all these players in the Internet ecosystem – service providers, communications equipment makers, software developers – need to participate in the common defense.
Congress will also play a key role and can improve our national cybersecurity posture. Perhaps the single most important step would be to promote the voluntary sharing of cyber threat information between and among communications companies and federal agencies. Critical to ensuring private sector participation will be providing appropriate antitrust and liability protection. And, of course, it is vitally important that legislation provides adequate protection for Americans’ privacy and civil liberties. The recent overwhelming 288-127 House vote on the “Cyber Intelligence Sharing and Protection Act” clearly demonstrates that bipartisan, consensus-based cyber legislation is achievable this year.
As we continue to work to find the best solutions to ensure the best cyber security in the middle of this fast‐moving technological war, we must avoid regulatory mandates that will quickly become obsolete and potentially hinder the ability of high tech companies and broadband providers to innovate and coordinate to defeat ever-evolving cyber threats. These companies must maintain the flexibility to deploy new technologies in real-time to secure networks and to protect customers.
Together, a strong public-private partnership will produce a safer and more secure online environment that supports America’s economic prosperity and growth. As our data breach report recommends, there are many steps that businesses, government agencies and other organizations can take to protect themselves. But it will take teamwork – all of us working together – to permanently secure one of the most creative – and important – inventions of our time, one that will only grow in importance for our future.
Randal S. Milch is executive vice president, Public Policy, and General Counsel of Verizon