Should private companies be drafted in the cyber war?
Moody’s recently announced a rating outlook downgrade for Equifax, linking the decision to spiraling costs from the massive 2017 data breach that topped $690 million last quarter and are anticipated to remain high as the company continues investing in cybersecurity infrastructure. In today’s modern cyber threat environment, the impacts of a fumbled incident response are beginning to manifest themselves in new, costly ways.
This decision follows a December 2018 report by the House Committee on Oversight and Reform that found Equifax “failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history.”
The report also found that when the adversary did get onto the Equifax network, they persisted for 76 days, quietly crawling across the network stealing customer records. This long “dwell time,” coupled with the lack of any monetization attempt, indicates the attacker is very likely a nation-state actor.
These two findings appear to indicate the government is on the record saying private companies should be responsible for defending against nation-state attacks.
So, what does this new assignment of responsibility and risk signaling mean for private companies looking to protect themselves in the future?
New class of cyber threats
When experts discuss the breakdown of cyber threats, they often mention the 80/20 principle. This principle is based on the idea that 80 percent of actors are generally unsophisticated and 20 percent are so advanced that, given enough time and resources, they could hack any network. Generally, these are nation-state actors such as Russia, China and North Korea, which leverage their military resources in the cyber fight.
Advanced actors such as these are thought to be responsible for the Equifax breach, as well as other well-known examples, including the 2018 Marriott and the 2015 Anthem data breaches. As these incidents illustrate, a nation-state attacker can have immediate financial consequences for a company, and Moody’s has raised the stakes to include long-lasting financial consequences by downgrading an outlook directly because of a cyber attack.
Historically, the defense and intelligence communities have been primarily responsible for handling nation-state attackers, but the condemnation from a rating company and Congress shows that a private company can be held liable for attacks by a nation-state. Is it right to think that private companies can stand up to the resources of a nation-state actor?
Whose job is it anyway?
When it comes to defending the U.S. against foreign adversaries in the land, sea, air and space, it generally falls to the Department of Defense (DOD) to take action. The cyber domain is a bit more complicated, however. In 2009, the DOD created the U.S. Cyber Command and, although useful in defending classified military networks, it does not have the authority to protect private entities.
Domestic law enforcement also plays a role in helping the private sector. The FBI may assist a private company with a criminal investigation into a cyber attack but can do little to prevent one. It is like filing a police report after your house is robbed — good for tracking down the thieves, but does nothing to predict or prevent the crime from occurring.
This leaves the Department of Homeland Security (DHS), which recently established the Cybersecurity and Infrastructure Security Agency (CISA) to be the coordinating authority across all agencies in the federal government, the states and the private sector. It is not clear how CISA will accomplish this massive task with a relatively small budget. CISA has been slow in passing classified information and warnings from the intelligence community to the private sector, so much remains to be seen about its effectiveness in such a large arena.
What lies ahead
The Equifax downgrade by Moody’s represents an escalation in the “blame the victim” mentality that often follows a nation-state cyber attack. Private-sector companies would be right to take notice of this trend — and take steps to improve security beyond a compliance framework, or “checklist” mentality, toward a more risk-based approach. This latest move ups the ante in liability when it comes to nation-state actors, with the increased possibility that insurance companies will cite “war exclusions” as justification for not paying out.
While most private-sector security could use an internal boost, executives also should demand more action and better policies from the government to defend against nation-state actors. With the costs and risk increasing into uncharted territory, private companies can’t afford to sit on the sidelines of modern cyber warfare, but they shouldn’t be expected to raise the army on their own.
Bob Stasio is a visiting fellow at the National Security Institute at George Mason University’s Antonin Scalia Law School and a former chief of operations at the National Security Agency’s Cyber Center. Follow him on Twitter @BobStasio.