When Target paid $18.5 million in 2017 to settle the multistate investigation of the 2013 cyberattack on its systems, the settlement became the largest ever reached for a data breach. For Target, the payment added to the already crippling fallout of the breach, which entailed large losses of revenue and credibility—not to mention the risks passed on to the 41 million customers whose payment card details had been compromised.
Whether businesses and regulators are adequately equipped to stop such attacks in the future was the focus of a recent panel discussion at the Richard Paul Richman Center for Business, Law, and Public Policy. The panel featured Judith Germano, Senior Fellow at the NYU Center for Cybersecurity and NYU Center on Law & Security and Founder of GermanoLaw LLC; Timothy Ryan, Principal of Assurance Services, Fraud Investigation, and Dispute Services at Ernst & Young LLP; and Matthew Waxman, Liviu Librescu Professor of Law and Faculty Chair of the National Security Law Program at Columbia Law School. The discussion, moderated by Richman Center Senior Fellow Jesse J. Greene, hit a somber but measured note: Although advanced technology is key to countering the threat, it is insufficient on its own. Just as important are the building of trust and the sharing of information between regulators and businesses. To bring this about, more cohesive government policy is critical.
One hopeful sign is that the 2013 Target breach and its aftermath marked "a real sea change" in cyberthreat awareness, said Germano. For executives everywhere, the firing of Target's CEO, followed by the lawsuits, inquiries, and Congressional testimonies, was a wakeup call, making them "realize the importance of getting things right."
But awareness does not mean proper preparation, the panelists stressed. Ryan explained that better cyberdefense will take a paradigm shift by both companies and regulators. And time is of the essence. Recalling the mega-breach of Sony Pictures by hackers from North Korea in 2014, Ryan added: "There's going to be a day when a large corporation is taken offline by a nation-state not just because of a motion picture."
Below are five policy takeaways from the discussion.
1. Government regulation should balance vigilance with self-restraint.
One obstacle to regulating cyber preparedness is the pace of technological advancement, which will always be more rapid than legislative change. Policymakers must take this into account, the panel stressed. Waxman explained that while cyber tools evolve by the day, "legal development is by design slow. Legislation was designed by the constitutional framers to be a slow process." This means that highly specific rules and cybersecurity compliance standards can become obsolete before they are even adopted.
Another challenge is the sheer complexity of corporate information systems today, which makes for endless scenarios of how attacks can unfold. Indeed, only a small percentage of firms have fully adjusted to this new reality themselves by conducting broader system mapping and deeper contingency planning than ever before. But although businesses have a long way to go—a recent Harvard Business School survey found that only 21 percent of U.S. firms treat cybersecurity as a board-level issue—Germano noted that "self-regulation has already proven effective" in many cases.
A better policymaking strategy is thus to exercise restraint and focus on the big picture while drawing on the private sector's mounting experience. "Can market incentives result in the right level of investment in cybersecurity?" Waxman posed to the panel. "Not entirely, but mostly, the answer is yes. The government is not likely to do a better job of plugging those holes."
2. Systemic preparedness matters as much as expensive technology, if not more.
For all the attention on private- and public-sector budgets devoted to cyberdefense, what is needed even more urgently is a change in how companies think about cyberthreats, Ryan said.
Too many companies are still "assuming the state of non-attack," he explained, which leaves them unaware of existing vulnerabilities until a breach occurs. They should instead assume it's inevitable, with the only unknown being its severity, and focus on developing and testing response plans. Above all, companies should know what sensitive information they hold. "I'd be happy if companies understood all the systems they have to begin with—forget about keeping them patched—or were even aware that they have this 2003 server in the back room," Ryan said.
Germano echoed this point: A firm may think that it only has a certain controlled set of sensitive personal information, she said, "but in fact not realize that they've just signed on to a digital marketing platform that's collecting a significant amount of additional data."
Before we get to next-generation cyberdefense, such as smarter machines able to check and fix themselves with minimum human guidance, we need to address the basics. "The basics may not require a ton of money," Ryan said. "But that's the hard part, right? If you could just spend your way out of a problem, that would be easy."
3. Policy challenges posed by cybercrime demand a more streamlined government response.
The recent proliferation of government departments and agencies, often with overlapping reporting demands, poses a headache for private firms, the panelists argued.
As just one example, a company that works in the financial sector but also services utilities might juggle two distinct sets of compliance standards, each with its own testing and auditing requirements. The burden grows if it works with third-party vendors, or if it is based in a state such as New York or Colorado, which have recently introduced their own cybersecurity standards to supplement federal ones. These regulations can be onerous, Germano said. Worse, they can reinforce a culture of slapdash "check-the-box compliance" at overburdened companies—precisely the approach they are meant to combat.
What we need instead, Waxman said, is a streamlined government agency to deal with cybersecurity needs—one that is "not just efficient and agile but also very fluent in working with the private sector, and one that is able to attract and retain top talent in the field."
4. The government can have the most impact by promoting new best practices.
Although excessive regulation can be harmful, policymakers could play a key role in nudging the private sector toward a new agreement on cyberthreats and how to face them. Think of the early industrial age, Germano suggested, when governments helped build a new consensus against rampant industrial pollution. "Eventually, we figured out this is not safe. We can make it better."
Similarly, the government today could "promote certain best practices and establish certain baseline practices as generally effective," Waxman added. Even at the broadest level, however, these practices would need to be tailored to specific companies and institutions, he cautioned. And they would have to constantly evolve—because so will technologies and threats.
5. Focus on prevention, not punishment, in designing government regulations.
There might be unforeseen drawbacks to the government's current emphasis on liability and legal prosecution of data breaches. "We may be devoting our attention in the wrong place," Ryan said. "As we're drawing this rift between government and industry, we could be doing better by bringing them together."
A better model would take some of the legal burden off of firms, he said. One example is workers' compensation for workplace injuries, under which injured employees no longer have to prove negligence on the part of their employers. "We may want to think of that in terms of cybersecurity," Ryan added. "How do we prevent the harm, rather than how do we punish the employer whose employee got injured?"
A similar delineation of responsibilities between the government and the private sector in the case of data breaches would have the added advantage of building up trust—a crucial component of any comprehensive effort to bolster cyberdefense.
A big part of the eventual answer "lies in the exchange of not just information but also human capital between the public and the private sector," Waxman said. Shifting the odds in favor of the cyber defenders, rather than the attackers, would take a much more unified front, he added, "and this is an area where we still have a long way to go."