OPINION
To butcher a very famous quote, are we at war or not?
It is clear that the Chinese and the Russians are at cyber war with us. We have some pretty clear information about what they have been doing and what they have stolen.
What is much less clear is whether WE are at cyber war.
For the most part, the government has played down the hacking by foreign powers. It has not said why, but it is likely partly embarrassment at losing billions of taxpayer dollars' worth of research on defense programs like the F-35 and, more recently, Sea Dragon; partly a wish not to scare people; and partly the fact that U.S. businesses depend on people using the Internet, and people who are scared of it spend less.
During World War II, the government was pretty clear about what was going on (minus a lot of classified details, but those details are not really needed to get the point across) and what every loyal citizen needed to do to help the war effort.
But here is the rub.
According to a recent Verizon security report, only 14% of respondent organizations had implemented even the most basic cybersecurity practices, while 32% said that their organizations sacrifice mobile security for business expediency.
One symptom of that neglect: Internet of Things cyber attacks spiked 600% in a single year.
It appears that, in the absence of being forced to improve security, most companies (100% minus 14%, or 86%) have made the business decision to worry about cybersecurity after the horse is out of the barn.
Laws like the new California privacy law, which lets individuals sue a business after a breach for statutory damages of $100 to $750 per consumer per incident even when they cannot show economic harm, could change that, assuming California does not amend the law first (not surprisingly, businesses are unhappy with that provision).
Take a modest breach of, say, 500,000 records (small by today's standards), assume one record per affected consumer, and multiply by the midpoint of what the law lets consumers sue for, about $425. That is a potential liability of a little over $200 million for that one breach, before the cost of dealing with the aftermath.
Once a company is looking at writing a check approaching a quarter of a billion dollars, enhancing security may start to look like the better choice.
Up until now I don't really blame U.S. businesses for ignoring cyber security. First of all, the odds of getting caught are low. Second, you may be able to get away with not saying anything about it. Some EU countries have reported that the number of breaches reported to them in June 2018, the first full month after GDPR took effect on May 25, equaled the total number reported in all of 2018 before the law took effect.
Why were so many breaches reported in Europe in June?
Not because Europe was under some new form of attack.
Rather, it is because GDPR put real money behind reporting: failing to notify the regulator of a breach within 72 hours is itself finable at up to 10 million euros or 2 percent of global annual revenue, whichever is larger, and the underlying failure to protect the data can draw the top-tier fine of 20 million euros or 4 percent. That is a pretty strong inducement.
So what do you think? Should U.S. companies HAVE to meet security standards? Financial institutions (under GLBA), doctors and hospitals (under HIPAA) and, recently and only sort of, defense contractors (under DFARS 252.204-7012 and NIST SP 800-171) already have to. What about the rest of U.S. businesses?
If we are in a cyberwar, what is our responsibility as U.S. citizens to do about protecting ourselves and our country?
Right now people don't worry about their credit cards being stolen. Why is that? Because, under federal law, they carry little or no liability if the card is misused. I am not suggesting changing that law, but it shows that the law shapes behavior.
I say that we are seriously losing the cyberwar to the Chinese and Russians and others – and not doing very much about it.
Why? Because it is inconvenient and, truthfully, many people say that it is not their problem.
What do you think?
Please post your thoughts here.