It’s hard not to notice that constant breaches of data under corporate care have become our new normal. Headlines seem almost redundant — another data breach revealed, some very tardily. In this barrage of breach announcements, we hear more and more about cyberattacks on corporate data stores that originate with state actors. So, whose job is it to protect against foreign state attacks on corporate data stores?
“As we all have witnessed: no company, individual or even government agency is immune from these [cyber] threats.” So said Marissa Mayer, former Yahoo CEO, during her November Senate testimony on the Yahoo breach. Despite years of heading off many cyberintrusions and leveraging white-hat hackers to test their defenses, Mayer says Yahoo still does not know exactly how “Russian agents intruded on our systems and stole our users’ data.”
Last year, North Korean hackers almost succeeded in stealing $1 billion from the New York Federal Reserve after hacking into the Bangladesh Central Bank. The misspelling of “foundation” as “fandation” is the only thing that stopped the heist. Let’s not forget Pyongyang’s Sony Pictures hack, aimed at stopping the release of an unflattering movie.
In 2011, North Korea’s leader Kim Jong-un started investing beyond cyberattack prowess for warfare, with a new focus on training hackers for theft, harassment and political score-settling. Researchers believe that one fifth of Pyongyang’s cyberattacks originate from its hackers stationed in India, while other attacks are routed through Malaysia, Nepal, New Zealand and other countries.
“Only stiffer enforcement and stringent penalties will help incentivize companies to properly safeguard consumer information and promptly notify them when their data has been compromised,” said Senator Nelson during the Yahoo hearing. The Senate committee chairman added that the patchwork of state regulations on breach notifications must be replaced with a federal law.
On another front, the SEC plans to update its cybersecurity guidance for publicly traded companies after the Equifax fiasco. Equifax discovered the attack in July but waited until September to inform shareholders. During that window, Equifax executives sold company stock; a company investigation exonerated them. A senior SEC regulator wants faster cyber-intrusion notices to investors and a revision of post-breach insider-trading policies.
Is federal cyber-regulation of the private sector the answer?
In a Friday the 13th London speech, DOJ’s Rod Rosenstein said law enforcement’s goal is to disrupt and deter future attacks and punish cybercriminals. The Deputy Attorney General observed that “foreign criminals regularly break into systems to steal ideas that make our nation strong and competitive in the global marketplace.” Rosenstein recommends that corporations tell law enforcement immediately when they discover a breach, in part so the company can gain access to sophisticated government tools.
What is law enforcement doing to head off these attacks before they happen?
Is Homeland Security doing enough to help corporations protect data from cyberattacks?
Ransomware attacks sure got corporate security folks’ attention this summer. WannaCry and NotPetya wreaked havoc on companies from FedEx to Merck.
SC Magazine places heaps of blame on the National Security Agency (NSA) for these attacks. The NSA originally discovered the Microsoft security vulnerabilities, didn’t tell anyone, and let its own hacking tools for the flaws get stolen by cybercriminals.
If the NSA can be hacked, how can corporations fend off nation-state and sophisticated hackers?
Then there’s the ultimate economic cyberattack — where a nation-state aims to shut down the power supply or scramble bank records with a cyberattack. The NotPetya attack gripped Ukraine’s power grid this summer. Ukraine claims Russia was behind this cyberwarfare.
Wired reports that the NotPetya October follow-on, the “Black Rabbit attack” — which locked hundreds of machines and hampered critical infrastructure in Russia, Ukraine, Germany and Turkey — may raise doubts about Russian involvement in NotPetya. One of the cybersecurity firms commenting on the situation, though, is under F.B.I. investigation for links to Russian intelligence.
Is this a spy novel or what?
These massive, destructive attacks on critical infrastructure, along with data manipulation, worry the head of the US National Security Agency (NSA), Admiral Michael Rogers. Let’s remember that a vast swath of US critical infrastructure is run by the private sector.
How will we protect corporate data stores from nation-state and rogue cyberwarfare, let alone run-of-the-mill profit-seeking hackers?
Isn’t the private sector’s job commerce and innovation? Yet in the digital economy, corporations must also be extremely sophisticated data security companies. After all, they leverage our personal data for profit, right?
The European Union’s GDPR is about to usher in massive corporate liability for data privacy, though “cybersecurity,” a major source of data breach risk, is not mentioned in the regulation.
Does the government need to take a wider role in combating state-actor cyberattacks on corporate data? What new public-private models are needed to protect corporate data stores? Whose job is it to protect against state-actor cyberattacks on the private sector?
Food for thought.