Comments from Mike Shultz, CEO of Cybernance, on NIAC report
“This report includes fascinating pieces that go beyond the notion we’re in a pre-9/11 moment, although I do agree with that and most others in the industry would as well. The first line of defense truly is commercial enterprise, and that’s a strong, likely to be underestimated statement. That means there are and will continue to be big-splash attacks, but now attacks are coming against the general economy in seemingly smaller packages with just as much damaging impact, and that’s the part that’s most disconcerting. Looking back at NotPetya a couple weeks ago, that was an attack targeted specifically at Ukraine infrastructure, but the ripple effect was significant and resulted in more than $1 billion in business losses. If we don’t find a way to protect commercial enterprises, the entire economy is at risk.
“Under Obama’s administration, a very effective beginning for mitigating the nation’s cyber risk was their creation of the NIST standard. Under Trump’s administration, that baseline effort was carried forward by the Cybersecurity of Federal Networks executive order and continued support of the SAFETY Act. Now, we’re seeing NIAC seeking the executive branch’s support to drive NIST even further into the economy. Not by regulation, but by incentive. Their belief is that this is the best and fastest way to inoculate the whole economy from cyber attacks, and I think they’re right. They’re not saying we need to have regulations that tell everyone to have specific plans. They’ve said we should find ways to remove the impediments people have to using NIST. By changing some regulations, considering short-term incentives, and even tax incentives, it shows the government can look at things differently to accomplish the cyber resiliency we need for survival.
“We’ve experienced a steady buildup to the current level of cyber risk the country faces. In the beginning, the risk came from solo actors in a basement, then came organized crime, and now we face attacks from sophisticated nation states. To put things in perspective, a few years ago, Target seemed to be the ‘mother of all breaches,’ and today it barely makes the list. With the NotPetya ransomware hacks, the losses approach one billion dollars, with Maersk taking the brunt of the damage. Two weeks ago, an OB/GYN clinic in Philadelphia reported a breach releasing health records of thousands of women. The personal liability could run into the tens of millions of dollars, effectively wiping out the clinic and its owners. From small businesses to the largest ocean-going container shipping company in the world, the commercial losses run into the billions. This is most certainly an existential threat to the entire U.S. economy.”