Shifting cybersecurity towards a proactive and cooperative paradigm 
Commentary

Proactive measures that foster collective resilience could be more effective than the current compliance-focused approach.

The past year has been tumultuous for cybersecurity. Giants like Apple, Boeing, and Bank of America have disclosed cyberattacks. Current federal regulations emphasize incident reporting and assigning liability, incentivizing companies to focus on compliance instead of improving their cybersecurity measures. Companies would be better served by policies that incentivize voluntary information sharing and quick recovery from cyber incidents. 

Take the MOVEit Transfer hack, a recent devastating attack that exposed the personal data of more than 60 million individuals and 130 organizations. Such data can be used for crimes like identity theft and financial fraud, and its exposure causes reputational damage. MOVEit victims included the U.S. Department of Energy, Shell, and the University of Georgia.

Zero-day attacks like the one on MOVEit are some of the most critical threats in the digital era. These threats earned their name and reputation because developers were unaware of the security flaws before the attack happened: they had zero days to address the issue. Because there is no existing patch to fix the vulnerability, systems are exposed and operators are left scrambling to respond in the aftermath of a security breach. Zero-day attacks are also on the rise and comprise roughly 62% of all exploits, almost twice as prevalent as exploits of vulnerabilities for which patches are already available.

To combat such threats, effective cybersecurity policy must be preemptive and strategic. Such an approach should recognize that breaches, like natural disasters, can and will occur despite best efforts. Therefore, the focus should be on creating digital infrastructures that can quickly rebound from attacks. Policies under this approach should incentivize proactive behaviors that contribute to an organization’s ability to respond to breaches and recover. 

The Biden administration's approach to cybersecurity does not necessarily encourage proactive behaviors or rapid recovery from cyberattacks, focusing instead on mandatory incident reporting and liability assignment. Regulatory efforts that have emerged in the past 12 months, including the 2023 Cybersecurity Strategy and the U.S. Securities and Exchange Commission and Federal Trade Commission rules, largely mandate compulsory incident reporting, intended to mitigate damage from specific incidents and to investigate how they were perpetrated. Compulsory reporting is not an effective way to prevent cyberattacks, because it often incentivizes companies to report the bare minimum needed to satisfy legal requirements. Organizations may then become concerned with the repercussions of reporting incidents, such as damage to their reputation or stock price, leading to underreporting or late reporting, which can impede swift collective responses to emerging threats.

If regulatory action and market intervention focused on encouraging organizations to adopt a proactive approach to cybersecurity, including regular information sharing and collaboration, the stigma of reporting breaches could be lessened. If organizations operate in an environment where incident disclosure is normalized and viewed as a responsible corporate action, the negative repercussions on reputation and stock price may be diminished. For instance, if companies know that their peers are also openly dealing with cyber threats, they might feel less isolated in their experiences, reducing the perceived negative impact of such disclosures. 

An alternative approach could promote the voluntary sharing of information regarding security threats and vulnerabilities because there is a mutual benefit in doing so. This approach builds trust among participants and encourages a full and frank exchange of information. It is grounded in the belief that more data and shared intelligence lead to greater agility and preparedness against evolving cyber threats.  

Prominent examples of successful voluntary information sharing in cybersecurity include the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Cyber Threat Alliance (CTA). FS-ISAC serves the global financial industry by facilitating the exchange of information on cyber threats and vulnerabilities among its members, enabling them to respond swiftly and effectively to cyber incidents. It is a member-driven non-profit organization whose board of directors consists of cybersecurity executives from top financial institutions.

Similarly, the CTA, a collaboration among cybersecurity vendors and researchers, aims to enhance the cybersecurity of the global digital ecosystem by sharing high-quality cyber threat intelligence. It requires all members to share a minimum amount of intelligence and anonymizes all victims and sensitive data. Its board of directors consists of experts with intelligence and industry experience. Both examples illustrate that voluntary information sharing can significantly bolster collective cyber resilience.

The Bureau for Cyber Statistics proposed by the Cybersecurity Solarium Commission (established by Congress in 2019 as part of the John S. McCain National Defense Authorization Act) could play a pivotal role in this endeavor, serving as a central repository for cybersecurity incident data, analyzing trends, and disseminating key insights to fortify collective defenses against cyber threats. 

Another problem with our federal approach to cybersecurity is the push to assign blame or liability and levy penalties after a breach. This punitive approach leads organizations to purchase cyber insurance, which disincentivizes them from building resilient systems and gives them a false sense of security. Additionally, it can create an environment in which organizations fear disclosing vulnerabilities or breaches because of the prospect of penalties or fines.

Our cybersecurity policies must be as dynamic and resilient as the threats they aim to counter. The MOVEit Transfer hack of 2023 and the pervasive menace of zero-day attacks starkly underscore the inadequacy of a purely reactive framework that focuses on assigning liability. Instead, we must pivot towards a model that values the readiness and recovery of our digital infrastructures as much as their initial fortification. By fostering a culture of openness and cooperation, we can catalyze a more robust and rapid response to cyber threats.