Reality Check...
Between the long lines at gas stations due to the Colonial Pipeline cyberattack and the potential threat to our food supply due to the attack on JBS, the world’s largest meat supplier, we are realizing the importance of cybersecurity to our daily lives. We are starting to have a real conversation about cybersecurity. Christopher Wray, the FBI director, has rightly compared cyber-attacks with acts of terrorism. Gina Raimondo, Secretary of Commerce, has warned us that ransomware attacks are here to stay. This is the new normal. We will not be fighting primarily with tanks and aircraft, nor will suicide bombers be the threat we once imagined. Instead, the threat comes from criminals and state actors sitting behind their computer screens.
So where do we go from here? The federal government has been taking the right steps. We are recognizing the threat and putting in the necessary federal resources to counter it. Our approach has been fairly piecemeal for the past 12 years. While the Obama administration created US Cyber Command under Strategic Command and funded the Computer and Infrastructure Security Agency at DHS, bipartisan efforts to create a legislative strategy to counter the cybersecurity threat stalled in Congress under pressure from the US Chamber of Commerce. The Trump administration did make the CISA Office permanent, gave Cyber-Command independent status, and allowed for regulation of the DOD supply chain. However, there was a general downgrading of cyber-threats in terms of national security. Finally, we are seeing a more integrated approach.
Just like the war on terror that took on a local approach (“See something, say something”), cyber-security also needs to be local and regional. Economic development should include a cybersecurity component. We are realizing that our infrastructure now includes broadband access, the Internet of Things, telecommuting, and smart grids. Therefore, we should include the security of this infrastructure as part of implementation and maintenance.
Of course, businesses must make cybersecurity a priority. Businesses and organizations should plan and monitor their cybersecurity efforts. Organizations should be asking themselves: What applications and devices are they using? Are they supported with updates? How do they handle passwords? Are personal devices allowed? How secure are home offices for telecommuting? Are all of these policies formally written out? Ultimately, organizations must assess what they are doing to create a culture of cybersecurity.
All of this has costs. However, avoiding these costs in the short term can have much more expensive long-term consequences.