U.S. Corporations Need Military-Caliber Cybersecurity Capabilities and Methods

Today’s cyberthreat landscape presents unprecedented risks to the nation’s private sector and to our economic security. Major security breaches, some of them state-sponsored, at Target, Home Depot, Sony, and Equifax have damaged market value, tarnished reputations, and caused revenue losses and recovery expenses.

As foreign governments develop offensive cyber weapons, they are increasingly using them not only for spying, but also for corporate espionage and to disrupt critical public and private infrastructure in rival countries. Over the years, a number of notable incidents have demonstrated this new tactic.

Fraternal Jackal (APT33), an Iran-backed hacking conglomerate, launched Operation Ababil in 2012, a cyberattack on 46 banks in the United States. The 10-month attack caused intermittent outages at the banks and demonstrated Iran’s willingness to attack our nation’s financial infrastructure.

In 2015, China and the United States signed an agreement not to steal trade secrets from one another. However, last year American defense contractors and energy technology firms suffered many cyberespionage campaigns attributed to China.

Just this month Russia executed hundreds of cyberattacks against United States and European energy grids as well as oil and gas pipelines, harming both public utilities and the commercial sector. All of this is nothing short of war fought by other means.

Similarly, as companies adapt to workforces of the future and people connect more of their lives to the Internet, more threat vectors emerge.

The internet of things, for example, has proven revolutionary by connecting smart devices, from appliances and cars to sprinklers and home automation. But in the rush to market, companies frequently skipped security, leading to worldwide Distributed Denial of Service attacks such as the 2016 Mirai attack against Dyn Corp. that caused massive outages at Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix, and at much smaller companies.

Surveys of executive-level cybersecurity leaders show that many corporations are only partly equipped to fend off sophisticated cyberattacks from state-sponsored hackers. For instance, the average breach is not detected for 191 days after a network has been penetrated. Imagine an intruder entering company headquarters and searching through file cabinets, scurrying through research labs, and copying the most sensitive intellectual property for months before security noticed; you can start to understand the severity of the problem our nation faces. Understandably, major security breaches are likely to cost executives their jobs. But damages go far beyond that.

The decision to invest in a company comes down to trust that the company produces solid and dependable services. Data breaches violate the inherent trust among shareholders, which could erode public confidence in the fundamental institutions of American society. But too often, the boardroom treats cybersecurity as an afterthought, or a “cost center” instead of something essential to the “bottom line” and corporate survival. This reckless attitude can lead companies to develop products, and only later introduce security to protect them. This might have worked in the 1980s, but it is not an effective strategy today. Now, best practices dictate that security be a key player from the start and that leading-edge approaches be used.

Defending against state-backed hackers requires layers of defenses, starting with proper employee security training, detection and alerting platforms, and network segmentation. However, to harden the environment, companies need to embrace defense-grade encryption and insider threat programs, and lay a network of cyber tripwires to attract hackers to a honey pot stocked with bogus databases, traceable documents, and alerts that trigger when imposters log into accounts. Such tools and techniques are available to forward-thinking companies, and when necessary our government should be forthcoming in providing them to industry.

Similarly, the private sector should be eager to adopt lessons learned from the people most focused on protecting the country – our military. Building defense-grade security requires adopting new technologies, network segmentation to protect sensitive information, monitoring and addressing insider threats from employees, and advanced analytics to uncover threats. Incident response and cyber analysts are vital to detect threats, mitigate risks, and manage to the actual threats facing the company and sector. Trained neural networks and artificial intelligence can be a force-multiplier in endpoint protection and network defense. Obviously, the government and the private sector have different missions, but the need to protect information is vital, at the Pentagon and in corporations.

The national security community’s cyber infrastructure is far more protected than the private sector’s. Foreign adversaries understand that attacking softer infrastructure, including manufacturing, transportation, and banking, can inflict severe economic damage on our country and reap economic and technological advances for our adversaries. It is essential that the private sector realize it is targeted by hundreds of nation-backed hacking conglomerates and quickly adopt defense-grade strategies and technology to better protect itself.

Michael Marks, a founder of Synthesis Partners, is the former assistant director of the Office of Science and Technology Policy and a former senior policy adviser to the under secretary of state for security assistance, science and technology.

Morning Consult