The worldwide damage inflicted by cyberattacks is estimated to be $575 billion per year, of which $125 billion is here in the US. Those who steal personal financial information rack up charges on credit cards causing a loss to credit card companies or retailers. Sometimes the criminals engage in the more damaging identity theft from consumers. Cybercrime costs show up as tainted information, damage to privacy, reputations, equipment, software and sometimes litigation.

Government intelligence agencies and law enforcement organizations (LEOs) routinely ask companies for surveillance help on consumers. Sometimes they “legitimize” the request with a court order and sometimes they do not. Consumers are aware of government pressures on companies to reveal private information. Some consumers expect companies to play hardball before handing over private information but some feel they have nothing to hide and would allow the company to cooperate with law enforcement. Companies cannot simultaneously comply with both preferences so they resist until a court order removes their freedom and limits the damage they can suffer from litigious customers.

US government agencies usually ask companies for the information, but criminals and nation state rivals don’t bother asking. They feel free to invade company databases and steal whatever data they want. They conduct whatever denial of service or reputation damage they have chosen to inflict, leaving the rest of us to clear up the $575 billion mess.

There are weak spots in our nation’s “security.” There are ineffective security practices in government and businesses. LEOs have a disappointing track record of arresting and keeping cyber criminals imprisoned. Courts inconsistently protect consumers from LEO and intelligence agency breaches of their privacy. It is unclear whether our military is incapable of repelling nation state attacks or whether they are playing possum to protect sources and methods.

Government owns three and a half of the four weaknesses. To correct our security protections, government must lead by example. Stuffing the Federal Register with regulations will not help. Government must get its own house in order by making the departments and agencies resistant to cyberattack and quick to recover.

When government decides to systematically improve its security footing, its senior management must be people who understand security. Federal security needs to be built on deep subject-matter competence and teamwork. The government will also need to invest in best-of-class equipment and software, not the usual “low bid” dreck. Creating world-class security for the US government cannot be done on a shoestring budget.

President Obama’s Commission on Enhancing National Cybersecurity released its report on December 1, 2016. Its central theme was that we face a challenge in catching up with the risks that face us in cyberspace. The Commission’s proposed actions are worth noting, along with our observations (in italics):

  • The public and private sectors should collaborate to identify, protect from, detect, respond to, and recover from cyber incidents affecting critical infrastructure. The private sector will need immunity from lawsuits if they are expected to reveal their own shortcomings and the identity of suspected criminals. We have a decade of collaboration on Critical Infrastructure protections.
  • All federal agencies should require the use of strong authentication by their employees, contractors, and citizens using federal systems. This may be even more polarizing than requiring a picture ID to vote, so expect protests.
  • The Departments of Justice, Commerce, and Homeland Security, the Federal Trade Commission, the Consumer Product Safety Commission, and the private sector should assess current laws on liability for harm caused by faulty IoT devices. Minimize lawsuit cost and delays.
  • Develop the equivalent of a cybersecurity “nutritional label” for technology products and services, linked to a rating system of impartial, third-party assessment that consumers will intuitively trust and understand. This decent idea informs consumers and avoids litigation.
  • Inform consumers of their cybersecurity roles and responsibilities as citizens and develop a Consumer’s Bill of Rights and Responsibilities for the Digital Age. Privacy is the central issue.
  • Train 100,000 new cybersecurity practitioners by 2020. Let’s start with IT-savvy students.
  • Increase engagement in the international standards arena to garner consensus from other nations and promote the use of sound, harmonized cybersecurity standards. Don’t expect nation states to cease cyber-spying.

The key omission from the Commission’s report was upgrading federal departments’ security practice. The departments are clearly vulnerable as shown in the OPM breach that exposed millions of federal employees’ private and security clearance data, the IRS taxpayer scams that led to false refund claims, the Pentagon email breaches, the Navy personnel information breach, and cyber-thefts of R&D weapons information from military contractors.

The Commission’s report can be helpful, but it needs to emphasize repairing government security practices, and it needs to be funded, staffed and acted on. It’s unclear whether any of that will occur.