I recently attended CDW’s SummIT on Managing Risk in Las Vegas, which brought together many security and risk management professionals from a variety of industries to share information on recent trends and best practices. These experts touched on a number of common themes, such as the challenges of locking down cloud environments and the increasing use of internal cybersecurity “hunter” teams to uncover potential vulnerabilities before attackers do.
But perhaps the most striking conclusion was that cybersecurity has become a matter of national security. Several leading voices in the industry seem to share the opinion that cybersecurity has moved well beyond merely being a business priority.
2017’s Equifax Breach
During his review of the long parade of noteworthy security breaches in 2017, cybersecurity expert Brian Krebs spent some time focused on the Equifax breach. One of the reasons this attack was noteworthy is that it resulted in the theft of personal information of 145 million consumers – names, addresses, birthdates – all the relevant information that would be needed to commit identity theft. That corresponds to roughly 45 percent of the U.S. population.
Following his commentary on the numerous government and private sector breaches last year, Krebs closed his speech with a firm statement: all the malicious activity of the past year was sending a resounding message that cybersecurity can no longer be addressed at the business or enterprise level, and that it had grown to the level of a national priority.
Failing at Security Fundamentals
Another speaker who touched on the theme of cybersecurity as a national security issue was Rick McElroy, a longtime security strategist with Carbon Black. McElroy’s discussion focused on a theme common to many of the most egregious breaches – a failure to handle the basics of data security. He noted the breach of the U.S. Office of Personnel Management (OPM), which was uncovered in 2014.
This attack revealed the personal information of 22 million current and former employees of the federal government – including detailed security clearance information and fingerprint data. The basics of cybersecurity – a functional IT security staff, encryption, two-factor authentication – were not in place at this core federal government agency. Like Krebs, McElroy called out the need for greater cooperation among private and public institutions on cybersecurity issues to address what he also termed a national security threat.
Cybersecurity Affects Us All
Whether you want to quantify a national security threat by sheer number of citizens affected (Equifax breach) or by specific, high-value people targeted (OPM breach), it’s clear that we are all at risk from “bad actors” in the digital world, either directly or indirectly. And there appears to be a growing consensus among cybersecurity experts that we need to think of it as a collective threat.
Recognizing a shared threat leads people to band together and share information, to get creative and come up with new solutions to address that threat. I hope the industry leaders who attended the SummIT on Managing Risk take this message to heart and seek out opportunities to collaborate with their peers on this pressing issue.