The constant stream of cyberattacks sweeping making headlines may seem almost inevitable by this point. And while sometimes the organizations being attacked have clearly made themselves easy targets by leaving sizable gaps in their cybersecurity defenses, others are simply unlucky to have fallen into the sights of sophisticated, nation-sponsored hackers.
Enough is enough. It's high time our country stopped playing defense and actively fought against these cybercriminals.
Right now, on the federal level, we have seen very few results from our efforts to prevent nation-states from successfully attacking US targets. Businesses, banks, hospitals, and critical infrastructure organizations that fall prey to breaches have no recourse but to react as best they can — try to halt the damage, clean up the mess, suffer the public distrust, and return to normal operations as quickly as possible. The human and financial costs of this can be high. Sensitive personal data can be compromised and sold on the Dark Web. Human lives can be lost when hospital systems go down for extended periods of time. And the costs for firms to engage with all the necessary insurance companies, lawyers, and cybersecurity experts can be astronomical.
Falling Short of Adequate Protections
What's more, evidently, even our own government is falling exceedingly short of adequate protections for its systems, if the recent FBI InfraGard breach is any proof. The InfraGard hacker was simply given access to the FBI's critical-infrastructure intelligence portal after posing as the CEO of a financial institution. This individual's identity was never properly verified (which even a simple phone call might have accomplished), and now 87,000 high-profile cybersecurity stakeholders and private-sector individuals have had their personal data compromised. In addition, some of our nation's classified data may have been exposed as well.
Worse still, the recommendations provided by the FBI came nearly one week after the breach — leaving those 87,000 stakeholders vulnerable and without a clear understanding of what sensitive data was at risk for far too long. While the latest response provided by the FBI appears to be thorough, it lacks accountability for this epic fail of data protection. When attacks are conducted by nation-states or hackers seeking to damage our national interests, as they so often are, our government has a duty to protect its citizens and prevent the attacks in the first place — and as quickly as possible.
In fact, we should be looking to the Australian government for a strong model of how to stand up to cybercrime. In the wake of massive breaches at telecommunications giant Optus and Medibank, Australia's largest private health insurer, in which millions of people's personal data was exposed, Australia declared outright war against cybercriminals. The new offensive, built upon a joint cyber-policing task force between the Australian Federal Police and the Australian Signals Directorate, has one clear mission: Hunt down cybercriminals and disrupt their operations. Some call this “various forms of takedown.”
Not only has this task force already made progress in identifying the hackers behind the Medibank attack, promising they will be brought to justice, it has also made it a point to send a clear message to any and all would-be attackers. As the country's cybersecurity minister, Clare O'Neil, has said, the task force will, "scour the world, hunt down the criminal syndicates and gangs who are targeting Australia in cyberattacks, and disrupt their efforts."
Take the Offensive
Here in the US, we need to follow suit. We need to take the offensive and make it clear we won't allow cybercrimes against American citizens to go without serious consequences.
Implementing even the most basic safeguards requires organizations to take accountability here as well, heading cybercriminals off at the pass — i.e., automating regular password resets, enabling two-factor authentication, encrypting sensitive information, conducting regular penetration tests and, ultimately, having an incident response team at the ready when threats or breaches occur.
While it's heartening to see our Congress' recent steps to prioritize cybersecurity development and protection at the federal level — the following examples are only starting points:
- Sen. Mark Warner's latest proposed policies for healthcare are a good model.
- The House of Representatives is exploring a bill focused on the feasibility of establishing a Cyber Defense National Guard
- The White House Cyber Strategy document suggests sanctions and offensive approaches
- The Senate Committee on Homeland Security and Government Affairs hearings are beginning to address the challenges healthcare faces from cyber threats
Senators Peters, Blumenthal, Hawley, Rosen, Paul, Sinema, and others are also suggesting that the federal government could do more to help. Regulations and defensive tactics can only take us so far, and we need to do more.
It's time to punch back. It's time to get ahead of attacks before they even happen, catching and making examples out of nation-sponsored hackers who attack our national security, our businesses, and the lives of our citizens. After all, the best defense is a good offense.