White House, businesses hit snooze button after Petya, WannaCry wake-up calls

Despite devastating impact of cyber attacks, motivation to spark preventive action lags

WannaCry was a wake-up call. Petya is a wake-up call. Last I checked, wake-up calls were meant to bring about change.

After WannaCry, we saw a massive surge in patching around the globe, not to mention a 22-year-old “accidental hero” in the U.K. who helped halt the malicious software. It’s proof that beating the drum continuously to public and corporate institutions about serious cyber defense tactics doesn’t seem to do the trick, and once again we will see a tangible drop in cybersecurity activity until the next big attack. It will only keep getting worse.

The question is quite simple—why aren’t organizations doing more about this? We witness the answer every day: Most organizational leaders refuse to support their internal teams when asked for procedural change or proper funding for cybersecurity defenses—which cuts their bottom line.

In practice, it’s quite easy to see the lack of emphasis given to cybersecurity when it warrants only 3–6 percent of IT budgets, and oftentimes that number includes risk management. Moreover, our community is just now scratching the surface of providing tangible cybersecurity reports to the organizational board level, meaning its level of import is still not equal to that of numerous other reporting requirements.

There are strict physical safety measures imposed on numerous industries, like seat belts and airbags, yet we need look only at the current U.S. administration and its public stance on cybersecurity to see an instance of unbelievably insufficient governmental policy.

The entire intelligence community and the cybersecurity community that supports the government know and have known the Russians have sophisticated teams and methodologies that have been used to attack us for years. This administration seems to have turned a blind eye to our national defense given its consistent refusal to admit Russia’s complicity.

This makes a bold statement that the White House has no intention of preventing, at a policy level, cyber attacks. There are still gaping holes in the federal CISO and White House CISO positions and we haven’t received any movement in policies or executive orders of any substance.
