The impact of the recent Equifax breach is incredibly widespread. First, 143 million people will have to interrupt their lives and choose one or all of the following: Put a credit freeze on their accounts at all three major rating bureaus, subscribe to a credit monitoring and/or ID protection service, create a monitoring account with the Social Security Administration, change every password on every account, and replace their credit cards with new ones, requiring that they reinstate their billing information on all of their online accounts. This is not just time-consuming and an enormous hassle; it costs real money.
Then what? Assuming their personal IDs have not already been used to charge debt or medical treatment, or to open new credit instruments in their name, they are good to go … until the next breach. Then they will get to do it all over again.
Second, all 50 state governments, along with the Fed, are now drawing up legislation that will force all businesses to implement highly rigorous cybersecurity protections, policies and processes and be able to demonstrate that they have done so, which may be great for the consumer but also represents another creeping entrée into government intervention and control. Those who liked Dodd-Frank will love this. Those who believe in free-market capitalism will hate it.
Examining Dodd-Frank or the Gramm-Leach-Bliley Act will illuminate how poorly the federal government executes what should be a simple regulatory mandate. Not only did GLBA place enormous and undue burden on businesses of all stripes, but it also excluded the ones that needed the most oversight, i.e., large investment bank holding companies.
Dodd-Frank improved the debt-equity balance by pushing banks to raise more capital, but in the process it drained banks of their economic capital by prohibiting value-sensitive banking activities — resulting in a decline of market price to book value for the biggest banks and actually pushing more of them toward insolvency. Consider them two expensive and game-changing regulations that were poorly thought out and riddled with compromise, contradictions and incongruities.
Neither regulation accomplished its stated purpose. Both created a slew of negative unintended consequences, yet both made a handful of politically motivated congressmen look really caring, beneficent and responsive to the little people.
Third, public companies that cannot demonstrate that they have adequate detection and controls in place to prevent similar breaches will take a huge beating in the investment marketplace. Investors will be intolerant of cyber-vulnerabilities, and they are going to have to know that there’s a good set of policies, technologies and processes in place to prevent, detect, and respond to these types of attacks. While it may be argued that this is their just deserts, the economic impact will be startling.
It is one thing to demand that a company show and tell their cyberdefense mechanisms, but it is entirely another to implement the mechanisms that actually work. Those that are capable of detecting and preventing advanced polymorphic malware in 2017 are few and far between.
The cybersecurity industry is far behind the bad guys. The reason for this is pretty simple. When markets are allowed to develop in the absence of a central theme or fail to coalesce around leadership, they quickly become parochial silos and spend all of their capital on self-preservation. This applies equally well to religion, sports, entertainment, politics, the schoolyard, and business. In our business, we have developed over 400 separate products designed to exploit various technologies to solve very specific cyberthreat vectors. None of these were developed with the intent to address a global threat driven by a unifying belief system or set of values. They were and are developed by people hoping to exploit a market opportunity. Which is as it should be.
But now, it is time for the entire industry to step up its game. As we have just seen, the threat from cyberattacks is very real and very present. The impact is now clear and costly. The next inconvenience may well be a crippled power grid, dam, communication system, air- or seaport transportation infrastructure, or military readiness.
Congress will do what it always does. It will take months and maybe even years to pass overcomplicated and politically careful legislation that will miss the mark and bring with it lots of onerous and other-worldly requirements that will be difficult and costly to implement, along with equally onerous consequences. And in the meantime, the bad guys will continue to do what they do. But instead of getting worse, they will get even better.
The cybersecurity industry has all of the tools required to address these threats at its disposal right now. We have highly advanced artificial intelligence and machine learning technologies; really smart, highly motivated people who specialize in information security; and fully developed and matured cybersecurity and risk processes, which, when implemented, will prevent 99 percent of these breaches. Some of the best hackers in the world work right here. We don’t need more regulations. What we need is an infusion of leadership.
An example of leadership is the Chinese government’s Belt & Road Initiative, which has more than 60 countries spanning Asia, Africa, Eurasia and Europe signed up to share in developing three land routes and one maritime route for international trade along the old Silk Road. This initiative, also known as One Belt, One Road, correlated with deep Russian involvement, is possibly the most far-reaching and deep-thinking plan for the future. Regardless of how you feel about it, while our politicians bicker parochially over Melania’s footwear choices, the Chinese are way ahead in strategic thinking, decades ahead.
Whether Belt & Road reaches its full potential isn’t the point. It’s the very fact that there is global yet highly self-centered leadership that invites others in that should give Washington and the rest of us pause for thought. We can’t win this cyberwar through free-market capitalism, and we can’t win it alone.
Steve King is the COO of Netswitch Technology Management.