Another day, another huge cyber security breach. Last week it was Twitch, Amazon’s live streaming platform, which suffered the public revelation of its source code, the income of its big stars and other sensitive information.
Cyber attacks are rapidly becoming a large-scale, and thorny, global security problem. The US alone suffered an estimated 65,000 ransomware attacks last year, and the enormous SolarWinds hack exposed big gaps in cyber security at the heart of the federal government. That helps to explain why American experts polled recently by Axa cited cyber risk as their single biggest concern this year, and global experts placed it second behind climate change.
The diffuse nature of the problem makes it particularly difficult to address. The attacks come from all over. Some are state-sponsored or ideologically driven, while others are just about money. Many victims are reluctant to admit they have been hacked. Some fear that sharing too much information publicly about methods will simply empower more bad actors.
However, it is rapidly becoming clear that governments must take a much more active role in collecting and sharing information and coordinating the defence. The US Senate is considering a bill requiring government agencies, contractors and critical infrastructure companies to report all cyber security incidents and ransomware attacks to the Cybersecurity and Infrastructure Security Agency within 24 hours or face steep fines. “If we can’t see it, we can’t effectively defend,” Jen Easterly, who heads the agency said recently.
The Australian parliament is moving in the same direction. The EU — which has been ahead on many cyberspace issues — put incident notification rules in place for operators of essential services in 2018.
But notifying the authorities should only be the first step. Investors have the right to know about significant hacks. Clear standards for exactly what that means should be set on a national or global basis, much like the accounting definitions of “material” financial events.
As big companies invest in proper defences, hackers are likely to turn their attacks on small and medium-sized companies, most of which will not be covered by these reporting requirements. If they fail to share their experiences, the hackers will be able to repeatedly exploit the same weaknesses.
Governments need to do a much better job of working together. Hackers do not respect national boundaries, and cyber troubles in one country can cause disruption in many others — as the recent Facebook outage demonstrated.
A global standard-setting body must bring together national regulators to share information about hacks and vulnerabilities, ensure that companies invest in effective cyber defence, and set up supervisory colleges for the biggest multinational players. One possible model could be the aviation safety regime, which brings together investigators and analysts from the home country of the relevant aerospace group as well as those at the crash site. Another way to think of it would be the home/host regulatory structure that is used for banks.
These increasingly common attacks have financial ramifications. The insurance market is struggling to price protection against them, and this may prove to be an area, like terrorism and floods, where a government backstop is required. Cyber attacks are no longer novel. It is time to stop acting as if they were.