Today, the major threats facing every nation in the world are digital in nature. In response, most – if not all – countries implement serious measures to counter these threats and enhance the overall security of their networks.
As such, securing cyberspace is a high priority today for every country’s administration, but not all of them. Some are more interested in jump-starting their economic efforts by stealing commercial intellectual property or subjecting a competitor to downtime from within the digital realm.
These countries sometimes lack in technical expertise but they make up for it in malice. Shamoon’s use of Disttrack in November 2016 to destroy nearly 30,000 computers at an oil production company in Saudi Arabia is just one example of this. Alternatively, when they don’t wipe a computer, attackers oftentimes steal terabytes of confidential data and release it to the public.
To deal with this growing threat, every country must leverage the forces of the market by motivating the private sector to make the sort of dynamic and continual investment required to secure companies’ diverse networks.
Below are some recommendations I feel countries should incorporate into their cybersecurity strategies.
Every nation should pursue a cybersecurity policy that avoids an expensive and cumbersome regulatory approach. Instead, they should incorporate the key elements that will produce dynamic cybersecurity defenses. The key elements include the following:
Undertaking Powerful International Cybersecurity Engagement
A nation needs a comprehensive set of policies if it wants to take an active role in combating espionage and cybercrime. It must increase and continue coordination and cooperation with its friends and allies. Taking it one step further, it should lead the international efforts to persuade nations that utilizing cyberspace for malicious purposes either against their own people or other nations to change their policies is wrong.
It must also respond to other nations’ aggressive cyber campaigns with economic and diplomatic measures designed to discourage cyber-aggression. State-sponsored, large scale cyber-espionage must be prevented by making the cost to bad actors unacceptably frustrating or large. The response should also include subjecting those that stole intellectual property and other information to criminal charges and other legal actions, curtailing visas for guilty parties and ceasing naive cooperation.
Encourage and Allow the Development of an Effective and Valid Cyber-Insurance Business
The government must support the development of accountability standards – doing so could prove to be difficult but it could enhance the security activities and awareness if done with industry cooperation. As the liabilities and risks are better understood, the cybersecurity insurers could take the lead in building “actuary tables.”
From these tables, they could vend the insurance on a risk-based model. The finer the security of a company, the lower it pays in premiums. The private sector would be pushed by market-driven solutions to invest in accurate levels of cybersecurity, thereby avoiding onerous and outdated government regulations.
Protect the Cyber-Supply Chain
As the components of smartphones, tablets and computers are almost the same and other gadgets are made worldwide, it’s important to evaluate supply-chain operations, practices, and security methods. Perhaps a non-governmental organization could be established, one that could make its evaluations public and give grades to the supply-chain operation of a technology company.
An organization could charge more for its products if it receives a very high grade. A buyer could take a chance with potentially less secure and less expensive items if he wanted to economize. Customers would be able to make informed decisions based on risk.
Consider a Controlled and Specified Cyber Self-Defense Authority
Nowadays, an organization doesn’t know what its rights to self-protection against hackers really entail. What does an organization do if it is attacked? Call the local police or the FBI? Can an organization with strong capabilities fight back if it is attacked?
No one wants the vigilantes rampaging about with no parameters or controls. In order to avoid that, legislation should create basic and restricted rules for self-defense only.
Expand the Push for Training, Education, and Real Awareness
This of greater security awareness effort must seek to end both hype and ignorance. Let people know the truth about cyber threats and provide them the tools they need to protect their businesses, their homes and, more importantly, themselves.
This effort should reach every community in the country at all levels. Regular training should also occur regularly in every government entity and organization.
Employ and Develop a Strong Cyber-Workforce
Anything we do in military, business and government can get affected by cybersecurity. Every nation needs to adjust certification and visa practices and promote science, technology, engineering and mathematics (STEM) to ensure that the brightest and best can utilize their skills to advance its security.
This effort should also update the security clearances process and utilize the pools of talent the nation has in its hacker communities, businesses and military. Any law must enable this effort and encourage it by all possible means.