Over the past few years, the recent, vigorous push towards a tighter level of cybersecurity by global regulators has hardly been greeted with open arms by the business sector. Yet as high-profile incidents of hacking continue, something’s becoming pretty clear: Not only are regulations like the CCPA necessary, but they’re not even enough.
“I would have to argue that we’re not in a very good place right now,” as one of cyberspace’s most influential figures, Dr. Vinton Cerf, stated a few weeks ago on the topic of cybersecurity.
Although probably most known today as Google’s Chief Internet Evangelist, Dr. Cerf is also a co-founder of the Internet, having co-designed its original architecture and TCP/IP protocols. He also holds the National Medal of Technology, the Turing Award, the Presidential Medal of Freedom and a handful of other lifetime achievements. (Disclosure: He’s also a mentor of mine.)
With a job title that literally involves predicting the future of the Internet — and paid to do so by the company that has perhaps come to best define it — Dr. Cerf’s sober-minded assessment of the global state of cybersecurity should give us all pause.
The problem areas he identifies are many. “We have not learned to write software that does not have exploitable bugs,” he said. “Standards are still not widely spread.”
Among consumers and remote workers who access sensitive data repeatedly throughout the day from a variety of devices — a trend that has sharply accelerated in the wake of the Covid-19 pandemic — “there’s a confusion about what exactly it is that needs to be secured.” Two-factor authentication is a good thing, and effective, but wildly inconvenient. For those of us who have dozens if not hundreds of accounts, password management has become a task, and a risk, unto itself.
“We have not supplied adequate, easily-used technology for the general public to secure itself,” he concluded. “And I would argue that in the enterprise space, we have a similar problem.”
It Takes a (Cyber) Village
Dr. Cerf was speaking at a webinar held by SecureTheVillage, an organization created to promote a sense of cybersecurity as community and civic duty. By providing the “knowledge, skills and commitment needed to meet the ongoing challenges of cyber crime, cyber privacy and information security,” the group works to transform people and organizations into “CyberGuardians,” per its own mission statement.
It’s an expansion of the age-old maxim “it takes a village,” adjusted for the Internet age. And it’s a philosophy that’s well past due. As Dr. Cerf explained in that SecureTheVillage Leadership Council Meeting from July 8, 2020, “It feels to me like there’s a whole lot of work to do here.”
The work he’s talking about involves serious, concerted efforts “to educate the public, to provide tools for the public, to use technology to protect themselves and to facilitate protection in the private sector.” In short, to instill in people — in everyone — the importance of cybersecurity. It’s a call to protect not just ourselves, but the entire global online community as a whole.
Why is that worth doing? Why is it our problem, in the private sector? Because it’s the Internet that we all use: After all, when one house catches on fire, the entire neighborhood is at risk of going up in flames.
To this end, Dr. Cerf and others have floated such ideas as a “cyber fire department,” or a cybersecurity first responder group that’s made up of volunteers (such groups do exist on some community levels). The idea is to protect ourselves by offering protection to the most vulnerable among us — in this case, small businesses without the capacity to hire their own IT departments, for instance.
And, based on data from the SBA, that’s probably most of them: Businesses with fewer than 20 employees account for 89 percent of all businesses in the United States. That’s almost 9 in every 10 businesses that most likely doesn’t have the operational resources needed to give cybersecurity the appropriate level of attention. And that’s a risk to us all.
A New Age, with New Cybersecurity Norms
So, let’s say we can all agree on the need for huge, system-wide change. How do we get there?
Dr. Cerf has pointed to the necessity of creating cybersecurity norms that are accepted on an international basis and baked into everyone’s day-to-day sense of personal responsibility: A mutual agreement that could potentially develop into something like an international treaty to truly protect online interactions.
And this isn’t a philosophical “what if,” but a culmination of a process that’s been researched and pondered over for, quite literally, decades. Last year, the Global Commission on the Stability of Cyberspace (GCSC), of which Dr. Cerf is a member, issued a report that represented the bulk of that knowledge. Called “Advancing Cyberstability,” the report calls for the widespread adoption of four central cybersecurity norms to permeate the public and private sector:
- Responsibility: “Everyone is responsible for ensuring the stability of cyberspace.”
- Restraint: “No state or non-state actor should take actions that impair the stability of cyberspace.”
- Requirement to Act: “State or non-state actors should take reasonable and appropriate steps to ensure the stability of cyberspace.”
- Respect for Human Rights: “Efforts to ensure the stability of cyberspace must respect human rights and the rule of law.”
The GCSC has concluded that these new norms are “critical for ensuring the stability of cyberspace,” and embody a principle that calls “on all parties to be responsible, exercise restraint, take actions, and respect human rights.”
And, if the task of getting everyone to sign on to community standards seems impossible, well, that may well be true. There will always be bad actors. But it would at least, like the Geneva Convention, give us all an agreed-upon set of values to enforce, and an ideal towards which to aspire. And, in doing so, give hackers a much narrower field of exploitation.
In the meantime, the closest thing we have to such universal cybersecurity norms — and the best place to start for businesses who see the need to kick their data protection efforts into high gear — is adoption of a sweeping cybersecurity framework like the NIST.
Named for its creator (the National Institute of Standards and Technology), the NIST framework is the most widely used by American companies. Developed by the U.S. federal government in collaboration with leading industry figures — and constantly updated — it represents the most accepted universal form of data protection and security available to organizations. Read more about NIST here.
‘Assume That All Networks Have Been Compromised’
The bottom line here is simple: Shoring up cybersecurity is a burden we must all bear, from the smallest business to the largest corporation. If the Internet is to continue to function as a safe and prosperous place to do business, we must all make the effort to protect it from outside forces.
Dr. Cerf bases his conclusions in part from his dozen-plus years as one of Google’s leading strategists. He has spoken of that company’s dawning realization that, under the current structure, we simply can’t eliminate risk, but only minimize it.
“We came to the conclusion that we should assume that all networks have been compromised — including our own.”
If they’re saying that at Google, can you really say any differently at your organization?
It’s not too late to change our thinking. But to really get the job done, we’ll need everyone’s cooperation. I would encourage anyone reading this to acquaint themselves with the GCSC’s report. Exhaustively laying out the key challenges and solutions of cybersecurity today, it’s a lengthy but highly compelling read — particularly if you’re interested in staying ahead of the new cybersecurity regulations (and their ominous penalties).
The entire SecureTheVillage webinar is worth checking out, too. Self deprecating and full of wisdom, Dr. Cerf’s talk includes more than just a stark assessment of cybersecurity but a quick tour through the history of the Internet and its commercialization, too. You can find it here.
And another disclosure: In addition to being a former colleague of Dr. Cerf and many individuals within the GCSC and SecureTheVillage (where I sit on the board), I’m also CEO of Omnistruct, a global cybersecurity solutions platform.
Our goal is to leverage the “people-focused” priority of the new cybersecurity norm to help usher organizations into the new age of security, on an organization-wide basis. If you’re interested in learning more about how we can help you achieve a more effective level of data protection, feel free to reach out to me here. I also invite you to attend our webinar on Governing Your Business’ Cyber Privacy and Risk that we are conducting with SecureTheVillage on August 13th… And stay safe!