Panelists Say Corporate Responsibility Extends to Cybersecurity, National Security

By Adrianne Appel

Aug. 12 - Businesses have a responsibility to know what data in their company needs to be protected from cyberattacks, and why, because the nation's security depends on it, panelists at the American Bar Association Annual Meeting in Boston said Aug. 9.

The panel, which included high-ranking government cybersecurity officials, a member of Congress and a contract research scientist for the government, addressed some of the thousands of lawyers attending the meeting.

On Aug. 12, the ABA announced that at the meeting its House of Delegates passed a resolution calling on "all private and public sector organizations to develop, implement, and maintain an appropriate cyber security program." In 2013, the ABA House of Delegates adopted a separate cybersecurity resolution calling for an end to government-sponsored hacking of networks utilized by lawyers.

Determining Vulnerabilities

Companies need to determine where their cybersecurity vulnerabilities are, Sean Kanuck, national intelligence officer for cyber issues at the Office of the Director of National Intelligence, said. "What are you trying to protect, from whom and why? What is it that they want from you?" Kanuck said during a panel on cybersecurity evolution and response planning.

Companies have a responsibility to safeguard their clients' data, Kanuck said. "Think about how careful you are supposed to be with their money," he said. "Do you treat their data the same way?"

Companies should expect that they will get hacked and put systems in place so they can continue to operate once targeted, Harriet Goldman, director of advanced cyber at MITRE Corp., said.

"If someone wants to get at your customer information, they will be successful, even with good cybersecurity,'' Goldman said. "Make the critical aspects of your business resilient. Not the whole business, just the critical parts.''

National Security Issue

A cyberattack on a business that is part of the nation's critical infrastructure rises to the level of a national security issue, Suzanne Spaulding, under secretary at the National Protection and Programs Directorate, Department of Homeland Security, said.

"What happens if the electricity goes out, can we deliver water?" she asked. "If the transportation infrastructure goes down, what are the cascading effects?"

Rep. Jim Langevin (D-R.I.) said threats to the U.S. "come not only from peer or near-peer nations bent on destruction or on economic advantage but also from criminal groups that possess state-level capabilities and have immense skills, great financial incentive, and in many cases legal havens that afford them almost complete sanctuary."

More Regulation Needed

Langevin said he is worried that critical infrastructure businesses, including utilities, haven't added cybersecurity protections.

In February, the National Institute of Standards and Technology finalized a voluntary cybersecurity framework designed to arm critical parts of the private sector against attacks.

In May, Langevin successfully pushed for an amendment to the House Commerce-Justice-Science appropriations bill for fiscal year 2015 to require the Department of Commerce to assess the extent to which companies have adopted the NIST framework.

"The government needs the ability to step in and require basic protections,'' as was the case with the airline industry, Langevin, co-founder of the Congressional Cybersecurity Caucus, said. "Carriers have every financial incentive to act safely to get passengers from A to B," he said. "Yet we still need the Federal Aviation Administration.''

Policies that penalize utility companies if they spend ratepayer money on cybersecurity need to be removed, Langevin said. "We should give industry more certainty that they won't be penalized," he said.

Congress Should Encourage Insurers

Insurance companies are beginning to consider cybersecurity among companies they insure, and this will push the business community toward tighter security, Langevin said.

"Clearly insurance companies have a stake in whether their clients, especially the owners and operators of critical infrastructure, are taking needed steps to secure their networks,'' Langevin said. He added that Congress can encourage the insurance industry forward through incentives in stand-alone legislation or through incentives that would accompany updates to the NIST framework.

On the consumer side, a metric should be established so that shareholders can easily see that a company has a level two of cybersecurity or a level three, Langevin said. "It will go a long way toward making sure companies step up and do what they should," he said.

"There are real questions about the disclosures that companies are making to their shareholders regarding their vulnerabilities in cyberspace," Langevin added.

The SEC's Division of Corporation Finance issued guidance in October 2011 relating to public companies' disclosure obligations for cybersecurity.

Third-Party, BYOD Security

When looking at where the vulnerabilities are within a business, it is important to consider third parties, Kanuck said. "You may have consultants and auditors who have access to your data but who don't have the same security practices as you," he said.

Likewise, it is important to know who your clients are, Kanuck said. "Are they who they say they are?" he said.

Employees and the devices they use are another area to scrutinize, especially if a business has a bring your own device (BYOD) policy, Kanuck said. After a device goes home with an employee, anyone may end up using it. "When you have a BYOD policy, whatever is happening in that household or wherever it may travel, all that is coming into your institution," he said.

Industries need to develop best practices for cybersecurity, with benchmarks, he added.


To contact the reporter on this story: Adrianne Appel in Boston at

To contact the editor responsible for this story: Katie W. Johnson at

The ABA cybersecurity resolution is available at .