Aug. 12 - Businesses have a responsibility to know what data in their company needs to be protected from cyberattacks and why because the nation's security depends on it, panelists at the American Bar Association Annual Meeting in Boston said Aug. 9.
The panel, which included high-ranking government cybersecurity officials, a member of Congress and a contract research scientist for the government, addressed some of the thousands of lawyers attending the meeting.
On Aug. 12, the ABA announced that at the meeting its House of Delegates passed a resolution calling on "all private and public sector organizations to develop, implement, and maintain an appropriate cyber security program." In 2013, the ABA House of Delegates adopted a separate cybersecurity resolution calling for an end to government-sponsored hacking of networks utilized by lawyers.
Companies need to determine where their cybersecurity vulnerabilities are, Sean Kanuck, national intelligence officer for cyber issues at the Office of the Director of National Intelligence, said. "What are you trying to protect, from whom and why? What is it that they want from you?" Kanuck said during a panel on cybersecurity evolution and response planning.
Companies have a responsibility to safeguard their clients' data, Kanuck said. "Think about how careful you are supposed to be with their money," he said. "Do you treat their data the same way?"
Companies should expect that they will get hacked and put systems in place so they can continue to operate once targeted, Harriet Goldman, director of advanced cyber at MITRE Corp., said.
"If someone wants to get at your customer information, they will be successful, even with good cybersecurity," Goldman said. "Make the critical aspects of your business resilient. Not the whole business, just the critical parts."
A cyberattack on a business that is part of the nation's critical infrastructure rises to the level of a national security issue, Suzanne Spaulding, under secretary at the National Protection and Programs Directorate, Department of Homeland Security, said.
"What happens if the electricity goes out, can we deliver water?" she asked. "If the transportation infrastructure goes down, what are the cascading effects?"
Rep. Jim Langevin (D-R.I.) said threats to the U.S. "come not only from peer or near-peer nations bent on destruction or on economic advantage but also from criminal groups that possess state-level capabilities and have immense skills, great financial incentive, and in many cases legal havens that afford them almost complete sanctuary."
Langevin said he is worried that critical infrastructure businesses, including utilities, haven't added cybersecurity protections.
In February, the National Institute of Standards and Technology finalized a voluntary cybersecurity framework designed to arm critical parts of the private sector against attacks.
In May, Langevin successfully pushed for an amendment to the House Commerce-Justice-Science appropriations bill for fiscal year 2015 to require the Department of Commerce to assess the extent to which companies have adopted the NIST framework.
"The government needs the ability to step in and require basic protections," as was the case with the airline industry, Langevin, co-founder of the Congressional Cybersecurity Caucus, said. "Carriers have every financial incentive to act safely to get passengers from A to B," he said. "Yet we still need the Federal Aviation Administration."
Policies that penalize utility companies if they spend ratepayer money on cybersecurity need to be removed, Langevin said. "We should give industry more certainty that they won't be penalized," he said.
Insurance companies are beginning to consider cybersecurity among companies they insure, and this will push the business community toward tighter security, Langevin said.
"Clearly insurance companies have a stake in whether their clients, especially the owners and operators of critical infrastructure, are taking needed steps to secure their networks," Langevin said. He added that Congress can encourage the insurance industry forward through incentives in stand-alone legislation or through incentives that would accompany updates to the NIST framework.
On the consumer side, a metric should be established so that shareholders can easily see whether a company has reached, for example, level two or level three of cybersecurity, Langevin said. "It will go a long way toward making sure companies step up and do what they should," he said.
"There are real questions about the disclosures that companies are making to their shareholders regarding their vulnerabilities in cyberspace," Langevin added.
The SEC's Division of Corporation Finance issued guidance in October 2011 relating to public companies' disclosure obligations for cybersecurity.
When looking at where the vulnerabilities are within a business, it is important to consider third parties, Kanuck said. "You may have consultants and auditors who have access to your data but who don't have the same security practices as you," he said.
Likewise, it is important to know who your clients are, Kanuck said. "Are they who they say they are?" he said.
Employees and the devices they use are another area to scrutinize, especially if a business has a bring your own device (BYOD) policy, Kanuck said. After a device goes home with an employee, anyone may end up using it. "When you have a BYOD policy, whatever is happening in that household or wherever it may travel, all that is coming into your institution," he said.
Industries need to develop best practices for cybersecurity, with benchmarks, he added.
To contact the reporter on this story: Adrianne Appel in Boston at email@example.com
To contact the editor responsible for this story: Katie W. Johnson at firstname.lastname@example.org
The ABA cybersecurity resolution is available at http://www.americanbar.org/content/dam/aba/images/abanews/2014am_hodres/109.pdf .