The U.S. should treat cyberattacks as a national disaster

In recent weeks, the Biden administration has increasingly treated cybercrime as a national security issue. The topic headlined discussions at both the conference of leading industrial nations and President Joe Biden’s meeting with Russian President Vladimir Putin. And officials have vowed a broader response in the wake of last week’s ransomware attack on the Kaseya software platform, which affected over a thousand companies worldwide.

Almost simultaneously, federal law enforcement sent a powerful message about its capabilities by initiating efforts to recover bitcoin paid to certain cybercrime groups, including the successful recovery of some of the ransom paid by Colonial Pipeline, and to override access to certain foreign-backed websites linked to misinformation and theft.

These efforts are an important turning point in how the U.S. government engages with cybersecurity and state-sanctioned cybercrime. Still, diplomatic and law enforcement efforts, much like forward-looking regulatory solutions, do little to address a critical consequence of cybercrime that is affecting much of America today: the recent surge in cyberattacks is threatening to cripple businesses and hamstring government at nearly every level, from hospitals to meatpackers, and from municipalities to federal agencies.

The result is a largely unaddressed disruption that threatens to pass substantial costs to the American people. Because of this, it may be time to treat cyberattacks as not just a national security issue, but as a national disaster.

The economic consequences of cybercrime are staggering. The FBI reported nearly 800,000 potential cyberattacks last year and, according to IBM, the average cost of a cyberattack to a company is just over $8 million. Due to underreporting of financial crimes, the FBI estimates the real number of cyberattacks could be nearly five times as high.

While some companies have insurance to help mitigate costs, others do not. Many small businesses, in particular, did not foresee themselves becoming the target of state-sanctioned hacking cartels. Either way, the cost of cyberattacks is being passed to consumers through increased prices or increased insurance premiums, at a time when inflation worries are already at the fore.

So how do we mitigate the cost of state-sanctioned cyberattacks? By treating them like the disasters they are and providing government-backed relief for affected businesses and insurers.

One approach could be to create an agency, or task the Cybersecurity and Infrastructure Security Agency, with acting as the cybersecurity version of the Federal Deposit Insurance Corporation. The goal would be to provide government-backed, mandatory cybersecurity insurance that could help cover remedial costs, such as forensic investigations and credit monitoring, in the event of a cyberattack.

An FDIC-style agency could also help administer regulations and provide resources for front-end cybersecurity protections. And it could supplement or underwrite private insurance, thus helping to prevent undue loss to insurers in the event of another upsurge in cyberattacks.

There’s good precedent for establishing an agency like this in response to a disaster. The FDIC was created in 1933 to guarantee deposit funds and prevent economic loss in the event of bank failures similar to those during the Great Depression. At its beginning, the FDIC was primarily government funded, but it is now entirely member-funded, albeit with a substantial government-backed line of credit to cover costs in the event of catastrophe. Banks are required to take certain steps to mitigate this risk.

A similar approach could be used for cybersecurity. A federal cyber insurance agency could initially be paid for by the government to provide immediate relief to affected businesses and prevent inflation. Then, as costs become more predictable, funding, as well as certain required protections, could be shared among businesses, with the welcome safeguard of a government-backed line of credit.

Another viable approach would be to declare state-sanctioned cybercrime a major disaster akin to a terrorist attack or natural disaster, thus making Federal Emergency Management Agency funds available to cybercrime victims to cover non-insured costs.

Given the Biden administration’s actions over the past few weeks, this seems like a logical next step. If cybercrime is a national security issue significant enough to discuss with world leaders, shouldn’t cybercrime victims be eligible for the same FEMA disaster relief that victims of a physical attack would be if one of those same world leaders launched a conventional assault on the United States?

In addition to providing timely relief, there is an added benefit to this approach: removing the risk of economic loss to affected businesses will help incentivize the reporting of potential cyberattacks. Increased reporting, in turn, will provide law enforcement with critical information about cybercrime trends and footprints, aiding efforts to disrupt cybercriminals before they strike American businesses and infrastructure.

Regardless of what relief, if any, is implemented, it remains important to begin viewing the recent surge in cybercrime for what it is: a national disaster fomented largely by foreign cartels hurting American businesses and risking our personal data. Unless we find a way to mitigate the cost of this disaster, we may all be forced to pay the price.

Anthony J. Hendricks and Jordan E.M. Sessler are attorneys with Crowe and Dunlevy’s Cybersecurity and Data Privacy practice group. They wrote this column for The Dallas Morning News.
