In January, FBI Director Christopher Wray testified before Congress with stark warnings about the threats to U.S. critical infrastructure from Chinese hackers. While the briefing will not surprise cybersecurity professionals, his urgency reminds us that American companies and their customers are being targeted by increasingly sophisticated cyber threats every day—victimized by nation-state level cyber tradecraft and highly professionalized extortion.
A wave of government action threatens to alienate U.S. companies at the very moment they are committing ever-increasing resources to cybersecurity and have embraced public-private collaboration. Despite growing cybersecurity budgets, industry leaders struggle to locate the cybersecurity "goalposts" without clear, consistent government direction on what "good" looks like. Business and security leaders will be more willing to align with common-sense cybersecurity standards that are predictable and risk-based.
Inconsistent government intervention or overreach can erode mutual trust and the voluntary information sharing from industry that the government relies upon, since private operators own and run roughly eighty percent of the nation's critical infrastructure. The Department of Defense recognizes this in a 2023 U.S. Cyber Command memo, stating that "the relationships we have built with our industry partners, is game-changing," alongside calls for increased data-sharing.
The 2020 SolarWinds breach was a watershed moment, both for its cybersecurity implications and for the U.S. government's response. The espionage campaign, attributed to Russian state actors, pushed a trojanized update to as many as 18,000 customers and highlighted the danger of weaponized software updates. In response, the Biden administration issued the sweeping Executive Order 14028, intended to address software supply chain vulnerabilities and the nation's broader cybersecurity gaps.
Three years later, the fallout from SolarWinds continues. In October, the Securities and Exchange Commission (SEC) filed a civil complaint against SolarWinds that is extraordinary in its scope and severity. The complaint alleges that SolarWinds and its chief information security officer (CISO) defrauded investors by misstating the company's cybersecurity practices, concealing known weaknesses in those practices and the heightened risk they created, thereby violating federal securities laws.
This complaint arrives on the heels of an expansive new SEC rule on cyber oversight and governance for public companies, one that significantly raises cybersecurity disclosure expectations. While these government measures are intended to drive cybersecurity transparency and accountability, they are not consistently accompanied by traceable, risk-based performance metrics that companies can measure themselves against.
This lack of clarity is evident even in the SolarWinds civil complaint, in which the SEC conflates the National Institute of Standards and Technology (NIST) Cybersecurity Framework with NIST Special Publication (SP) 800-53, two very different documents: the former is a voluntary, outcome-oriented framework for managing cyber risk, the latter a detailed catalog of security and privacy controls. This ambiguity from regulators breeds confusion and can disincentivize cyber defense. The aggressive action against SolarWinds' CISO could also have a chilling effect on attracting the most talented practitioners to security leadership roles.
SolarWinds is pushing back on the SEC complaint to "set the record straight." In a recent blog post, the company insists that the "SEC's misguided complaint threatens to impair our industry's collective security." The January compromise of the SEC's own Twitter account brings to mind the axiom, "Don't throw stones if you live in a glass house."
Demonstrating collective commitment
Both the government and the commercial sector share a consensus view of the threats the country faces from Russia, China and non-state, financially motivated hackers. Given this mutual appreciation, government must strike a balance between establishing a standard of care and marginalizing the progress that has been made in independent commercial…
This article was originally published by www.hstoday.us.