Executives from Neiman Marcus and Target went before the Senate to apologize for the breach that happened last November through December. This boggles my mind for two reasons. First, why only Target and Neiman Marcus? Why isn’t every company that has been breached or hacked required to do a mea culpa in a Senate hearing? Sure, that would mean the Senate would be doing nothing but holding hearings involving corporate breaches, but it’s not like Congress is busy passing bills or anything.
That brings me to my second point. Congress has been mostly silent on the whole issue of cybersecurity. Every so often, it makes a pass at introducing legislation that ends up going nowhere. When it does talk about cybersecurity issues, the story tends to get buried under more important news. Just this week, the media focused on the retailers speaking before the Senate, but an equally important report from the Senate’s Homeland Security and Governmental Affairs Committee went unnoticed. According to the committee’s website:
The report details serious vulnerabilities in the government’s efforts to protect its own civilian computers and networks, and the critical, sensitive information they contain.
As Matthew Standart, director of threat intelligence at HBGary, told me in an email, the findings in the Senate report aren’t surprising and, in fact, reflect the overall state of security in most organizations.
Why government and private organizations don’t make time to improve security has a simple answer, according to Aaron Titus, CPO/general counsel at Identity Finder. Security isn't convenient, it doesn't make money, and it is only ancillary to an agency's primary mission.
However, a lack of security loses money and can destroy an organization’s reputation. I have a friend who is currently struggling with the aftermath of one of these corporate breaches. She found that her debit card information had been stolen and her bank account wiped. The outpouring of anger on her behalf toward the companies possibly involved, as well as toward the bank that said it would take more than a week to restore her funds, clearly shows how much damage can be done in a breach. TK Keanini, CTO of Lancope, explained it best, telling me in an email:
The problem is that cybersecurity is an "everyone and everything problem," not just this computer or that network because it is deemed “critical infrastructure.” Yes, it is important to call these out and label them as such, but in this hyper-connected world, malicious intruders have hundreds of ways to go about their campaign and only one needs to work. My point is that our daily lives, personal and at work, are blurring when it comes to information systems. We cannot just think about the targets attractive to the adversaries and protect just those, because as our world becomes more and more connected, the security of a tiny component someone overlooked, or some combinatory set of minor weaknesses that when combined create a major weakness, gives attackers the strategy they need for compromise. There can no longer be any blind spots created by complex political systems where system A feels that it’s system B's problem: Cybersecurity is everyone’s problem.
Congress has heard from companies that have suffered major cybersecurity meltdowns. It also has a report warning how weak cybersecurity is within its own federal agencies. If these incidents, along with the (long-needed) outcry from the public regarding security issues, don’t spur Congress to finally take action on cybersecurity protective measures, I really don’t know what will.