It emerges clearly from the comments of Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), at a recent Congressional hearing on Chinese cyber operations, and from documents leaked from a Chinese hacker-for-hire ring, that there is a growing threat from, and a growing market for, cyber vulnerabilities. Even more alarming, however, was Easterly’s assessment that “we made life easy” for attackers through poor software design. Protecting our systems and preventing a society-wide or economy-wide attack like the one Easterly and her colleagues described to Congress will require a society-wide effort to reshape the cybersecurity market so that it produces technologies that are both high-performance and safe.
The cybersecurity statistics for 2023 paint an even clearer picture of how easy it is for hackers: in Chromium, the engine that powers Chrome and Edge, eight previously unknown vulnerabilities (zero days) were identified. Even software designed to keep users and networks safe has not been immune to compromise. CISA opened 2024 with an emergency directive requiring federal departments and agencies to fix a number of vulnerabilities in VPN software designed to protect employee connections to federal networks. In the coming months it is also likely that the creation of a market for hacks and hacked data by companies like iSoon, as well as the growing offensive threat posed by artificial intelligence, will make cyber defense even more challenging.
As CISA articulated in its Secure by Design initiative, vendors are the first step toward creating technologies that are both safe and usable. Taking security into consideration alongside performance and functionality from day one of a product’s development will not only help build a secure technology stack, but will also ensure that products truly balance security and performance instead of creating roadblocks to a good user experience disguised as security features. But even CISA’s ambition to bring Secure by Design to life as a regulatory framework is insufficient to drive the sea change needed to turn the tide against emboldened, AI-enabled hackers: without market support, even the most well-intentioned and well-informed regulations will turn into a box-checking exercise.
Cyber risk is a business risk
To protect our economy and privately run infrastructure, companies must realize, as Easterly said, that “cyber risk is a business risk” and incorporate cybersecurity into all of their business practices. By raising the stature of CISOs and giving them holistic oversight of the entire company’s cybersecurity, especially procurement decisions, companies can make cybersecurity an organic step in their business processes. In doing so, cybersecurity will become less of a last-minute obstacle to business effectiveness and more of an enabler for building a technology ecosystem and operating model that is both safe and successful.
As executives prioritize cybersecurity as a factor in their strategic decisions, cybersecurity and IT professionals – two closely related but often conflicting groups – must come together to build networks that are both secure and functional for their users. IT professionals must realize that shortcuts that bypass security controls in favor of user experience or network efficiency pose unnecessary risks to their companies; in exchange, cybersecurity professionals must proactively seek out technology that gives users a good experience while insulating them from technical risk. Both groups need to work together to create workforce training that is based on a real-time understanding of the risks employees face and that enables them to make good decisions about those risks, rather than the annual, quarterly or monthly training that is too often done in the background while employees do their “real work”.
The final piece of a comprehensive approach to cybersecurity is both the most difficult and the most critical: integrating cybersecurity into citizens’ daily lives. While CISA and the U.S. government have placed much of the burden of secure development and secure decisions on corporations, citizens must realize that the stakes in cybersecurity go far beyond individual credit cards and bank accounts. The apocalyptic scenario of a simultaneous outage of power, water, and communications brings these challenges into focus, and everyday citizens must be willing to increase their computer literacy and compliance to prevent this scenario from coming to fruition. Just as we accept and respect the incessant tones that remind us to fasten our seat belts while driving, we must accept small cybersecurity “nudges” such as multi-factor authentication for sensitive personal and work accounts.
It is easy to catastrophize the consequences that a Chinese cyber attack could bring – and it is certainly worth talking about response, resilience and recovery policies. It is harder to look in the mirror and realize that, in our rush to develop, purchase, and consume feature-rich technology, we have made things “easy” for our adversaries. But it does not have to be that way. If we work together and integrate cybersecurity into our corporate and individual thinking, we can make life harder for hackers and safer for ourselves.