On the heels of a global cyber security attack that cost billions, the United Kingdom is considering legislation that would charge companies as much as £17m for failing to prevent a cyber attack. Across the pond in the United States, the President issued an executive order, echoing earlier motions from the prior president (in a rare case of bipartisanship), regarding cyber security. The message again: companies and executives, in particular, are responsible for cyber security protection.
Not IT departments. Not government regulatory bodies such as the FCC (Federal Communications Commission). It is a direction we should expect to see more of in coming months and years, but is it right?
The Case Against
Cyber security attacks are not necessarily the direct result of any internal action. Like a fire that can burn down a building, they often are the result of external action, but protective measures help minimize and mitigate damage. In the case of a fire, insurance policies assist in restoration.
Similarly, some industries have moved in the direction of having cyber security insurance. International cyber attacks like the recent WannaCry and Petya malware utilized tools created by the US super-agency the NSA (National Security Agency). Can a company really be expected to secure itself against NSA-level cyber threats? Even national governments often fail at that.
Speaking of international governments, many of these recent cyber events are thought to have state-sponsored cyber actors behind them (specifically, Russia and North Korea). If foreign foes want to damage western economies, can individual companies really be held responsible?
The Case For
When a major event occurs at a company, the ripple effect impacts many others. For example, the National Health Service getting hit by WannaCry caused major chaos. When British Airways suffered an IT event on a major travel weekend, the economic impact extended well beyond their own services.
Those in favor of holding companies directly responsible for cyber security protection cite these reasons for such measures:
- Cyber security attacks can be the result of internal threat actors.
- The majority of malware events result from employee action or negligence, which companies could be made to resolve through internal training.
- System updates prevent many major cyber security events—both the WannaCry and Petya viruses exploited vulnerabilities that Windows had already patched.
- Holding the heads of organizations responsible is thought to increase pressure on leadership to learn about and resolve cyber security weaknesses, weaknesses that impact both other businesses and the state economy.
Considering the remarkable preventability of most cyber security events, making individual companies responsible for their own cyber security protection, with financial penalties for failures or negligence, may increase the pressure sufficiently to diminish the power of future cyber attacks. One thing is certain: we can expect that more cyber security attacks, of both greater strength and greater frequency, will occur in the months and years to come. Cyber events are not going away.
Cyber Security Protection
As legislation moves to hold companies and heads of companies responsible for cyber security, new issues of responsibility will arise. Those issues will be up to the courts to resolve. In all likelihood, to avoid such fines, some companies will argue that cyber events are beyond their control. Such arguments will also have some footing. That back-and-forth could go on for many years to come, perhaps indefinitely (like so many other issues of liability).
In the meantime, superb cyber security protection, with industry-specific insight, already exists. The tools and protocols of the future, which at some point may become required, can already be implemented and applied. An ounce of prevention is worth a pound of cure, after all.