In recent years, America’s digital infrastructure has become a core vulnerability as international conflicts migrate online, and cyberwarfare becomes an ever-present threat to our nation’s security.
Sweeping breaches like SolarWinds and, more recently, Log4j made it clear that our current defenses can and will be compromised if we fail to shore up domestic protections, with both the public and private sectors equally at risk for exploitation.
Unfortunately, we’ve already witnessed the snowball consequences of these cyberattacks. Last month, analysts discovered that the Russian hackers behind the 2020 breach have continued collecting sensitive data from U.S. agencies and the software providers that serve them.
Even more alarming is the fact that nearly two years later, much is still unknown about the true impact of the original SolarWinds, with Congress currently introducing fact-finding legislation to gauge remaining vulnerabilities. For instance, Rep. Ritchie Torres (D-N.Y.), the vice chairman of the House Homeland Security Committee, has proposed an amendment to the 2023 National Defense Authorization Act that calls for further investigation into SolarWinds. Likewise, the July report from the Cyber Safety Review Board (CSRB) warned that Log4j is far from over, with new vulnerabilities and threat actors discovered regularly.
In the face of these ongoing challenges, the federal government is making promising strides on its mission to bolster domestic cybersecurity protections. Notably, President Biden recently signed two integral bills into law — the Federal Rotational Cyber Workforce Program Act of 2021, which establishes a rotational cyber workforce across federal agencies, and the State and Local Government Cybersecurity Act of 2021, which requires increased collaboration between state, local, federal, tribal, and territorial governments on all cybersecurity issues.
While this legislation marks a vital step toward improving our country’s cybersecurity infrastructure, it’s crucial that the private sector follows suit and applies the fundamental intent of these bills to their internal cybersecurity frameworks and best practices. A unified effort between the public and private sectors is essential in the near term to prevent devastating vulnerabilities from persisting in our digital infrastructure.
Make Cyber Literacy Mainstream
The Federal Rotational Cyber Workforce Program Act points to the essential role technical talent plays in shoring up domestic protections. This legislation establishes a framework through which cybersecurity professionals in the federal government can work with multiple federal agencies to enhance their skills.
Similarly, private companies must bolster their cybersecurity training programs and extend these educational resources to all employees across the company. Given the severity of modern-day cyberattacks, this knowledge can no longer be confined to the data or IT departments.
Current private-sector cybersecurity training is significantly lacking, according to a recent survey which found that 61% of employees who have received cybersecurity training failed a basic test, and those fail rates were even higher for professionals in information services/data (83%) and software (73%). These findings reveal the inadequate breadth and depth of corporate programs, which have fallen short of what is necessary to enhance the skills of even their most technically inclined employees.
In the coming months, it’s essential that private companies invest time and resources into bolstering their company-wide cybersecurity training programs, whether that means outsourcing to an instructional organization that can lead live virtual or on-site workshops, commissioning a detailed video series or establishing a regular cadence of all-hands exercises to gauge cyber literacy.
While the financial investment to build out these programs might seem daunting, leaving your company’s digital networks vulnerable will end up costing you precious management time, partnerships, reputation and much more money in the long run.
Notably, there are funds and resources readily available to those that do invest in their digital infrastructure. For example, companies can claim the Research and Development Tax Credit for activities related to implementing new technical programs and processes, including developing, updating or just integrating their current systems with new cybersecurity training courses and tools, as well as adopting the latest protective software across digital systems.
Another pillar of a national cyber strategy is the development of a cyber workforce for the future. A new bill, the Cybersecurity Grants for Schools Act of 2022, sponsored by Rep. Andrew Garbarino (NY-2) to fund schools that provide cybersecurity education and training, recently passed the House and awaits action in the Senate.
In the long term, this will be helpful to the industry; however, even when this talent becomes available, it will be hamstrung without better collaboration.
Cyber Industry Collaboration is Key
The second piece of cybersecurity legislation signed by President Biden requires governments at every level (local, state, tribal, etc.) to increase their collaboration on sweeping cybersecurity issues, including the sharing of specific security tools and protocols.
The scope of this resource-sharing doesn’t extend fully to the private sector; however, companies would be wise to adopt this “stronger together” approach and independently seek out opportunities to workshop key learnings with other businesses in their industry.
Each sector — from small business to manufacturing, healthcare, technology, agriculture and more — faces unique cyber threats and other industry peers have the most relevant experience to address these issues. As opposed to struggling in isolation, leadership teams must join existing coalitions or form collectives with other entities to promote the democratization of cybersecurity knowledge, as well as advocate for private sector needs at the federal level. The National Technology Security Coalition (NSTC) and the Cybersecurity Coalition are just a couple examples of groups spearheading this effort.
Ultimately, companies can only progress in their digital infrastructure if they work together, and one business’s vulnerability could take down the entire industry. For instance, much of the most critical supply chain is already at risk as hackers become more advanced in their ability to breach not only individual container ships and freight planes, but the various software systems that operate them.
Follow the Security Framework
While the federal government has yet to enact comprehensive cybersecurity legislation that provides support and guidance for the private sector, companies can use the latest bills as the roadmap for their immediate next steps, which points to talent and industry collaboration as the key avenues for safeguarding our digital infrastructure.
As the ripple effects of SolarWinds and Log4j continue to impact public and private entities and new threats make their way onto the global stage, it’s more important than ever for private companies to make cybersecurity investments a top priority.