Addressing cyberthreats: A Q&A with the U.S. Chamber of Commerce
Vincent Voci offers insight and practical tips for midsize businesses
Despite a rise in cybercrime, many middle market companies may not be aware of the range of resources and regulations set up to track and respond to incidents.
RSM spoke with Vincent Voci, U.S. Chamber of Commerce senior policy manager for cyber, intelligence and security, about government assistance available at the federal and state levels.
RSM: What action has the federal government taken to protect businesses from cybercrime?
Voci: The Trump administration has prioritized cybersecurity for federal networks and critical infrastructure with a May 2017 executive order. The action calls for reviews of electricity disruption incident response capabilities, workforce development, market transparency and the threat of botnets, which are a series of connected devices tasked with performing a specific mission. A series of reports is expected to be signed by the President later this year.
In April, the National Institute of Standards and Technology (NIST) released an update to the 2014 Framework for Improving Critical Infrastructure Cybersecurity. The update provides best practices for mitigating cyber threats that midsize companies will find useful. As we said, business leaders and policymakers view the framework as a pillar for managing enterprise cyber risks and threats, including at home and increasingly abroad.
Meanwhile, the White House Council of Economic Advisors produced a report on cybercrime earlier this year. It estimates that in 2016 alone the cost of malicious cyber activity to the U.S. economy was between $57 billion and $109 billion. Alongside the report, the Trump administration has been active in calling out state-sponsored malicious cyber activity.
In addition, many private-sector organizations have robust reports for tracking cybercrime, including Verizon’s 2018 Data Breach Investigations Report and Symantec’s Internet Security Threat Report, to name a few.
RSM: What actors are government most closely watching?
Voci: Certainly, there’s been a great deal of attention paid to malicious cyber activities stemming from Russia, including incidents related to the 2016 U.S. presidential election.
The Trump administration has also called attention to China’s unauthorized intrusions into U.S. commercial computer networks and the cyber-enabled theft of intellectual property and sensitive commercial information. In addition, the U.S. government indicted Iranian individuals earlier this year for their role in a massive cyber theft campaign on behalf of the Islamic Revolutionary Guard and formally attributed a separate attack last year to a hacking group linked to North Korea.
The U.S. Chamber and other organizations closely watching cybercrime are aware that the Trump administration is taking a visible and active role in calling out malicious cyber activity and imposing consequences on individuals and entities found in violation of established norms for acceptable behavior in cyberspace.
RSM: How can the U.S. government keep up in such a fast-changing environment?
Voci: The road ahead for Congress is uncertain. Significant Senate attention is focused on a bill to reauthorize the Department of Homeland Security. One positive addition to the draft bill is language to reorganize the department’s cyber operations into a Cyber and Infrastructure Protection Agency.
However, with recent high-profile cyber incidents, including breaches at Facebook and Uber, some cyber observers speculate the time is right for a privacy and data security bill. It’s unclear if there’s enough political momentum and time in the current legislative calendar for such a bill to be drafted and considered by either chamber of Congress.
Meanwhile, recent turnover at the White House’s National Security Council will seemingly slow some of their initiatives.
The bottom line? Don’t expect the cavalry to come from Washington to solve cybersecurity challenges for midsize businesses. Cyber continues to be a domain where public policymaking will lag behind industry advances in technology, processes, best practices and standards.
RSM: What agencies or sites can provide assistance to midsize companies?
Voci: There are several options for midsize companies looking for resources or to report cyber incidents.
First, look to industry guidance. Some organizations are bound by regulatory requirements related to disclosure of incidents or data security requirements. It’s a good idea for all organizations to reach out to their sector-specific information sharing and analysis center. Commonly called ISACs, these groups are member-driven and provide hazard, threat, and mitigation information; they typically don’t include regulators, government representatives, or law enforcement officials.
Depending on an organization’s risk management needs and resources, engaging a law firm that specializes in cyber issues or purchasing a cyber insurance policy to help with risk management and incident response planning can be particularly beneficial.
Finally, businesses can turn to federal law enforcement. Each of the FBI’s 56 field offices now includes a cyber task force. Separate field offices set up by the Secret Service include 40 electronic crimes task forces around the country. FBI resources include public-private information-sharing bodies such as InfraGard, the Domestic Security Alliance Council and the Internet Crime Complaint Center, or IC3.
RSM: What proactive measures should companies take?
Voci: The U.S. Chamber recommends reaching out to local federal law enforcement and building relationships prior to incidents. The Department of Justice has also been fairly active recently in training attorneys in its U.S. Attorney offices as specialists in cybercrime investigations. It also offers voluntary cyber incident guidance for organizations.
We encourage midsize businesses in states and municipalities that don’t have an FBI or Secret Service field office, or an office of the U.S. Attorney, to reach out to state and local law enforcement. They should inquire about law enforcement’s capabilities and expertise in cybercrime investigations. In addition, the Secret Service operates the National Computer Forensics Institute (NCFI) in Hoover, Alabama. The Institute trains state and local law enforcement, prosecutors and judges on cybercrime. If your jurisdiction doesn’t have sufficient local knowledge, ask officials to consider sending a representative to the NCFI for training.
Finally, the Department of Homeland Security is significantly expanding its Cybersecurity Advisor (CSA) program across the country. CSAs offer assistance to help prepare and protect private sector entities from cyber threats by promoting cybersecurity preparedness, risk mitigation and incident response capabilities.
Ultimately, assistance is available for businesses of all sizes and sectors. State or local chambers of commerce can help organizations navigate the web of three-letter agencies to improve risk management and incident response plans. However, at the end of the day, it’s up to individuals and organizations to manage their own cyber risk.