The truth is much more boring: It’s what we’ve always dealt with. Sure, in a post-Stuxnet world, there are more countries than ever dabbling in cyberwarfare. But they’re generally relying on the same sort of software flaws hackers have been using for decades. If this is all old hat, though, why aren’t we getting better at preventing major cyberattacks? Simply put, there still isn’t enough motivation for organizations to step up their security practices — even in the midst of an avalanche of headline-grabbing attacks.
“The larger problem is you have to think about how to get people to do the basics — get them updating and using better authentication,” James Lewis, senior vice president at the Center for Strategic and International Studies, told Engadget. “I don’t think there’s enough of an incentive yet for the market to do this. And when the market isn’t doing it, you have to think of regulation.”
After a series of cyberattacks targeted New York financial and insurance companies — including the 2015 Anthem breach, which exposed personal data of 78 million people — the state responded with one of the country’s first sets of cybersecurity regulations. It requires that financial-service firms hire a chief information security officer (CISO) to manage and document their cybersecurity plans. Additionally, companies must notify New York’s Department of Financial Services of any breach attempts and ensure third-party firms that handle their data implement their own cybersecurity measures.
The New York regulations force potentially vulnerable companies to step up their efforts and accept accountability. Even with the looming threat of losing customer data, it’s difficult to make huge companies change their security behavior on their own. While it’s too early to tell if the regulations have actually helped stop any major attacks, the measures are at least more proactive than what organizations have done in the past. On the national front, Trump’s cybersecurity order doesn’t bring much to the table aside from more calls for surveillance.
“The economy would be better off if we could deregulate. That doesn’t work for cybersecurity,” Lewis said. “Companies hate regulation, I get it. But then you’re going to say, ‘Well, we’re giving up on public safety.’” He likens the current situation to how American car companies, in particular Ford, were resistant to seat belts and other safety regulations in the 1960s. And that was despite widespread research that seat belts would save customers’ lives.
“Many of the temporary standards are unreasonable, arbitrary and technically unfeasible,” Henry Ford II, then-CEO of Ford, warned at the time. “If we can’t meet them when they are published, we’ll have to close down.”