The White House is expected to issue an executive order aimed at bolstering U.S. cybersecurity efforts — efforts that will be made, in large part, with the cooperation of U.S. companies.
In an afternoon "listening session" on cybersecurity issues, President Donald Trump stated, "We must work with the private sector. The private sector is way ahead of government in this case, to make sure that owners and operators of critical infrastructure have the support they need from the federal government to defend against cyberthreats."
The planned executive order identifies cyberspace as a domain equally vulnerable to attack as land, sea, air and space, with the U.S. government bearing responsibility for protecting the country from cyberattacks that could "threaten U.S. national interests or cause significant damage to Americans' personal or economic security."
In Tuesday's session, officials expressed interest in learning from the private sector's cybersecurity efforts, including those in the energy and power, finance and hospital industries.
"The private sector is wide open to hacking and sometimes by hacking the private sector, you get into government. So we can't do this separately," said cybersecurity adviser and former New York City mayor Rudy Giuliani.
Wide-ranging challenges
Government officials hoping to take a page from the private sector's playbook will uncover wide-ranging challenges around cybersecurity.
Technology conglomerate Cisco Systems recently released its 10th annual cybersecurity report, a snapshot of the enterprise information technology (or IT) landscape, with insights into the difficulties faced by IT departments across various industries.
Cited in the report was a benchmark study conducted by Cisco which surveyed close to 3,000 chief security officers and security operations leaders from 13 countries. One major finding concluded that organizations are only able to investigate 56 percent of the security alerts received on any given day.
A number of obstacles — limited budgets, product incompatibility and a lack of trained talent — prevented IT departments from fully implementing network security measures.
Cisco executives recommend automation as a potential solution. In the case of unanswered security alerts, for example, automatic detection and decision-making could cut down on operational expenses and alleviate the workload of IT personnel.
"That's a perfect place by which we can help us increase as an industry the number of things we see and respond to and, frankly, use technology for what technology was supposed to be used for, which is to help us get to things we can't do," said Cisco senior vice president John N. Stewart.
Spike in spam
In 2016, spam also continued to be a nuisance for companies, accounting for nearly two-thirds of total email volume, according to Cisco's research. Compared to previous years, 2016 actually saw a significant spike in spam and malicious emails.
"If you were to give broad numbers, back in 2010, we probably saw in total spam maybe 4,500 per second," said Stewart, "Whereas in 2013, we probably saw 1,000 per second. Now … we're back up to that 4,000 per second."
An increasing number of botnets, or robot networks of computers remotely controlled to carry out automated actions, made the job of mass spam distribution that much easier.
Adware infections
Adware infections also contributed to cybersecurity woes. Cisco surveyed 130 companies and found 75 percent to have been affected by adware infections. Under normal circumstances, adware, or advertising-supported software, can be a revenue-generator for companies. But when unsuspecting customers or employees click on infected adware, they unintentionally allow hackers access to local networks.
The seemingly invisible costs of cybersecurity vulnerabilities ultimately add up to real-world dollars and cents. Cisco's study found that nearly a quarter of companies which suffered a cyberattack also lost business opportunities, with four in 10 describing those losses as "substantial."
Stewart reiterated the importance of bringing cybersecurity discussions out of IT departments and into boardrooms. "It's a business discussion that can affect revenue, customer loyalty, certainly missed opportunities,” he said. “It has to be brought through into a true business discussion.
"We've been ‘talking tech’ in cyber forever," continued Stewart. "We've used a lot of tech terms. It's got to be about business-based outcomes, and it's only this past year I'm starting to see a real tipping point where that's starting to occur."
