What's the Government's Role in Protecting U.S. Businesses from Cyberthreats?
Succeeding in today’s intensely competitive global marketplace is challenging, to say the least, but with an ever-growing pool of cyberattackers specially trained to access and cripple large computer networks, international competition is no longer just tough, but can be downright vicious.
With manufacturing coming back to the U.S. for a variety of reasons, some believe countries that have enjoyed a thriving manufacturing industry over the last decade or so view maintaining a competitive edge as a matter of national security. Rumors of state-sponsored cyberattacks have been circulating for years, but, for the first time ever, foreign officials have been indicted on charges of economic espionage, computer hacking and other offenses against U.S. businesses. This has some international companies pressing the panic button, scrambling for ways to protect their most valuable information and networks.
In light of the growing threat to U.S. commerce from overseas, in 2013, the U.S. government commissioned the National Institute of Standards and Technology (NIST) to develop a “Cybersecurity Framework”—a set of “best practices” for U.S. business and industry that consists of standards, guidelines and practices to promote the protection of critical infrastructure. The first version, released in 2014, is entirely voluntary, and NIST says it will “help align critical infrastructure of owners and operators with existing resources that will assist their efforts to adopt the Cybersecurity Framework and manage their cyberrisks.”
But not everyone is convinced the U.S. government should be handing out such advice. Researchers with George Mason University’s Technology Policy Program conducted a study on federally sponsored cybersecurity practices and concluded that, because cyberthreats are constantly evolving, cybersecurity cannot be tackled by a one-size-fits-all solution. The study also suggested such an approach could thwart creativity in business and industry, where some of the best solutions are developed. And because the federal government does a relatively poor job of protecting itself from cyberattacks, the study argued, U.S. businesses should have little faith that following these standards will protect them.
The study suggested a better solution is to “promote private cybersecurity insurance that would provide competitive coverage for cybersecurity breaches that is tailored directly to the unique needs of each industry and organization.” This would, in turn:
• Promote proactive risk reduction efforts to decrease insurance company costs. Insurance companies would use audits and rate pressure to encourage clients with substandard security practices to improve.
• Teach insurance companies best practices from experiences with their clients and continually improve the net level of cybersecurity by developing better recommendations and standards.
• More accurately price and distribute risks and liabilities.
Some members of Congress are attempting to address the issue of cybercrime by introducing legislation aimed at lessening the blow of attacks on U.S. companies. U.S. Senators Chris Coons (D-Del.) and Orrin Hatch (R-Utah)—members of the Senate Judiciary Committee—introduced what’s being called the Defend Trade Secrets Act to help combat the loss of an estimated $160 billion to $480 billion each year in the United States to the theft of corporate trade secrets. The act would empower companies to protect their trade secrets in federal court by creating a federal private right-of-action. The bill has been endorsed by the National Association of Manufacturers, the U.S. Chamber of Commerce and companies including 3M, Abbott, AdvaMed, Boston Scientific, Caterpillar, Corning, DuPont, GE, Eli Lilly, Medtronic, Micron, Microsoft, Monsanto, Philips, P&G, and United Technologies.
State governments have also responded to growing cyberthreats, enacting laws to help protect their own interests and those of local businesses. All but three states—Alabama, New Mexico and South Dakota—have enacted data breach notification laws in order to track and address attacks on state governments and the companies operating within their states.
Joel Beres—an intellectual property attorney for Stites & Harbison in Lexington, Ky. and a founding member of the firm’s Intellectual Property and Technology Service Group—says many inconsistencies in cybersecurity law exist across state governments and, because of this, it can be difficult for businesses that compete on a national and global scale to stay in compliance with so many different regulations.
“The laws are not the same across the 50 states, so if you’re a manufacturing company doing business nationally, you may have different obligations to provide notice in Kentucky than you would in California,” said Beres. “And there are different time periods to provide the notice, different means of providing the notice, and a variety of ways to do it. And that’s just if you’re doing business in the United States. If you also are doing business in Europe, you’re subject to the European Union’s and individual nation states’ laws, as well.”
Cybersecurity in the industrial sector is a complex issue. It is becoming even more complicated as new, more sophisticated threats are introduced, and as new laws are passed to help curb cybercrime. While it remains to be seen how impactful governments can be in deterring attacks on U.S. manufacturers, the ultimate responsibility lies with the manufacturing community itself.
Today’s manufacturers must make a company-wide commitment to remain educated on the latest threats to their internal networks. They must employ strategies to prevent and manage attacks, from the C-suite to the shop floor.