NIST provides risk management framework for cyber attacks against U.S. business


WASHINGTON — The chairman of the U.S. House Intelligence Committee said it is “shocking” how long it has taken the United States to recognize the threat to the nation's economic prosperity presented by Chinese hackers.

Rep. Mike Rogers, R-Mich., a keynote speaker at Business Insurance's inaugural Cyber Risk Summit last week, said hackers work for the Chinese government to steal U.S. businesses' intellectual property as part of their day job, then accept cash from Chinese companies to hack into U.S. businesses during their free time.

“We need to be incredibly aggressive about sending messages to the hackers that we're coming to get you, that we're not going to play this game anymore,” Rep. Rogers said.

The situation with the Chinese “is so bad and so breathtaking. It is shocking it has taken us so long” to perceive the real threat this represents “to economic prosperity in the United States,” said Rep. Rogers.

Citing last week's U.S. indictment of five Chinese military officials for alleged cyber spying, Rep. Rogers advised, “Put your helmets on; it's going to be a bumpy ride.”

Cyber risks also abound inside the United States.

On the federal level, much of the focus has been on the U.S. Department of Commerce's National Institute of Standards and Technology's final framework to improve cyber security, which suggests voluntary standards to help companies mitigate legal liability from data breaches and other cyber threats.


Andrew J. Grotto, senior adviser of technology policy at the U.S. Department of Commerce, said the framework is a starting point, “especially for organizations that are less mature in terms of their awareness and ability to manage risk,” to develop best practices.

“It's not a silver bullet,” Mr. Grotto said.

Tom Finan, senior cyber security strategist and counsel in the U.S. Department of Homeland Security, said companies with cyber insurance that follow best practices eventually should benefit from lower insurance rates. However, the business case to invest in ways to control cyber risks has not been made, he said.

Top management often treats cyber risks as an “IT problem,” which he said appears to be the result of potential costs and reputational damage not being reduced to terms that nontechnical businesspeople can understand.

Thomas M. MacLellan, director of the Homeland Security and Public Safety Division of the National Governors Association, said the Washington-based group has recommended five ways to address cyber security issues to establish a “culture of risk awareness”: establish a framework on the subject; conduct risk assessments and allocate resources accordingly; implement continuous monitoring; ensure that states have a security methodology; and focus on the “weakest point,” meaning people.

Gene Fishel, senior assistant attorney general and chief of the computer crime section of the Virginia Attorney General's Office, said data breaches occur almost daily, three-quarters of them involving small businesses.


“Our first goal as an enforcement authority is to make sure that if a company or organization has suffered a data breach, that the consumers or people impacted are notified as quickly as possible,” Mr. Fishel said.

Aaron R. Lancaster, counsel at law firm Dickstein Shapiro L.L.P. in Washington, cited a federal judge's April ruling allowing the Federal Trade Commission to sue Wyndham Worldwide Corp. for allegedly failing to adequately protect personal information of the hotel chain's customers.

“Most states have broad consumer protection statutes that are modeled after the FTC,” with the “same ability to enforce unfair and deceptive trade practices that the FTC has,” Mr. Lancaster said.