Private sector urged to focus on cyber security defenseReprints
NEW YORK — The private sector will come under increased focus to serve as the first line of defense for cyber security, a former general counsel for the U.S. National Security Agency said Wednesday.
Rajesh De, now a partner at Mayer Brown’s Washington office, made his comments during the law firm’s conference in New York City on the New York State Department of Financial Services’ cyber regulation that requires financial institutions, including insurers, to establish a cyber security program.
The DFS cyber regulations, which became effective on March 1, mandate cyber security standards for any entity licensed or similarly authorized by the department to operate in New York, including insurance companies, agencies and brokerages, as well as certain banks, licensed lenders and money transmitters.
The covered entities would have 180 days, or until Sept. 1, to comply with most parts of the regulation.
“Are we heading toward a world where we have 47 different cyber security state regs —like we do when we have data breach notification — or are we going to have a different paradigm?” Mr. De asked. “New York has clearly put that question squarely on the table.”
In response to a question about the Trump administration’s approach to cyber security, Mr. De said that the general feeling in government even prior to Mr. Trump’s election is that the private sector will be called upon to do more.
“I think for many years the government struggled with how much responsibility it should take for cyber for things outside critical infrastructure,” Mr. De said. “Increasingly, folks are realizing that it’s too big of a problem for the government, in my view, to handle. I think the general philosophic bent of this administration means that philosophy will accelerate.”
Mr. De said cyber threats are far more nuanced today than they were 10 years ago, when cyber security was largely centered on preventing the theft of personal information or intellectual property.
“Cyber security is not just about the stealing of data,” Mr. De said. “Frankly in a few years, I think we’re going to think of the stealing of data like we do of pickpockets, a kind small-bore crime.”
Cyber crime has expanded over the years, Mr. De said, moving from exploitation to disruption such as distributed denial-of-service attacks, to destruction such as the 2012 attack on Saudi Aramco where 35,000 computers were partially wiped or totally destroyed in a few hours.
The next step, Mr. De said, is the manipulation of physical objects through cyber means.
“The only thing worse than stealing your information, or making it inaccessible or even destroying it,” Mr. De said, “is fiddling with it in a way that undermines your integrity, that undermines the confidence of your business system, that undermines the confidence of your customer, and undermines the confidence of whatever system you’re in.”
Mr. De said that in the last 18 months, the world has seen the remote hack of a car and a hack at Yahoo Inc. that affected its acquisition by Verizon Communications Inc. “to the tune of some $300 million.”
There will be increased focus on employee awareness and detection of incidents, Mr. De said.
“The weakness element in any security program is us, people, the human factor,” he said, “and as result of that recognition, regulators are increasingly focusing on topics like employee training, employee discipline, employee policies.”
Mr. De said there’s also increased focus on detection of cyber incidents and how quickly they are addressed, as well as an increased focus on corporate governance.
“In other words,” he said, “are the big bosses paying attention and how are they going to be held accountable?”
This includes focus on board reporting, on the chief information security officer appointment, the executive committee and the management organization as well as corporate governance.
Vendor management and third-party service providers are going to represent the hottest area of cyber security, Mr. De said, “because regulators are increasingly feeling that no matter how secure the primary regulated entity is, the entire ecosystem is only going to be as secure as its weakest element.”