Regulatory enforcement is our best weapon against cyberwar

The war in Ukraine demonstrates that modern warfare is not just wielded on the battlefield. The war started with attacks on Ukrainian websites and computers, and it continues with Ukraine’s supporters attacking Russian targets. On May 12, 2021, President Biden issued an executive order to improve cybersecurity for the federal government. However, when it comes to the private sector, all Biden administration initiatives are voluntary and depend on the goodwill of private companies.

Unfortunately, this is not sufficient. While there are no methods that can completely safeguard networks and systems against cyberattacks, to increase the odds that our country will not be paralyzed, regulations that will enforce cybersecurity principles on products and infrastructure are necessary.

The executive order was an excellent first step in the right direction. It required the National Institute of Standards and Technology (NIST), in collaboration with industry and other partners, to develop a new framework to improve the security and integrity of the technology supply chain. As a direct response, in February 2022, NIST published Recommended Criteria for Cybersecurity Labeling of Consumer IoT Products and Recommended Criteria for Cybersecurity Labeling of Consumer Software. The publications recommended cybersecurity labeling for consumer software and consumer internet connected devices that will give the public a clear indication of whether a device or software meets cybersecurity criteria.

One of NIST’s tasks is to “consider ways to incentivize manufacturers and developers to participate in these programs.” In other words, there is currently no intent to force vendors, big or small, to label their products. Similarly, the Cybersecurity and Infrastructure Agency (CISA) offers recommendations and tools for companies to maintain cybersecurity hygiene, but it has no enforcement capabilities. 

The guidelines outlined by CISA and by NIST are not surprising or onerous; rather, they build upon existing frameworks and incorporate lessons learned from cyberattacks. Following these standards would have prevented some of the most massive cyberattacks known to date. But they also require investment in better IT practices, additional software and, oftentimes, new hardware development.

To ensure companies invest in better cybersecurity, the U.S. must require all companies to go through a yearly audit to certify their IT infrastructure and obtain a cybersecurity label for their products. Companies that do not meet the certification criteria ought to face financial penalties. At the same time, the U.S. government should embark on a campaign to educate the public on the security labeling, so the public avoids purchasing products that lack a cybersecurity label and, therefore, have not met the criteria.

The ransomware attack on the Colonial Pipeline in 2021, which caused power outages across the East Coast, demonstrates the importance of following the guidelines. According to Bloomberg, a hacker got hold of a password to a single VPN account and through that account was able to take down the largest fuel pipeline in the U.S. This attack could have been prevented if access to the VPN required multi-factor authentication, which adds an additional layer of identification on top of the password (as recommended by the currently voluntary CISA guidelines). 

In another such example, on Oct. 21, 2016, a service provider called Dyn was targeted by a series of cyberattacks. The result was a massive internet outage affecting websites such as Amazon, PayPal, Walgreens, Visa, CNN, Fox News, Wall Street Journal and the New York Times. The attack was carried out by Mirai malware that took control over internet-connected devices such as cameras, DVRs, routers, printers and VOIP phones. These devices come out of the factory with a hard-coded default user and password. Mirai scanned the internet for the devices and tried to access them through the known default username/password. It succeeded in gaining access to more than 400,000 devices. 

Using strong passwords and changing them regularly is a basic cybersecurity principle, one of the principles spelled out in the NIST labeling recommendations. The attack could have been prevented if vendors of the devices had enforced changing the default access setup upon activation.

One of the worst global cyberattacks to date, the 2017 NotPetya cyberattack, likely would have been diverted with better cybersecurity. The alleged Russian hack – which was largely directed at Ukraine but infected countries all over the world – infected computers via a backend vulnerability in the software update that had been present for six weeks prior to the attack. When the malware spread around the world, it impacted companies such as FedEx and Mondelez International, the maker of Oreos and Triscuits, which is headquartered in Chicago. Mondelez claimed damages of $100 million. The Russian invasion is happening on the ground in Ukraine, but cyberwar has no borders, and its ramifications have the devastating potential to spread globally.

When we think of America going to war, we think of defending American values and way of life. In this century, the American way of life is dependent on our use of technology and the internet. To preserve this, we must deploy the best weapon in our arsenal — regulatory enforcement of cybersecurity principles.

Talila Millman is a cohort member of the Progressive Policy Institute’s Mosaic Economic Project. She is a product and engineering leader with 20 years of experience identifying what products customers need and how to best deliver them. Talila has led product and engineering groups at Stanley Black and Decker, Harris, Infinite Convergence, Motorola and others.