Why we need a fire code approach to cybersecurity

Let’s face it: The private sector isn’t getting the job done when it comes to cybersecurity. How many more Colonial Pipeline– and JBS-type incidents really need to occur to drive that point home?

The crescendo is building for a national standard for cybersecurity — and maybe even for some type of regulation — in the wake of increasing cyberattacks that are targeting a wide range of industries and paralyzing companies whose goods and services overlap with the public interest. 

This is the moment where many readers, with an arched eyebrow, might ask, “Is it really a good idea to have the government wade into this matter or to impose a national standard on every company doing business in the United States?”

Actually, it’s not as foreign an idea as it sounds if you look at a similar protective measure that has been implemented over the past century: the fire code.

After spending the better part of the 19th and 20th centuries taking a patchwork approach to safety requirements, all 50 states, the District of Columbia and every U.S. Territory has adopted a uniform set of standards from the International Code Council as a basis for their building or fire codes. 

In other words, you can’t just build a new condo development and say, “Sure thing, I’ll try not to make it too much of a death trap.” You have to build it to code. 

Notably, the insurance companies are on board, helping to align priorities. Someone who’s built a brand-new restaurant, office park, or split-level ranch house can’t get insurance for those buildings unless they’ve been built to code and comply with all the necessary standards. 

This creates a powerful incentive for builders to do the right thing and make sure buildings are compliant from a safety and standards perspective, which ultimately protects and benefits everyone.

Imagine if we had a similar sort of “cyber security code” for all the companies out there that are walking around with leaky security: one that said they needed to have a minimum level of security in place to do business  and in order to obtain cyber insurance.

At a base level, these minimum requirements should include several key factors: proper identity management, including multi-factor authentication, is a must. Mobile device management and virtual desktops are another way to significantly reduce the overall “attack surface area” and lessen risk. Patching is another must-have, even if patching is backward looking. Unpatched known vulnerabilities are a very easy target. Hackers understand that organizations cannot possibly stay current with necessary patches, so they deploy very simple tools to sniff for these vulnerabilities. 

Happily, we don’t need to completely reinvent the wheel when coming up with a model for what this base level of security should include or what it might look like.

For example, there actually is a fairly useful security standard in place already for companies that want to do business with several federal agencies, including the Department of Defense (DoD) and NASA, called NIST SP 800-171. It contains strict requirements around security controls and data protection for those companies and their suppliers.

Here’s the thing, though: NIST only applies to that relatively small slice of companies that cater to the DoD and those handful of other federal agencies; it certainly doesn’t apply to all the beef processors and oil pipeline companies out there.

Making something like NIST a national security standard for all companies would go a long way towards ensuring we had fewer companies walking around as easy marks for cyber criminals and other bad actors. (Likewise, it means fewer occasions when we suddenly see a spike in gasoline prices at the pump or an eye watering grocery bill because of supply chain disruptions).

Care must be taken, however, not to take a rote “checklist” approach to security where companies are simply checking the right boxes to show that they are “in compliance” and thus worthy of being certified at some level and of being insured.

Compliance does not equal security. It’s certainly a good start, but security threats are constantly evolving, and the bad guys are continually developing new platforms and technologies to launch attacks. As a result, the standards themselves need to be constantly evolving to keep pace with the current threat landscape.

The fire code wasn’t frozen in amber when it was first written. It became a living, breathing code that incorporated new elements on an ongoing basis — requirements for sprinklers, or fire escapes, or lighted exit indicators, or fire-resistant materials — as knowledge around safety and fire prevention increased. 

A cybersecurity code should be constantly evolving as well. Because unlike fire, which follows the laws of physics and has some predictability as to what will start a fire and what won’t, cybercrime is completely unchained from these “analogue world” constraints.

The sooner we can get a truly national cybersecurity standard in place, the better. Because as recent hacks, breaches and ransomware events have shown, we have arsonists walking around every day who’d like nothing better than to strike a match and then sit back and watch the world burn.

Michael Abboud is founder and CEO of TetherView, a leading private cloud provider.