Technology

Warren Buffett’s cybersecurity wake-up call — are we listening?

On May 6, the world’s richest and most famous investor called cyber attacks a bigger threat to humanity than nuclear weapons. “I do think that’s the number one problem with mankind,” Warren Buffett said during Berkshire Hathaway’s annual shareholder meeting.

But is the government listening?

{mosads}President Trump’s first four months in office have seen much promising talk about shoring up the nation’s cyber defenses — such as the administration’s reported intention to develop metrics to track federal agencies’ cybersecurity posture. Now is the time to harness these good intentions into concrete action.

 

The government needs to heed Uncle Warren’s warning and treat cybersecurity with the utmost urgency. Here are four steps the administration can take immediately to better protect the government and industries it regulates from cyber threats.

1. Place cybersecurity high on the SEC’s agenda.

Now that Jay Clayton has been sworn in as SEC Chairman, he should make cybersecurity one of his uppermost priorities. There are encouraging signs this could happen.

During his Senate confirmation hearing, Clayton — who had spent more than 20 years working for Wall Street companies on mergers, acquisitions and federal regulatory compliance — said he did not think public companies were providing investors with enough information about cybersecurity.

He also told the Senate Banking Committee he supports a Senate bill that would require companies to disclose whether their board of directors have a cybersecurity expert. “As I look across the landscape, discussion and understanding of cyber threats and their possible impact on companies, I question whether the disclosure is where it should be,” Clayton said.

All of this points to a deep understanding by Clayton that better transparency about cybersecurity to the marketplace — and appropriate oversight and accountability — should be key ingredients in making sure security is properly addressed. Making sure that becomes standard practice should be one of his major focus areas as chairman.

2. Appoint a senior cybsersecurity leader for every federal regulatory agency.

More and more private-sector companies are recognizing that cybersecurity protection needs to be a priority at the top of the organization, with active involvement by the CEO in security strategy and planning. Too often in the public sector, though, security is treated as an IT issue buried somewhere deep inside the bureaucracy.

Every regulatory authority in the financial, energy and healthcare arenas, to name just a few, should have a senior leader overseeing and coordinating its security policy and advising the agency head. The SEC showed the way here last June when Christopher Hetner, the former cybersecurity chief at Ernst & Young and GE Capital, was appointed senior adviser on cybersecurity to then-SEC Chair Mary Jo White.

These positions can raise the profile of cybersecurity within agencies and lead to better collaboration among different groups on measures to reduce risk. Other regulatory agencies should follow the SEC’s model by appointing a high-level executive for cybersecurity.

It’s encouraging that Trump’s pick for Treasury Department general counsel, Brent McIntosh, co-leads the cybersecurity practice at international law firm Sullivan & Cromwell LLP and has counseled clients on cybersecurity, data protection and financial data privacy governance policies. That’s the kind of leading expert every agency needs.

All of this isn’t to say more regulations are needed, it’s that cybersecurity and cyber risk need to be a prime focus at the top of regulatory agencies.

3. Finalize the executive order on cybersecurity.

Trump’s cybersecurity executive order has been a tantalizing coming attraction since an initial version was leaked by the Washington Post in January. The order is now on its fourth revision and, if reports are accurate, it will be worth waiting for.

The order is believed to emphasize a risk-based approach to security, have agencies employ the NIST cybersecurity framework, hold departmental secretaries and agency directors accountable for security and promote a government-wide initiative to modernize information technology that will include an emphasis on more secure systems. The order also contains a provision recognizing the importance of market transparency around cybersecurity disclosure.

The multiple iterations of the executive order suggest that the administration is carefully studying cybersecurity challenges. It’s time to finalize it so the actions can be executed.

4. Base decisions on data.

Policymakers and regulators need to incorporate more quantitative, objective cybersecurity performance data into the policy and regulatory process.

In early May, questions were raised over the National Cyber Security Alliance’s oft-cited statistic that 60 percent of small businesses that suffer a breach typically go out of business within six months. The figure has appeared in a House bill, in congressional testimony by federal officials, and elsewhere. But it doesn’t appear the study actually exists.

This illustrates that policymakers and regulators need more hard data if they are to effectively measure and manage cybersecurity. They tend to rely on reports and articles by third parties — some authoritative, some not — in trying to understand cybersecurity performance.

Just as we leverage labor and financial statistics in policy decisions, so too does more quantitative, objective data sources need to be integral in the process of formulating cybersecurity law and policy. The data exists; now it’s time for departments and agencies to start to use it.

Jake Olcott is vice president of strategic partnerships at BitSight, which provides companies with objective, evidence-based security ratings. He previously worked as legal advisor on cybersecurity issues in the Senate and House of Representatives.


The views expressed by contributors are their own and are not the views of The Hill.