Feds must listen to the tech industry if they want to stop future WannaCry attacks
Cyberattacks are the newest and fastest growing threat vector to our national and economic security. Roughly 70 percent of businesses expect to be compromised each year; the estimated economic loss from cyber crime worldwide will reach $6 trillion by 2020. Economic loss aside, cyberattacks also pose a threat to the stability of our democratic institutions, the economic impact of which is impossible to quantify.
The global WannaCry attack, which many believe was launched by North Korea, reminded us that internet security needs to be a team sport. As news outlets detailed the rapid pace at which the attack spread from country to country, a security researcher found the WannaCry kill switch and disabled it.
Unfortunately, in today’s world, there is not enough teamwork between cyber experts to tackle this ubiquitous problem of cyber crime. The existing silos in both the public and private sectors pull in different directions depending on their competing interests. Communication is patchy and trust among stakeholders is fragile.
The first step to creating effective cooperation is enacting a robust and lasting Vulnerabilities Equities Process that spells out the need for governments to disclose network vulnerabilities to the private sector, rather than stockpiling them. It is essential that all stakeholders be represented in this process so that both benefits and costs are considered when choosing to disclose a vulnerability. Network and security vulnerabilities, such as WannaCry or backdoors to encryption, should not be unnecessarily stockpiled or mandated by governments.
Key to this process will be recognition that mandating backdoors to encryption technology — a forced vulnerability — is an outdated and dangerous concept. The WannaCry bug exploited a U.S. government-developed vulnerability and wreaked havoc on businesses and consumers as a result.
There are many who call for backdoors to be built into encrypted communications technologies on the premise that law enforcement agencies would be the sole entities with access. However, the inability to guarantee the absolute safety of vulnerabilities like those that led to WannaCry — no matter who holds the information — applies equally to the encryption debate. Any rules forcing companies to engineer backdoors in their products will increase the threat of cyberattacks and further destabilize our digital security infrastructure. The only solution is not to create these vulnerabilities in the first place.
When it comes to strengthening our digital infrastructure, there is a tendency in security circles to think that throwing money at the problem within a single silo will lead to a solution. Not so. Cyber criminals are too creative and too wily to be stalled by anything other than a full team effort.
In a high-functioning team, communication is frictionless and trust is mutual and resilient. In the internet security context, the players on this team should include our government, the private sector, and U.S. consumers. Each has a unique and equal role to play in defending the network, and it is time to break down the silos between them.
This is where the crowd comes in. It is well understood in security circles that some of the ablest first responders are independent security researchers. In order to protect the free and open internet, security researchers must be able to operate free from the scrutiny of government prosecutors who often miss the bigger picture and see security researchers as nothing more than malicious hackers. A better model would follow the example set by many Internet Association members, which is to establish bug bounty programs to reward so-called “white hat” security researchers who detect and responsibly disclose network vulnerabilities to companies.
At the Internet Association, we represent more than 40 of the world’s leading internet companies. These and other internet companies represent 6 percent of our GDP and over 3 million American jobs. For the sake of those jobs, and the millions of U.S. consumers who rely on the internet to go about their daily lives, it is time to pull together as a team. The sooner the better.
Michael Beckerman is president and CEO of the Internet Association (@InternetAssn), which represents America’s leading Internet companies.
This story has been corrected to accurately reflect the estimated amount of cyber crime in 2020.
The views expressed by contributors are their own and are not the views of The Hill.