The world has a big cybercrime problem: the kind of problem that costs roughly $445 billion a year globally and triggers an annual loss of 200,000 jobs in the U.S. alone, according to a new report. It’s a problem compounded by poor data, partially because governments often don’t collect and report reliable information. So what should U.S. agencies be doing to fight back?
The answer is multi-fold, and can be as nuanced as the cybercrime problem itself. A lack of reporting regulations and practices, a bureaucratic structure and inadequate cybersecurity policies all contribute to a growing problem, according to experts.
“Government is a difficult participant in this debate. It is insufficiently nimble and overly hierarchical in a domain that is extremely distributed and dynamic,” said Paul Rosenzweig, CEO of Red Branch Consulting. “I think that government’s best successes come when it sticks to the things it does best – serving as a conduit for information-sharing, perhaps as a purveyor of information it is uniquely in [possession] of. It does have some competitive advantage in that it is capable of acting in ways some private sector actors are not presently permitted to in the U.S.”
Rosenzweig spoke as part of a panel discussing the release of a Center for Strategic and International Studies/McAfee report on the cost of cybercrime, held June 9 in Washington.
The information-sharing issue itself has many facets, dealing with sharing between agencies, the public and private sectors, foreign governments and others. Without that communication, not only are organizations forced to operate separately, but the global understanding of the cybercrime problem writ large also worsens.
“One of the reasons we keep harping on this is because if governments were producing accurate estimates of losses, it would have an impact on government policy as well as the policies of companies that take their cue from the government,” said Stewart Baker, partner at Steptoe & Johnson LLP and distinguished visiting fellow at the Center for Strategic and International Studies. “If governments produce numbers that underestimate loss, there’s a tendency on the part of companies to say, ‘it can’t be that big of a problem.’”
Public-private partnerships are a cornerstone in addressing cybersecurity today, but there remains room for improvement, especially when it comes to information related to cybercrime, said Tom Gann, McAfee vice president of government relations.
“It’s clear that there is a challenge in terms of getting good data,” Gann said. “One way to address that challenge in terms of partnership between private sector and governments worldwide [is] to report on cybercrimes and cyber attacks when they occur, to work together and truly analyze how those attacks were propagated and what can be done about them.”
To get to a point where better data is a reality, policy changes are likely in order, Rosenzweig noted.
“Where [the government] gets into difficulty and some of the failures is when it tries to see itself as the decider, the regulator, the setter of standards – it does that poorly and slowly,” he said. “To date we have done very little in incentivizing or requiring reporting of breaches that have adverse effects. It is the case that most companies won’t admit it -- they aren’t obliged to, and there are plenty of other incentives for them not to. Beyond that I think the government’s best role would be to get out of the way of the private sector in terms of actual activity in developing new tools to combat cybercrime. I don’t think the government is nimble enough to do that on a consistent basis.”