The impact of the recent Equifax breach is specific and wide-spread. First, 143 million people will have to interrupt their lives and choose one or all of the following: Put a credit freeze on their accounts at all three major rating bureaus, subscribe to a credit monitoring and/or ID protection service, create a monitoring account with the Social Security Administration, change every password on every account and replace their credit cards with new ones, requiring that they re-instate their billing information on all of their online accounts.
This is not just time-consuming and an enormous hassle, it costs real money.
Then what? Assuming your personal IDs have not already been used to charge debt, or medical treatment or opened up new credit instruments in your name, you are good to go … until the next breach. Then you will get to do it all over again.
Second, all 50 state governments along with the Fed are now drawing up legislation that will force all businesses to implement highly rigorous Cybersecurity protections, policies and processes and be able to demonstrate that they have done so, which may be great for the consumer but also represents another creeping entrée into government intervention and control.
Those who liked Dodd-Frank will love this. Those who believe in free-market capitalism will hate it.
Examining Dodd-Frank or Gramm-Leach-Bliley will illuminate how poorly the Federal government executes with what should be a simple regulatory mandate. Not only did GLBA place enormous and undue burden on businesses of all stripes, but it excluded the ones that needed the most oversight, i.e., large investment bank holding companies. Dodd-Frank improved the debt-equity balance by pushing banks to raise more capital but in the process it drained banks of their economic capital by prohibiting value-sensitive banking activities resulting in a decline of market price to book value for the biggest banks and actually pushing more of them toward insolvency. Two expensive and game-changing regulations that were poorly thought out and riddled with compromise, contradictions and incongruities.
Neither regulation accomplished their stated purpose, both created a slew of negative unintended consequences, yet both made a handful of politically motivated congressmen look really caring, beneficent and responsive to the little people.
If this is what lawmaking is now about, deal me out.
Third, public companies who cannot demonstrate that they have adequate detection and controls in place to prevent similar breaches will take a huge beating in the investment marketplace. Investors will be intolerant of cyber-vulnerabilities and they are going to have to know that there’s a good set of policies/technologies/processes in place to prevent, detect and to respond to these types of attacks. While it may be argued that this is their just deserts, the economic impact will be startling.
It is one thing to demand that a company show and tell their Cyber defense mechanisms, but it is entirely another to implement the mechanisms that actually work. Those that are capable of detecting and preventing advanced polymorphic malware in 2017 are few and far between.
The Cybersecurity industry is far behind the bad guys. The reason for this is pretty simple. When markets are allowed to develop in the absence of a central theme or fail to coalesce around leadership, they quickly become parochial silos and spend all of their capital on self-preservation. This applies equally well to religion, sports, entertainment, politics, the schoolyard and business. In the Cybersecurity business, we have developed over 400 separate products designed to exploit various technologies to solve very specific Cyber-threat vectors. None of these were developed with the intent to address a global threat driven by a unifying belief system or set of values. They were and are developed by people hoping to exploit a market opportunity. Which is as it should be.
But now, it is time for my industry to step their game up a few notches. As we have just seen, the threat from Cyber-attacks is very real and very present. The impact is now clear and costly. The next inconvenience may well be a crippled power grid, dam, communication system, air or sea port transportation infrastructure or military readiness.
Congress will do what it always does. It will take months and maybe even years to craft over-complicated and politically careful legislation that will miss the mark and bring with it lots of onerous and other-worldly requirements that will be difficult and costly to implement, along with equally onerous consequences. And in the meantime, the bad guys will continue to do what they do. But instead of getting worse, they will get even better.
The Cybersecurity industry has all of the tools required to address these threats at its disposal right now. We have highly advanced artificial intelligence and machine learning technologies, really smart, highly motivated and information security specialized people, and fully developed and matured Cybersecurity and Risk processes that when implemented will prevent 99% of these breaches. Some of the best hackers in the world work right here. We don’t need more regulations. What we need is an infusion of leadership.
An example of leadership is the Chinese government’s Belt & Road Initiative which has more than 60 countries spanning Asia, Africa, Eurasia and Europe signed up to share in developing three land routes and one maritime route for International trade along the old Silk Road. This initiative, also known as One Belt, One Road, correlated with deep Russian involvement, is possibly the most far-reaching and deep-thinking plan for the future. Regardless of how you feel about it, while our politicians bicker parochially over Melania’s footwear choices, the Chinese are way ahead in strategic thinking, decades ahead.
Whether Belt & Road reaches its full potential isn’t the point. It’s the very fact that there is global yet highly self-centered leadership which invites others in that should give Washington and the rest of us pause for thought.
We can’t win this cyber-war through free-market capitalism and we can’t win it alone.