How Public and Private Entities Can Fight Cybercrime

By Gregg Garrett

Gregg Garrett is Vice President of Cybersecurity and head of the Cybersecurity Community of Practice (CoP) and leader of the Cybersecurity Offerings & Solutions team for Peraton. He is also the best-selling author of 24 business books, including Cybersecurity in the Digital Age.

OPINION — For years, cybercrime was dismissed as an afterthought. Indeed, it wasn’t long ago that the FBI leadership famously dismissed it as “ankle-biter crime.” Clearly, that’s no longer the case. As our dependence on high-speed electronic communications has increased, the prevalence — and seriousness — of cybercrime has skyrocketed alongside it.

Worldwide, companies are now spending billions of dollars on cybersecurity hardware, software, and professional services. The global damages from cybercrimes are predicted to exceed $7 trillion in 2022 and grow at an annual rate of over 15%, according to Cybersecurity Ventures.

To increase safety all over the world, we need to prioritize cybersecurity by beginning all information technology (IT) and operational technology (OT) modernization projects with cybersecurity in mind. We also need to allocate more funding to cybersecurity, on both a public and private sector basis.

A Persistent and Spreading Global Cyber Threat

Over the last several years, cyberattacks have grown dramatically in their level of sophistication, magnitude, and frequency. One such example is the 2021 attack on the Colonial Pipeline, in which a criminal ring extorted nearly $5 million from a company that owns a vital 5,500-mile U.S. oil pipeline. 

As the digital world expands, so does the number of users, devices, and endpoints. In health care alone, it’s estimated that more than 27 billion Internet of Things medical devices will support this industry by 2025. More devices mean there is a larger cyber-attack surface area with more software-related vulnerabilities, which result in more entry points for bad actors. 

With that in mind, consider the potential impact of large-scale cyberattacks on the IT and OT systems that help us maintain our national energy grid, food and water supply, healthcare system, financial services, national security, transportation, and more. 

Federal Government Has Promoted Cybersecurity but Our Nation Still Struggles to Keep Pace

Thankfully, we’ve seen real positive movement in the war against cybercrime over the last several years. The Trump Administration created the Cybersecurity and Infrastructure Security Agency (CISA) as part of the Department of Homeland Security in 2018, and the Biden Administration has since expanded CISA’s role and provided hundreds of millions of dollars of additional funding.

On May 12, 2021, the Biden Administration issued Executive Order 14028, which included numerous cybersecurity mandates for all federal government agencies. 

These steps are commendable, but frankly, they are not nearly enough. For starters, cybersecurity executive order mandates for U.S. federal agencies are largely unfunded. Similarly, because most of our nation’s critical infrastructure is privately owned and operated on a for-profit basis, the government’s cybersecurity guidance is largely voluntary — thus not enforced.

On a related note, in 2019, the Trump Administration implemented the Cybersecurity Maturity Model Certification (CMMC) program within the U.S. Department of Defense (DOD), which requires companies in the Pentagon supply chain to pass independent security audits or potentially lose their eligibility for government contracts. The Biden Administration paused the CMMC program implementation. Now, two years later, there has been movement toward restarting a revised/simplified version called CMMC 2.0, but it hasn’t yet been contractually implemented.

Putting this supply chain risk management program for DOD cybersecurity into place would be a good step in the right direction for the federal government, but private companies have a responsibility here, as well. Their work should begin with a clear-eyed look at their cyberattack risk and subsequent financial liability: The average cost of a cyberattack in the U.S. is over $9 million, according to IBM, and many cyberattacks result in damages that reach into the hundreds of millions of dollars.

Five Recommended Cybersecurity Actions

Key actions that organizations can take to enhance their cybersecurity include:

  • Using flexible and scalable cyber ranges to train cybersecurity analysts via emulated networks and simulated cyberattack scenarios.
  • Deploying a proven cybersecurity protection, detection, and incident response system for OT and industrial control system devices.
  • Developing customized zero-trust architecture, which leverages data segmentation, creates micro-perimeters, and implements data segmentation gateways to improve data access control.
  • Reducing cyber-incident response time by implementing an advanced data analytics capability to streamline and simplify response and remediation.
  • Ensuring cybersecurity supply chain risk management via a proven effective Cyber Risk Radar using open-source data analysis with predictive analytics.

Once overlooked as almost inconsequential, cybercrime has become a pronounced threat to our day-to-day personal safety and national security. The effects of ignoring the growing cyber risks range from massive financial losses to catastrophic infrastructure collapse. 

Now is when we need to step into action and accept this as the massive threat that it is. Increasing cybersecurity funding and effort now will pay off dramatically in the long run, helping to keep everyone safer across our nation and the globe.

The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.  Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.