We're taught early in life that making mistakes — as long as they aren't life-threatening — is not necessarily bad because that's how we learn, and that experience is one of the best teachers. It's how we learn from our mistakes, and how to avoid them in the future, that really matters. As Bill Gates put it, "It's fine to celebrate success, but it is more important to heed the lessons of failure."
We've had hundreds of colossally significant cybersecurity-related failures over the past couple of decades, and yet new attacks and exploits continue to be labeled by public officials, CEOs and the media as "unprecedented," "a reminder," "a seminal event," "a watershed moment" or, with mind-numbing frequency, "a wake-up call" — as if they are some kind of unique occurrence.
In fact, they are so un-unique that they've become routine. Unremarkable. Expected. The only true unknown is who the next victim will be. And yet we seem stuck in an endless "wake-up call" loop. The Russian cyber attack against Estonia in 2007 was called a "wake-up call," as was Yahoo's security breach in 2012 — by the hackers themselves. U.S. Rep. Dutch Ruppersberger called the 2015 hack of the federal Office of Personnel Management "a wake-up call," and the Obama White House said it "has the potential to be a seminal test case for the government's developing deterrence efforts." Now we are hearing that the recent SolarWinds attack "is a wake-up call for taking cybersecurity action."
If you want to immediately lose credibility with a cybersecurity professional, call a cyber event "unprecedented" or "a wake-up call." As Richard Stiennon, author of a number of books including There Will Be Cyberwar, told me, "Every attack is a wake-up call!" In a 2017 Heritage Foundation article, David Inserra wrote that "when it comes to cybersecurity, the U.S. is stuck in its own 'Groundhog Day.' But a happy ending may not be in the cards. Unlike the weatherman, it's not clear that we are learning from the past."
But learn we must, and collectively. The next incident may arrive through a fresh zero-day or a new strain of ransomware, but the vector hardly matters: by now every security event is, of course, a wake-up call, which is exactly why the phrase has lost its meaning. Meanwhile, government organizations are bearing the costs and citizens are bearing the disruption of constantly reacting to adversaries who have far more time and resources than any single government security team can muster.
Just a few years ago, the federal government was solely responsible for dealing with cyber aggressors from nation-states. Fast forward to 2021, and every government organization in America is fighting for its cyber life in battles where it is vastly outmanned and outresourced. The nonstop embellishment of security breaches with terms like "clarion call" simply diminishes the very real challenges and unique cybersecurity dynamics facing governments today. While it's obviously critical to respond to major breaches like the SolarWinds and Microsoft Exchange Server events, too often we become so focused on the latest attacks that we lose sight of ensuring that we're prepared for the next big one.
There are some hopeful signs, at least from the private sector. A recent Gartner report predicted that "by 2025, 40 percent of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member, up from less than 10 percent today." What about government organizations? Shouldn't states, counties and cities have the equivalent of a cybersecurity subcommittee that reports to leadership? It's not like we need more evidence that cybersecurity risks are real. "I'm not sure my elected officials even know my name," one government chief information security officer told me recently. How is that possible in 2021?
We don't need any more wake-up calls. The question is, are we awake? If we can agree that cyber events are no longer unprecedented but rather the cost of operating in the digital world we live in today, public officials and security leaders need to do better. Here are some recommendations:
• Every government leader must know the name of their CISO and meet regularly with the security leaders of their organization. And "regularly" means more than once a quarter for 15 minutes. I'm a firm believer that the CISO should have direct access to government leaders to avoid any unintentional (or intentional) filtering of the security message. Cybersecurity is a tough business, and sometimes the security message is a bitter pill. Far too often politics or personalities get involved, and government leaders hear what someone wants them to hear rather than what they need to hear.
• Conduct cybersecurity exercises with mandatory participation by all layers of the chain of command. If everyone is not involved, how will they know how to react when the inevitable cyber event occurs? There have been a number of security events in recent years where government leaders, not truly understanding the problem, made things worse for the organization while making themselves look silly.
• If your government organization is responsible for citizen and consumer privacy-related data, you have a higher level of responsibility to your constituents. Citizens can choose whether to hand personal information to the businesses and venues where they shop and visit. They have no such choice about providing personal information to government. Those government organizations should have no higher priority than putting in place all the cybersecurity controls and qualified people necessary to protect that information.
The security events of the past 12 months — of which SolarWinds and Microsoft Exchange Server are only the most recent and highest profile — prove that there is nothing more important for government organizations than to be prepared for the unexpected. Calling these events "a wake-up call" for action is naïve at best and negligent at worst. We must do better.
Governing's opinion columns reflect the views of their authors and not necessarily those of Governing's editors or management.