The Colonial Pipeline ransomware attack has prompted soul-searching debates about what we need to prevent the next attack. Commentators have questioned whether cybersecurity best practices are enough, or whether government standards, from the Cybersecurity Maturity Model Certification (CMMC) to President Biden’s executive order, will actually be effective.
They are, and they will be — if they’re enforced. Ira Winkler expertly dismantled the argument that best practices don’t prevent cyberattacks, pointing out that true best practices not only prevent attacks but are also designed to respond to them to reduce risk and limit damage.
Of course there’s no standard or best practice that claims to prevent every attack. But that’s hardly proof that those standards are ineffective. Seat belts don’t prevent car accidents and smoke detectors don’t prevent fires. But they limit the potential damage, lower risk, and alert us early enough to save life and property.
Many cybersecurity standards have monitoring, alerting, information sharing, and incident reporting requirements built into them. They don’t stop 100% of all attacks, but they do position us to more quickly respond, build resilience, and share information related to these incidents with the broader community.
The real problem with best practices isn’t that they don’t work. It’s that so few organizations implement them and few have any incentive to do so.
Imagine if OSHA guidance were recommended but never enforced with inspections or fines. Imagine if no one actually checked to make sure car manufacturers install seat belts in every vehicle or to make sure drivers use them. In both cases, we’d have a lot more preventable injuries and deaths. This is exactly what’s happening in cybersecurity.
From CIS to NIST to CMMC, we have plenty of standards, frameworks, and best practices that we know work. Zero trust is the buzzword of the day, and we’re all talking about critical infrastructure, software standards, and supply chain cybersecurity. But how about enforcing the regulations we already have? Let’s see what happens when we actually implement the best practices that few besides the largest corporations on earth have in place.
President Biden’s executive order, with detailed timelines for implementation, will be the most successful accomplishment ever in cybersecurity, if only it actually enforces many of the regulations that have long existed for federal contractors. If the federal government stopped awarding contracts to non-compliant contractors, cybersecurity would improve exponentially overnight. Tying revenue to compliance is a surefire way to force private industry to make the investments they have largely avoided for decades. Instead of debating which law or standard might have stopped the latest attack, we should try actually picking a standard for a few years and seeing how much better we are for it.
But who is going to pay for it? We all are. We already are. Attackers have been shutting down critical infrastructure, stealing our data, and threatening our intellectual property. We need to stop treating cybersecurity like it’s some atom-splitting, mind-numbingly complex domain and transfer the kinds of thinking we’ve used in every other major industry so we can start solving this problem. No business complains that the price of office space includes the cost of meeting building codes and completing inspections.
Cybersecurity is too expensive for small businesses, some will argue. It’s not, and we should stop proliferating this falsehood. We don’t waive fire detection and prevention for small business storefronts, or allow upstart auto manufacturers to opt out of safety standards. We certainly shouldn’t deceive ourselves that cybersecurity is too expensive for small businesses.
Everything is too expensive until it isn’t. Cybersecurity is too expensive right up until the moment you get hit with ransomware, or can’t bid on a government contract, or are breached and liable for losing information that you were supposed to protect. Insurance is also expensive, but it’s a cost every business owner has to pay, for good reason.
Until recently, cybersecurity has existed outside the bounds of other safeguards we deem necessary. But it’s getting the same treatment as other standards we now take for granted.
Many balked at seat belts when they first appeared, cutting them out of cars in protest. Businesses have long railed against the regulatory burden of OSHA standards, even though they could save billions of dollars in workers’ compensation costs alone. Businesses have countless examples of embedded, accepted costs that reduce risk and improve safety. They’ve been enforced to the point that they’re now the accepted cost of doing business. Cybersecurity should be no different.
We hear a lot about the need for public-private partnerships, information sharing, and incident response reporting, and the good news is that we already have all of that and more in an operational model that has been in place for more than a decade. The Department of Defense (DOD) has been doing all of the above with its supply chain, the defense contractors, since at least 2008. The DOD model lacked a key component, auditability: the Achilles’ heel of the program was that defense contractors could self-certify as compliant, and many did despite not being compliant. CMMC changes that, and now third-party audits will be mandatory before a defense contractor can take any DOD contracts. Inspecting defense contractors for their ability to meet cybersecurity minimums pre-award is common sense. Your car requires an inspection before you can drive it, right?
To learn more about CMMC and how contractors — primes and subs, large and small, foreign-owned — are handling the standards and requirements, as well as the evolving compliance landscape, join us on September 29, 2021 as CMMC Con returns with an all-star lineup to provide hands-on, actionable compliance strategies to the thousands of small- and medium-sized defense contractors in attendance. Register now.