Glenn S. Gerstell writing in NYT Opinion:

Last week President Biden warned Mr. Putin against Russian cyberattacks on the United States’ critical infrastructure. But American businesses aren’t ready for a war in cyberspace. Although Mr. Biden designated the Department of Homeland Security to lead what he vowed would be a forceful response to any such aggression, this isn’t enough. The D.H.S. doesn’t have the legal authority to order the private sector to follow its lead. More broadly, the federal government, even if warned by companies like Microsoft of incoming cyberattacks, doesn’t have the necessary infrastructure in place to protect American businesses from many of these attacks.

That the United States has to resort to threats of retaliation is itself a problem. America should already be cyberattack-proof, but coordinating these efforts across the country has been an uphill battle.

There’s much in this article that’s good – particularly the proposal to rationalise per-sector cyber regulation with a single, cross-sector cyber regulator. Simplifying the regulatory landscape would help US firms cut the complexity of understanding and complying with cyber obligations.

That said, I’m somewhat bewildered at the absence of any mention of software quality from the piece. Nothing about enforceable minimum standards and requirements (e.g., 2FA on email services), or fines for critical vulnerabilities, or even removing software liability waivers. Software remains the only industry where you can sell $1 bn worth of something to someone, offer zero guarantee that it works or is fault-free, and everyone seems to be fine with that. It seems surreal that the problem could be so critical that the regulators should be unified and the private sector should have its cyber defences regulated, but that we would still do nothing to regulate the root-cause issue: software vulnerability (in code or configuration).

The weekly reports of ransomware attacks and data breaches make it clear that we’re losing this battle.

This is a common assertion, but there’s not much evidence for the claim. Since the early 2000s there has been a constant battle with cybercrime, but the criminals are not winning. Instead, there’s an equilibrium point that moves as attackers and defenders each improve. The widespread adoption of cyber insurance moved that equilibrium point, making it more practical for criminals to attack companies (rather than just consumers). Attacks on companies for multi-million-dollar ransoms are far more newsworthy than small-scale fraud, so public awareness has been easier to raise; that creates the impression that the problem is bigger than before.

(Thanks to James for the prompt.)