At a glance.
- Advocating for a top-down cultural shift in private sector cybersecurity.
- FDIC cybersecurity monitoring found insufficient.
Advocating for a top-down cultural shift in private sector cybersecurity.
Foreign Affairs takes an in-depth look at the private sector’s role in bolstering the US’s cybersecurity prowess. While tech developers and retailers continue to profit from a steady increase in market demand, the burden of ensuring that the products and services are secure is largely carried by consumers. The author posits that the US is in need of a cultural shift that puts responsibility for product cybersecurity in the hands of businesses, and more specifically CEOs and company boards. Like the automotive industry, manufacturers should take responsibility for ensuring their product is safe to use.
National Cyber Director Chris Inglis told Foreign Affairs last year that cyberdefense must be redistributed to those who are most likely to benefit from that security: company heads. A recent National Association of Corporate Directors survey found that 79% of public company directors felt their board’s understanding of cyber risk had significantly improved over the past two years, but that only 64% believed their boards were informed enough to provide effective oversight.
Government alone cannot solve this problem, but officials can play the key role of making safe tech design a priority and emphasizing that cybersecurity is a CEO-level business risk. The key is for the government to clearly define security expectations, calling out businesses that aren’t pulling their weight and applauding those that are.
The Biden administration has established software security requirements for federal contractors and is advocating for the establishment of security labels for Internet-connected consumer devices. The next step is to impose strict secure-by-default and secure-by-design requirements across all sectors that focus on outcomes and allow for newer or smaller organizations to be innovative in finding creative, cost-effective solutions. Cybersecurity oversight must be incentivized in order to make sure boards and directors are personally held accountable for security issues.
FDIC cybersecurity monitoring found insufficient.
The Federal Deposit Insurance Corp (FDIC), the agency responsible for overseeing the health of US banks, has several shortcomings in its cybersecurity monitoring, according to its inspector general (IG). The IG found that the data used by InTREx, the FDIC’s IT and cyber risk assessment program, is out of date. In addition, it determined that some agency examiners were not completing tests, that staff were not properly informed about cyberthreats, and that examiners were offered no training on reinforcing InTREx procedures. The inspector general has recommended nineteen actions to resolve the issues, but the FDIC submitted plans to complete only fourteen of those by the end of 2023, leaving five concerns insufficiently addressed. CyberScoop notes that when the FDIC’s former CIO resigned last year, he claimed he had attempted to modernize the agency’s operations, only to be met with pushback from FDIC staff.