Is the NSA responsible for the WannaCry virus attack? Microsoft certainly seems to think so: its chief legal eagle pointed the finger last month, claiming that the practice of hoarding cyber-security exploits at the NSA and other security agencies makes it too easy for that information to fall into the wrong hands. But now James Lewis, senior vice president at the Center for Strategic and International Studies, takes it a step further and calls for worldwide electronic security regulation.
The recent rash of malware, ransomware, and other digital sabotage affecting global systems seems like a new age of electronic warfare. But the sober truth is that none of these attacks are anything unique. The defenses against them are common-sense practices any IT professional should know by heart. When companies don’t take these steps to secure their networks, it hurts everybody – much as a lack of herd immunity can allow a few unvaccinated people to set off a pandemic.
In New York state, such regulations are happening already. New York regulations require financial-service firms to hire a chief information security officer who is required to document company security plans. In addition, regulations require companies to report all breach attempts to the New York Department of Financial Services.
A whole lot more finger-pointing is going on than just between Microsoft and the US intelligence structure. Microsoft’s Brad Smith devoted his recent speech at RSA Conference 2017 to proposing a “Digital Geneva Convention,” a worldwide consortium to agree to a set of cyberwarfare standards. It’s likely to prove difficult to get every country to come to the table on this issue; Russia, for one, seems to shrug off international cooperation of late.
But at the very least, corporations with considerable network security exposure should be looking out for their own best interests in fending off hacking attacks, and yet they do not. Instead, every company seems to be content to do nothing and hope it doesn’t get hit next. Any IT professional knows the frustration of explaining to management that the budget and resources for cybersecurity need an increase, or that the company’s network infrastructure needs an upgrade. If more states regulate cyber-security standards, perhaps finally some of those CEOs will see the light.