
By Jared Stancombe | Rising Expert for Cyber | July 20, 2023 | Photo Credit: Pixabay
The United States has failed to protect its small and medium-sized businesses from growing cyber threats. A new strategy from the federal government aims to change that.
In June 2023, Wendy Nather, the Head of Advisory Chief Information Security Officers (CISOs) at Cisco, spoke at the Cyber Civil Defense Summit in Washington, D.C. about the concept of the “cyber poverty line.” The topic has come up repeatedly at other cybersecurity and hacking conferences, such as ShmooCon and the Atlantic Council’s Cyber 9/12 Strategy Challenge. Nather defines the cyber poverty line as “the line below which organizations and people cannot effectively defend themselves from cyber incidents.”
The cybersecurity community has been aware of this issue for a while, but has had difficulty identifying effective and capable solutions that match the scale of the problem. Most of the organizations and companies that fall below the cyber poverty line are small and medium-sized businesses (SMBs), which are the backbone of the U.S. economy, making up 99.9% of all U.S. companies today. Yet SMBs have borne the responsibility of protecting their own data, networks, and systems for decades, and those assets are becoming increasingly vulnerable. According to Google, over half of SMBs were the victims of a cyber attack in 2022, such as a ransomware attack or a compromise of sensitive information. Approximately 60% of SMBs close for business within 6 months of a cyber attack.
Hackers Aren’t Basement Dwellers Anymore
In recent years, the cyber poverty line has risen significantly as cyber criminals use more sophisticated malware and services while information technology (IT) and cybersecurity budgets for SMBs face challenges due to rising operating costs, high staff turnover, and the cybersecurity workforce skills gap.
Black hat hackers, or criminal hackers who seek to maliciously exploit vulnerabilities and weaknesses to harm their victims, are rapidly growing in sophistication and complexity. While the stereotype of the “lone hacker” wearing a black hoodie and sitting in a dark room persists, it is dangerously outdated. The barriers to entry for black hat hacking have lowered to the point where less experienced hackers can purchase off-the-shelf capabilities and services. They can buy ransomware that can be customized to their victims from a ransomware-as-a-service (RaaS) provider. They can even purchase phishing-as-a-service (PhaaS) offerings, in which prospective black hat hackers buy a subscription to phishing software to gain initial access to their target networks.
This has left SMBs under the cyber poverty line, with limited IT and cybersecurity budgets, limited capabilities, and limited personnel, largely at the mercy of highly capable criminal organizations seeking to compromise their systems. Black hat hackers operate within networks and organizations that are incredibly resilient, relying upon illicit markets for the tools, expertise, and services they need to achieve their goals, and in doing so they put the backbone of the American economy at risk.
Small and Medium-Sized Business Cybersecurity is National Security
This is not, however, just about protecting small and medium-sized businesses. It also has important ramifications for our national security interests. Following Russia’s invasion of Ukraine, the banking and finance sector was incredibly nervous about retaliatory cyber attacks after the federal government implemented sanctions on the Russian government. In the near future, foreign adversaries may use targeted cyber attacks to disrupt supply chains in retaliation for U.S. actions, and those supply chains may include many vulnerable small and medium-sized businesses. This could take the form of ransomware attacks, denial-of-service attacks, or other types of cyber offensives aimed at disrupting business operations.
Nation-state actors, such as the Chinese Ministry of State Security (MSS) or the Russian SVR (Foreign Intelligence Service), could imitate non-state cyber criminal actors, using off-the-shelf products and services sold in black hat hacker markets to strike against SMBs in pursuit of their geopolitical goals. Conversely, cyber criminal groups may take advantage of products made available by unfriendly foreign governments.
The Cyber Poverty Line and the National Cybersecurity Strategy
The National Cybersecurity Strategy released in March by the White House Office of the National Cyber Director (ONCD), however, has finally set a path forward to address this issue. It shifts the responsibility for protecting information and systems away from those falling under the cyber poverty line and towards more capable private sector companies and government agencies, and it provides much needed market incentives aimed at the cyber poverty line. Given the prevalence of cyber attacks, the cyber poverty line is now a matter of national security, which the Strategy addresses through its call to “rebalance responsibility” and to shape market incentives through new regulations, laws, frameworks, and long term investments that make cyberspace safer and more secure.
The strategy outlines several key ways the federal government will coordinate more effectively with the private sector to provide SMBs much needed support and relief as cyber threats grow in sophistication and complexity. While the strategy predictably outlines an agenda to dismantle cyber threat actor groups and improve information sharing through government agencies such as the Cybersecurity and Infrastructure Security Agency (CISA), some of its more exciting points involve goals to shift responsibility by shaping market forces. These include holding data stewards accountable through legislation and new privacy standards and guidelines, and making software vendors that produce insecure software liable.
Cracking Down on Insecure Software and Shaping Markets to Reduce Cyber Risks
Organizations with relatively weak cybersecurity often take cybersecurity risks into account late in the software development process. Cybersecurity is essentially seen as a “bolted on” component, and sometimes security is only considered after software or a service is deployed into production. The National Cybersecurity Strategy addresses this by shifting liability for insecure software products and services onto vendors, holding them accountable through federal regulation and legislative action if they fail to take reasonable precautions during production. By making software vendors responsible for pre-production testing and for applying secure-by-design principles, these measures will allow SMBs under the cyber poverty line to feel safer once they go into effect.
Another issue that affects SMBs under the cyber poverty line is who owns their data and who should be responsible for responding to a cyber incident. SMBs use a variety of third party vendors that perform functions such as processing customer transactions, storing confidential information such as proprietary documentation, storing sensitive employee information in human resources databases, or storing sensitive customer information such as personally identifiable information. All these types of information are ripe targets for black hat hackers, who sell this data on dark web markets.
The National Cybersecurity Strategy addresses these third party risks by stating that data stewards, those responsible for processing, storing, and governing these types of data, are not being held accountable for effectively managing risk. This lack of accountability is the reason why 70% of SMBs close for business after a cyber incident: they, not their vendors, are currently responsible for incident remediation. The Strategy outlines ONCD’s intent to pursue privacy legislation and implement new standards and policies through the National Institute of Standards and Technology (NIST) to ensure that risks are transferred away from those under the cyber poverty line to those who are the most capable of managing them.
A Path Forward Out of Cyber Poverty
The 2023 National Cybersecurity Strategy outlines a path forward that allows U.S. small and medium-sized businesses under the cyber poverty line to receive much needed support against black hat hackers and to conduct business in a safer, more secure environment.
Through improved regulation that shifts market incentives to improve software security and makes data stewards responsible for protecting SMB data, SMBs below the cyber poverty line finally have the support they need. The cyber poverty line is now a national security issue, and failure to address it could significantly disrupt SMB supply chains, production lines, and business operations, with serious economic, social, and public safety consequences.
By defining a practical approach, the new strategy finally addresses this complex problem. If implemented effectively, with this new strategy in place, SMB owners can sleep easier knowing that their businesses are better protected.
Jared Stancombe is YPFP’s 2023 Rising Expert for Cyber. He is Senior Associate at PricewaterhouseCoopers.