Getting a spot at the table before a US Congressional Committee where you’re not getting raked over the coals for nefarious practices probably sounds like a great thing. Perhaps a chance to influence legislation. Although getting a bill through Congress over the past 40 years more or less has been a trip harder than a trek across Antarctica.
That obstacle did not deter Tenable CEO Amit Yoran from giving characteristically blunt assessments of the state of cybersecurity before the House Committee on Homeland Security about the need to protect OT and critical infrastructure against Russian cyber threats and how it should happen.
Take a look at some of his talking points:
- IT and OT sides of infrastructure move at different paces. OT needs to be more deliberate to avoid outages or other service disruptions.
- Mandating air-gapping of IT and OT systems is dangerous from both a business and operational standpoint.
- We need legislation that requires reporting of incidents and reporting of ransomware payments to CISA.
- It should be illegal for private industry and private citizens to hack back.
And a few quotes from his testimony today:
Unless we make a stand, unless we show our resolve, unless we demonstrate our commitment to a more secure future, there will be a hearing like this one, decades from now, wondering why responsible action wasn’t taken.
LAPSUS$ has shown that with only $25,000, a group of teenagers could get into organizations with mature cybersecurity practices. Consider Russia — with much deeper pockets, focus, and mission, targeting critical infrastructure. That should be a sobering, if not terrifying, call to action.
Government policy should not allow for “learned helplessness” by government agencies or private industry. There is too much at stake for individuals and organizations to remain negligent, not taking even the basic steps to improve their cyber posture and manage cyber risk proactively.
CISA has already recommended best practices that organizations can implement to prepare themselves from a cyber perspective through its Shields Up Initiative. These recommendations align strongly with the best practice recommendations of numerous security advocacy groups, industry associations, working groups and regulatory bodies. Organizations that fail to implement these basic steps should be held accountable.
The SEC’s Proposed Cybersecurity Risk Management, Strategy, Governance and Disclosure and the recently passed Cyber Incident Reporting legislation for timely and transparent notification of cyber breaches are the two actions that would most dramatically improve our cybersecurity preparedness as a nation. Requiring greater transparency of cyber risk practices and oversight forces companies to treat cybersecurity risk as business risk, and will lead to stronger cybersecurity governance and accountability among corporate leaders and boards. This results in more effective cybersecurity. Period.