Unlike national security threats, cybersecurity threats are much harder to track. There is no Jack Bauer hunting down imminent threats, no single organization providing us with lists of places we can and can't go, and no oceans separating hackers from hackees. As the Internet becomes more and more globalized, security regulations can't keep up — which means the responsibility falls to enterprises.
Regulators like the OCC and SEC partner with organizations like the FS-ISAC to provide guidelines that will hopefully someday be laws, but managers would be wise to think beyond these recommendations. Recently we studied the Monetary Authority of Singapore (MAS), an organization whose laws apply to institutions that conduct business in Singapore (and a setup other countries should consider emulating). With the increasing globalization of commerce through the Internet, the MAS guidelines are applicable to almost every major commercial enterprise — a harbinger of future international cooperative laws that will (hopefully) provide consistent regulations and means for prosecuting cybercriminals.
But not all countries boast such robust and comprehensive guidelines. In an effort to pressure more countries to implement guidelines and legislation, the FS-ISAC requires that any company seeking membership "cannot have its head office or have its primary business in a country that does not have laws targeting cybercrime or does not actively prosecute cybercriminals in their country."
As with all crime, cybercrime can happen anywhere. But it's a lot easier to commit when there are no domestic laws to work against. Hacking from remote locations without fear of legal repercussions makes cybercrime a lucrative and sometimes legal(!) way to make a living. What's more, to hack, you never have to get dressed or show up at an office.
If the biggest hindrance to hitting the hacking jackpot is not your government but your target's security software, making money while cross-site scripting in your underwear starts to sound like a rather appealing career. The FS-ISAC recognizes this and forces corporations seeking membership to pressure their governments into writing and enforcing laws targeting cybercrime. This top-down solution will ultimately lead to a safer worldwide web — but until the last country is on board, there are still plenty of ways to protect your enterprise from cybersecurity threats.
The Best Defense Is Good AppSec
Safety starts with a robust, comprehensive security solution. Great security is like having your own personal Jack Bauer hunting down threats and taking care of them before they reach your company's data. Most serial hackers face little pressure from their local governments; even where laws exist, sanctions and enforcement are still inconsistent at best. Instead of relying on foreign governments to prevent attacks, the best defense remains a good defense.
Understanding the complexity of the problem helps us understand the necessity of a solution. As the UN continues to meet its 2015 Millennium Goal to, "in cooperation with the private sector, make available the benefits of new technologies, especially information and communication" for all member countries, it ensures that bandwidth is increasing across the globe. The spread of the Internet is vastly outpacing the spread of cybercrime laws, leaving newly connected regions like much of Africa wide open to benign and nefarious users alike. Despite the staggering growth statistics of Internet use in Africa, only two countries (South Africa and Kenya) currently have cybercrime laws in place.
The time lag between threats and legislation is not unique to countries experiencing development booms. As hackers continue to find loopholes in laws, threats will continue to emerge from everywhere — including the United States. And even when laws exist, enforcing them is difficult when hackers use advanced techniques to deflect the sources of their attacks. So, while the FS-ISAC's goal of spreading cybercrime laws and awareness is a noble one, such crimes will continue to boast alluring paydays even where they are illegal. We all know the feeling of hiding behind the Internet (see the comments section on CNN or ESPN), which adds an air of invincibility to everything from arguing over which wide receiver is a better fantasy-football bargain to attacking major banks.
The Internet is unique in both its international vulnerability and the ways in which its users can protect themselves independently of domestic or global governmental efforts. With a comprehensive security solution that is constantly updating to ward off the latest attacks, cybersecurity threats can remain as distant as the people sitting in their underwear across the globe building them.