Last week, we learned that researchers had discovered two major flaws in the microprocessors of nearly all the world’s computers. The revelation came on the heels of a distressing series of major hacks: In 2017, Yahoo revealed that all of its three billion accounts were compromised, WannaCry ransomware shut down hospitals across the globe, and an Equifax breach affected approximately 145.5 million consumers in the United States. The news about these processor flaws — whose names, “Spectre” and “Meltdown,” appropriately convey their seriousness — is just the latest evidence that true digital security remains out of our reach.
But when these vulnerabilities are exposed and damaging attacks occur, there are few lasting repercussions. Almost without fail, stock prices bounce back, customers return, executives keep their jobs or exit with golden parachutes, and government mostly looks the other way. After the news of Equifax’s massive breach, for example, the company’s stock dropped roughly 35 percent. But it’s already recovered nearly half of its lost market value, and Fortune reported that the former chief executive officer Richard Smith retired with as much as $90 million in compensation. Resilience is one of the hallmarks of stable, mature markets, but something isn’t right here.
The tepid consequences are part of a growing problem. From a corporate governance and accountability perspective, cybersecurity today is being treated like accounting was before the fallout from the Enron scandal inspired the Sarbanes-Oxley Act’s increased standards for corporate disclosures. With the privacy and personal data of hundreds of millions of people at risk, and especially now with the increasing ubiquity of connected devices in our lives, the security of digital assets is too important for that kind of treatment. We need to bolster a culture of responsibility around cybersecurity, combining stronger and more uniform corporate governance with a clearer government commitment to enact better defensive policies.
A complex hack may not be a C.E.O.’s fault, but it is absolutely his or her responsibility. Investors and consumers need to demand more from the executives to whom they entrust their digital lives. The same holds true for government. Protection of the welfare and livelihood of its citizens is a foundational principle of government, and yet for more than a decade there has been very little consequence for nation-states and state-affiliated groups who’ve pilfered the intellectual property, and violated the personal privacy, of citizens and companies around the world.
Strengthening a culture of responsibility will require changes by both companies and the government. Last year, the New York State Department of Financial Services took a promising step by implementing new data-security regulations for certain financial companies operating within the state. It includes rules for reporting cybersecurity events within 72 hours, annual proof-of-penetration tests, and, by 2020, third-party assessments — all designed to increase accountability and remove the fog of uncertainty that often surrounds breaches. The federal government would be wise to follow New York’s lead and implement similar laws on the federal level. Without federal action in this regard, increased regulation of cybersecurity practices will happen anyway, but in a fragmentary and disjointed way. More uniform regulations can help a more uniform standard to emerge, providing companies with the predictability and certainty they need in order to evaluate their risk management and security investments the right way.
While more must be expected of companies, more should be expected of government as well. American businesses are under attack by our nation’s geopolitical adversaries, and by nonstate groups affiliated with them. Just imagine if American shipping companies were battling foreign navies, or if domestic airlines were fighting an adversary’s air force. This asymmetry locks the businesses into fights they cannot win.