This policy proposal suggests ways in which America can work to improve its cybersecurity protocols within certain critical economic sectors in order to decrease the risk of ransomware attacks. (The opinions expressed in this piece are those of the individual author, whose information can be found below.)
Big Picture:
Cybersecurity has risen to prominence as one of the world’s most critical issues, both in the public and private sectors. Ransomware attacks are constantly increasing in scope and frequency, while the cyber realm as a whole is poised to be the international battleground of the future. As such, it is imperative that the United States prioritize improving its cybersecurity capabilities across critical sectors of the economy.
Operative Definitions:
Important Facts and Statistics:
Four-Point Plan:
(1) Amend section II of the Strengthening the American Cybersecurity Act of 2022 to include cyberattacks of lesser magnitude. Under current SACA legislation, businesses that operate in industries deemed ‘critical infrastructure’ are required to report cyberattacks of ‘significant magnitude’ to CISA within 24 hours. While this is an important first step, much can be learned from regular attacks as well. CISA should collect as much data as possible in order to determine incident response plans and identify areas of weakness.
(2) Increase “Defend Forward” operations to disincentivize hacker groups from attacking. Currently, there are plenty of incentives for individuals and groups to hack critical infrastructure and few drawbacks. This is because the U.S. takes a primarily defensive approach to cybersecurity. However, once an attack is attributed to a particular actor, cyber retaliation would cause that actor to reconsider the costs of attacking again in the future.
(3) Establish legal standards for basic cybersecurity practices and penalize businesses that do not meet these requirements. Since improving cybersecurity capabilities is extremely expensive, companies are often willing to offload the cost of an attack onto their users, in the form of lost service or leaked private information. CISA should set basic requirements and punish those who do not meet them in order to incentivize companies to bolster their defense mechanisms. The threat of a fine changes the calculus for organizations and ensures that it is in their best interest to invest in security.
(4) Create an organization dedicated to cyber-coordination. SACA requires companies to report cyberattacks to CISA, which ideally would create a database of attack strategies and responses that are available to all relevant actors. However, since CISA is responsible for nearly every aspect of government-level cybersecurity, a separate organization should be created that is devoted to coordinating responses before, during, and after cyberattacks. This will ensure that agencies and businesses are notified of imminent threats and can react swiftly.
Acknowledgments:
The following student(s) worked on this nonpartisan proposal: Vedant Vamshidhar, University of Southern California