It was late evening when the call came in to one of our law enforcement agencies. Nasdaq management was on the line asking for assistance with a security breach they had discovered. Within twenty-four hours, a joint Federal team was on the way to New York to provide support and begin the investigation. Shortly afterwards, I was in the White House Situation Room with other top officials to review what steps we needed to take to strengthen the security of our networks.
This intrusion taught us a few lessons about the shortcomings of our current cybersecurity system. For instance, we greatly appreciate it when corporate leadership alerts the Federal government to serious intrusions, yet there is no general national requirement that companies do so. In cases of cybersecurity incidents that can damage our critical infrastructure such as the electric grid or our financial, transportation, and communication networks – damage that can put our national security, public safety, and economic prosperity at risk – the Federal government must know what is happening so that it can take steps to bring adversaries to justice and help protect Americans.
Unfortunately, our critical infrastructure has suffered repeated cyber intrusions in the past year. Cybercrime, including online identity theft that hurts millions of Americans as well as the theft of intellectual property – American companies’ innovative ideas that are the lifeblood of our economic growth – continues to escalate. Many cyber intrusions could be prevented by implementing sound cybersecurity practices, but companies must be better motivated to make these investments. And while the Federal government continues to take actions to improve our nation’s cybersecurity under our existing legal frameworks, our laws need updating if we are to even the playing field with the cybercriminals.