Report: Private Sector Lags Federal Government on Cyber Hygiene

The private sector is lagging far behind the federal government on implementation of a key cybersecurity practice that makes it harder for attackers to send e-mail impersonating an organization's domain, according to the 2019 annual report of the White House Council of Economic Advisers. “The federal government is more prepared than the private sector to protect against phishing attacks, which are a primary method for hackers to gain access to enterprises,” said the report, which was issued yesterday.

A binding operational directive issued by the Department of Homeland Security in October 2017 (BOD 18-01) required federal agencies to publish domain-based message authentication, reporting, and conformance (DMARC) policies in DNS that instruct receiving mail servers, including those run by the major mailbox and Internet service providers, to reject messages that fail SPF or DKIM authentication and alignment, the report noted.  DHS says that a large number of civilian federal government agencies met a 2018 deadline to deploy DMARC (TR Daily, Oct. 16, 2018).
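To make concrete what a DMARC policy actually tells a receiving mail server to do, here is an added example that is not part of the TR Daily article or the CEA report. It parses the TXT record a domain publishes at `_dmarc.<domain>`, applies the identifier-alignment rules of RFC 7489 to SPF and DKIM results, and returns the disposition a receiver would apply. It also checks whether a record meets the directive's end state of a blocking (`p=reject`) policy. The domain names and records are constructed stand-ins for DNS answers so the code runs offline; treating the last two labels as the organizational domain is a simplification (real receivers consult the Public Suffix List), and `pct` sampling is left out of the disposition so results are deterministic.

```python
"""DMARC policy evaluator (added example; not the article's or the report's code)."""

# Constructed stand-ins for DNS TXT answers at _dmarc.<domain>. Hypothetical domains.
DMARC_RECORDS = {
    "agency.example": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@agency.example; adkim=s; aspf=s",
    "corp.example": "v=DMARC1; p=none; rua=mailto:reports@corp.example",
    "shop.example": "v=DMARC1; p=quarantine; pct=50; sp=reject",
    "nodmarc.example": None,  # domain publishes no DMARC record at all
}


def parse_dmarc(record):
    """Turn a DMARC TXT record into a dict of tags, filling RFC 7489 defaults.
    Returns None when the text is not a usable DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment
    tags.setdefault("aspf", "r")       # relaxed SPF alignment
    tags.setdefault("pct", "100")      # apply policy to all failing mail
    return tags


def org_domain(domain):
    """Simplification (assumption): last two labels form the organizational domain.
    Real receivers use the Public Suffix List to handle e.g. co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match with the RFC5322.From
    domain; relaxed ('r') accepts any domain in the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup_policy(from_domain):
    """Record discovery: the From: domain itself, else its organizational domain
    (whose sp= tag then applies). Returns (tags, is_subdomain)."""
    tags = parse_dmarc(DMARC_RECORDS.get(from_domain))
    if tags:
        return tags, False
    parent = org_domain(from_domain)
    if parent != from_domain:
        tags = parse_dmarc(DMARC_RECORDS.get(parent))
        if tags:
            return tags, True
    return None, False


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Evaluate one message. spf_result/dkim_result are "pass" or "fail" from the
    underlying checks; spf_domain is the MAIL FROM domain SPF authenticated and
    dkim_domain the d= of a verified DKIM signature. Returns "none" (no policy
    published), "pass", "monitor" (p=none: failure only reported), "quarantine"
    or "reject"."""
    policy, is_subdomain = lookup_policy(from_domain)
    if policy is None:
        return "none"
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"  # DMARC passes if either authenticated identifier aligns
    action = policy["sp"] if is_subdomain else policy["p"]
    return "monitor" if action == "none" else action


def blocks_unauthenticated_mail(domain):
    """The directive's end state: p=reject. A pct below 100 applies the policy
    only to a sample of failing messages, so it is treated here (assumption)
    as not fully blocking."""
    tags = parse_dmarc(DMARC_RECORDS.get(domain))
    return bool(tags) and tags["p"] == "reject" and tags["pct"] == "100"


if __name__ == "__main__":
    # Spoofed mail from an attacker's server fails both checks at every domain;
    # only agency.example's p=reject policy actually tells the receiver to block it.
    for domain in DMARC_RECORDS:
        print(domain, dmarc_disposition(domain, "fail", "attacker.example", "fail", ""),
              "blocks:", blocks_unauthenticated_mail(domain))
```

The second assertion below is the case practitioners most often trip over: with strict alignment (`aspf=s`), an SPF pass for `mail.agency.example` does not count for a `From: agency.example` message, so the mail is rejected even though SPF itself passed. Relaxed alignment, the default, would have accepted it.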

“Government agencies’ use of the DMARC e-mail configuration is 47.9%, which is better than the average of 26% in the private sector,” the CEA report said.  “Though adoption of DMARC is only one of many indicators of cyber hygiene . . . these results nonetheless suggest that federal cyber best practices could set an example for the private sector.”

The report indicated that “incomplete incentives” could be contributing to the private sector’s lack of cyber hygiene.  “Evidence on the lack of many basic cybersecurity practices among the most profitable companies in the U.S. economy suggests that a lack of information awareness and a lack of resources are unlikely to be the primary culprits behind existing vulnerabilities,” it said.

It noted, among other things, that a comprehensive and flexible cybersecurity framework produced by the National Institute of Standards and Technology had been available to businesses since 2014 and that sector-specific cyber threat information-sharing mechanisms had grown more robust in recent years, but that many companies did not participate.

“The degree of competition in the marketplace is an important moderating factor that determines whether a firm participates. In particular, unless firms in an industry understand the downside associated with their vulnerability to cyber attacks, they may not realize the gains that can come from collaboration through information-sharing,” the report said.

“Information-sharing and dissemination of best practices must remain a priority, particularly for small businesses that are more likely to lack the resources or infrastructure to search out and implement best practices. In particular, information needs to be publicly available, transparent, and shared to disseminate best practices and call attention to dangerous practices,” it added.

“The prevalence of cyber threats suggests that firms are relatively unprepared to protect themselves,” the report said, citing several academic studies.  “In 2017 nearly three-quarters of organizations based in the United Kingdom, the United States, Germany, Spain, and the Netherlands failed basic cyber readiness tests.”

“Even though the United States ranks higher than most countries in cyber readiness, its preparedness is still poor enough to concern policy-makers studying the impact of cyber insecurity on the U.S. economy,” it said.  “Data show that the majority of Fortune 500 companies are vulnerable to cyber attacks, and thus fail to take even the most basic security measures.”

“Given the limited preparedness among Fortune 500 companies — manifested by not only the failure to adopt DMARC, but also a range of other cyber vulnerabilities . . . an additional concern is that smaller firms may have even less robust cybersecurity measures in place,” the report said. — Tom Leithauser,

Courtesy TRDaily