The Invisible Enemy
Cyber hacking reports have generally focused on victimized companies and what they should do to protect their assets from theft, litigation and fines, as well as protect consumer privacy and safeguard brand reputations. But as President Obama emphasized in February’s State of the Union address, the focus is shifting to far more serious threats — cyber attacks that would bring down the nation’s infrastructure. “We know hackers steal people’s identities and infiltrate private e-mail,” Obama said. “We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems.”
That was why, the president explained, he had just signed an executive order “that will strengthen our cyber defenses by increasing information sharing and developing standards to protect our national security, our jobs and our privacy.”
The order by itself is not enough to get the job done, he noted. “Congress must act as well by passing legislation to give our government a greater capacity to secure our networks and deter attacks.”
Creating mechanisms for sharing cyber threat and vulnerability information between the government and the private sector is of tremendous interest — and concern — to retailers. The retail industry doesn’t object to protecting “critical infrastructure” such as the electrical grid or oil pipelines against cyber threats, but merchants are worried about their supply chains becoming snarled in a new level of government bureaucracy.
There is also the possibility that any measure dealing with Internet security could become a vehicle to which lawmakers would try to attach unrelated data security bills that could subject merchants to new costs and liability when they are the victims of hackers. (Past proposals would have forced retailers to spend millions to provide credit monitoring for customers after an incident, or to reimburse banks for the cost of reissuing cards.) And Congress might also try to add consumer privacy provisions that would hamper retailers’ ability to offer high-tech innovation to better serve customers.
“Cyber security legislation includes the laudable goals of increasing information sharing between the government and private sector, but the goals underlying the cyber security legislation and data breach notification legislation are fundamentally contradictory,” National Retail Federation senior vice president for government relations David French told members of the Senate in a letter. “Thoughtful examination and comparison of these pieces of legislation reveal that they are not properly aligned.”
As for consumer privacy, protecting customers’ information is retailers’ chief concern, but NRF believes self-regulation that allows retailers to quickly adapt to rapidly changing technology is the most effective approach.
Half a dozen cyber security bills — apart from measures on credit card data security or consumer privacy — are pending in Congress this year. While most are focused on “critical infrastructure” rather than retail, a key issue is how that term will be defined. Some lawmakers have favored spelling it out as a matter of law, while others have preferred giving the Department of Homeland Security leeway to set the definition — and NRF is concerned that a DHS definition could be expanded beyond traditional infrastructure to include retail supply chains. If the nation’s food supply, for example, were deemed “critical,” supermarkets might be included, along with other retailers that sell food.
While legislation would carry more authority than what the President can do under his executive order, there is debate on whether businesses’ sharing of information with the government would be voluntary or mandatory.
“Once the government applies voluntary standards, there will be a number of players who will say voluntary becomes mandatory,” says Washington, D.C., lawyer David Z. Bodenheimer, who specializes in cyber security and privacy at the firm of Crowell & Moring. Another fear, he says, “is that once standards are carved in stone, the technology will move way too fast and the standards will not be able to keep up.” Some companies are “quite opposed to having the government have any hand in setting standards.”
Also of concern is whether “safe harbors” built into legislation would provide sufficient protection against lawsuits for retailers or other companies that share sensitive information with the federal government.
Without adequate safe harbors, businesses “will worry that if a cyber breach happens after they’ve shared sensitive information, they could be sued by shareholders or banks or scrutinized by the FTC,” Bodenheimer says. “The less risk from disclosures … a safe harbor can provide, the more information that will be shared.”
Senate Commerce, Science and Transportation Committee Chairman Jay Rockefeller (D-W.Va.) says a survey of Fortune 500 CEOs he conducted last year found “many companies supported an increased government role” and support Congress’s interest in passing cyber security legislation. But he conceded that others raised “concerns about any new federal program that would set mandatory cyber security requirements [and] create obligations that would impact their ability to address cyber security issues in a flexible manner or duplicate efforts already underway.”
As retailers address these issues, they need to realize how “the hazards … are growing,” Bodenheimer says — cyber attacks are coming from an increasing number of directions. “It’s not just organized retail crime or individual hackers anymore,” he says. “It’s street gangs shifting from the more dangerous drug trade to identity theft, it’s individuals and/or businesses trying to uncover corporate secrets such as merger/acquisitions activities [or] new product innovations and it’s terrorists using identity theft to fuel their activities.
“As a result, any industry that holds consumer and/or corporate data is being targeted,” he says.
While hacking incidents against major retailers have drawn headlines, NRF has emphasized that retail data breaches have almost exclusively involved efforts to obtain credit and debit card numbers, not the attacks on “critical infrastructure” that President Obama described. Cyber security as a matter of national security and data security aimed at preventing credit card fraud are separate issues, NRF says.
Nonetheless, cyber attackers have become increasingly sophisticated. “For every advance in cyber security defense, hackers come up with their own advancements in breaching technology,” Bodenheimer says. “So cyber security is not a one-time investment. It requires an ongoing commitment, ranging from little things like patching your software to working with industry trade groups to identifying the latest best practices and doing ongoing training.”
He also stresses “the extreme value of retailers and industry associations like the National Retail Federation doing as much as possible to inform others about the threats posed by cyber hackers, and the actions that can be taken to defend against them.”
Years ago, businesses thought of cyber security “as a loss prevention function,” he says. “Today, given the frequency of cyber hacking incidents and its cost, cyber security is recognized as a management function, a corporate-level function.”