An FDIC-style federal agency could help businesses protect themselves.
In recent weeks, the Biden administration has increasingly treated cybercrime as a national security issue. The topic headlined discussions at both the conference of leading industrial nations and President Joe Biden’s meeting with Russian President Vladimir Putin. And officials have vowed a broader response in the wake of last week’s ransomware attack on the Kaseya software platform, which affected over a thousand companies worldwide.
Almost simultaneously, federal law enforcement sent a powerful message about its capabilities by initiating efforts to recover bitcoin paid to certain cybercrime groups, including the successful recovery of some of the ransom paid by Colonial Pipeline, and by overriding access to certain foreign-backed websites linked to misinformation and theft.
These efforts are an important turning point in how the U.S. government engages with cybersecurity and state-sanctioned cybercrime. Still, diplomatic and law enforcement efforts, much like forward-looking regulatory solutions, do little to address a critical consequence of cybercrime that is affecting much of America today: the recent surge in cyberattacks is threatening to cripple businesses and hamstringing government at nearly every level, from hospitals to meatpackers, and from municipalities to federal agencies.
The result is a largely unaddressed disruption that threatens to pass substantial costs to the American people. Because of this, it may be time to treat cyberattacks as not just a national security issue, but as a national disaster.
The economic consequences of cybercrime are staggering. The FBI reported nearly 800,000 potential cyberattacks last year and, according to IBM, the average cost of a cyberattack to a company is just over $8 million. Due to underreporting of financial crimes, the FBI estimates the real number of cyberattacks could be nearly five times as high.
While some companies have insurance to help mitigate costs, others do not. Many small businesses, in particular, did not foresee themselves becoming the target of state-sanctioned hacking cartels. Either way, the cost of cyberattacks is being passed to consumers through increased prices or increased insurance premiums, at a time when inflation worries are already at the fore.
So how do we mitigate the cost of state-sanctioned cyberattacks? By treating them like the disasters they are and providing government-backed relief for affected businesses and insurers.
One approach could be to create an agency, or to task the Cybersecurity and Infrastructure Security Agency, to act as the cybersecurity version of the Federal Deposit Insurance Corporation. The goal would be to provide government-backed, mandatory cybersecurity insurance that could help cover remedial costs, such as forensic investigations and credit monitoring, in the event of a cyberattack.