Could CEOs Face Criminal Charges for Negligent Cybersecurity Standards?
The Colonial Pipeline Attack: An Authentication Crisis
If you live on the east coast of the United States, you are probably still facing the consequences of the Colonial Pipeline Attack: scrambling around to six or seven gas stations until you finally find some premium gas for over $3.00/gallon. Even though the pipeline has resumed operations following a cyberattack earlier this month, the east coast of the United States is still facing a gasoline shortage while the product delivery supply chain is resuming normal operations.
The Unexpected Aftermath of the Colonial Pipeline
For some corporate executives, the consequences of the Colonial Pipeline Attack could be far greater than overpriced gas. In the days following the Colonial Pipeline Attack, Senator Ron Wyden called for congressional action on private firms that operate in critical infrastructure sectors, according to a recent Gizmodo report by Dell Cameron. Sen. Wyden, a Democrat from Oregon, claims that the recent Colonial Pipeline breach should be a warning about how vulnerable US companies are to cyber attacks.
Sen. Wyden worries that “dangerously negligent cybersecurity” at critical US companies could lead to a higher frequency of more devastating attacks in the future. His solution is for Congress to mandate higher security standards for critical infrastructure companies. It is Sen. Wyden’s belief that any company that has the power to disrupt the lives of millions of Americans should be thoroughly audited by the US government so cybersecurity issues can be discovered and solved more promptly.
This perspective goes beyond President Biden’s recent Executive Order, which focuses on modernizing the cybersecurity standards for the government and its contractors. Sen. Wyden is pushing Congress to not only improve cybersecurity standards for the government and critical infrastructure businesses, but also to impose severe criminal penalties on CEOs who do not comply.
How Zero Trust Helps Companies Reach Higher Cybersecurity Standards
Zero Trust is a buzzword with which cybersecurity folks are quite familiar. In 2009, John Kindervag (Forrester Research) introduced the concept of a “zero trust model,” in response to rising security challenges.
Zero Trust can be summarized in four words: never trust, always verify. The main assumption Kindervag made is that traffic within an enterprise’s network cannot be more trustworthy by default than traffic coming from the outside. He was spot on, it turns out. After all, 60 percent of data breaches actually come from insiders.
Zero Trust is a security concept that requires all users, even those inside the organization’s enterprise network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted, or keeping, access to applications and data. This approach leverages technologies such as multifactor authentication, identity and access management (IAM), and next-generation endpoint security to verify the user’s identity and maintain system security.
Now, 81 percent of data breaches are due to password mismanagement. Concretely, this means that if at any point during the day you need to submit a username and password to access a system or an app to conduct business effectively, your organization is a sitting duck.
But that’s not all: even if you’re required to use 2FA or MFA solutions that still rely on passwords in any shape or form, your organization is also a sitting duck. So, how compatible are the Zero Trust security framework and the use of passwords for workforce authentication? The answer: They are not!
1Kosmos-BlockID: The Only Zero Trust Passwordless Authentication Solution
Zero Trust is impossible if a passwordless solution does not combine identity proofing with passwordless authentication and is consequently unable to reach the highest level of identity and authentication assurance under the NIST 800-63-3 guidelines, IAL2 and AAL2. The compatibility between Zero Trust and 1Kosmos BlockID can also be summarized in four words: never trust, really verify.
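To make the Zero Trust definition above and the IAL2/AAL2 requirement concrete, here is an added illustration (written for this page, not 1Kosmos or BlockID code) of a deny-by-default access policy that re-evaluates every request against identity assurance level, authenticator assurance level, whether a password appeared anywhere in the authentication chain, and the device's latest posture check. Network location is deliberately not an input, which is the "never trust" part. The resource names, thresholds and sample requests are constructed for the example.

```python
"""Added illustration (not 1Kosmos code): deny-by-default, per-request policy
evaluation in the Zero Trust style. Resource names, thresholds and sample
requests below are constructed for the example."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class IAL(IntEnum):
    """Identity Assurance Level, NIST SP 800-63-3 (how well identity was proofed)."""
    IAL1 = 1
    IAL2 = 2
    IAL3 = 3


class AAL(IntEnum):
    """Authenticator Assurance Level, NIST SP 800-63-3 (authenticator strength)."""
    AAL1 = 1
    AAL2 = 2
    AAL3 = 3


@dataclass(frozen=True)
class Policy:
    min_ial: IAL
    min_aal: AAL
    passwordless_only: bool
    max_session_age_s: int  # long-lived sessions must re-verify, not coast on login


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    ial: IAL
    aal: AAL
    password_used: bool     # True if any factor in the chain was a memorized secret
    device_compliant: bool  # result of the most recent endpoint posture check
    session_age_s: int
    network: str            # "internal" or "external"; intentionally never consulted


# Constructed policy table. A resource with no entry is denied outright.
POLICIES: Dict[str, Policy] = {
    "payroll": Policy(IAL.IAL2, AAL.AAL2, passwordless_only=True, max_session_age_s=900),
    "wiki": Policy(IAL.IAL1, AAL.AAL1, passwordless_only=False, max_session_age_s=28800),
}


def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every check must pass; nothing is trusted by default."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False, [f"no policy for resource {req.resource!r}"]
    reasons: List[str] = []
    if req.ial < policy.min_ial:
        reasons.append(f"identity proofing {req.ial.name} below required {policy.min_ial.name}")
    if req.aal < policy.min_aal:
        reasons.append(f"authenticator {req.aal.name} below required {policy.min_aal.name}")
    if policy.passwordless_only and req.password_used:
        reasons.append("a password was used somewhere in the authentication chain")
    if not req.device_compliant:
        reasons.append("device failed its latest posture check")
    if req.session_age_s > policy.max_session_age_s:
        reasons.append(f"session age {req.session_age_s}s exceeds {policy.max_session_age_s}s; re-verify")
    return (not reasons), reasons


# Constructed sample requests: an insider on the corporate LAN still using a
# password, a remote passwordless user, and the same remote user with a stale session.
INSIDER_WITH_PASSWORD = AccessRequest("alice", "payroll", IAL.IAL2, AAL.AAL2,
                                      password_used=True, device_compliant=True,
                                      session_age_s=60, network="internal")
REMOTE_PASSWORDLESS = AccessRequest("bob", "payroll", IAL.IAL2, AAL.AAL2,
                                    password_used=False, device_compliant=True,
                                    session_age_s=60, network="external")
STALE_SESSION = AccessRequest("bob", "payroll", IAL.IAL2, AAL.AAL2,
                              password_used=False, device_compliant=True,
                              session_age_s=3600, network="external")


if __name__ == "__main__":
    for r in (INSIDER_WITH_PASSWORD, REMOTE_PASSWORDLESS, STALE_SESSION):
        allowed, why = evaluate(r)
        print(r.user, r.resource, "ALLOW" if allowed else "DENY", why)
```

The point of the three sample requests is the ordering of trust: the insider on the internal network is denied because a password was in the chain, the remote user with proofed identity, a phishing-resistant authenticator and a compliant device is allowed, and that same user is denied again once the session has aged past the policy limit, which is what "continuously validated" means in practice.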
Again, pertinent user authentication is impossible without first indisputably proofing the identity of the user who is authenticating. We all agree that passwordless authentication is much safer than password authentication. But in terms of Zero Trust, most passwordless solutions do not cut it, because they do not combine indisputable digital identity proofing with advanced biometric, passwordless authentication. 1Kosmos BlockID is the only cyber security solution on the market that does this.