Unintended Consequences of the Red Line Cyber Warning
Stevan Bernard, CFE
Chief Executive & Founder @ BG LLC | Protection Professional (people, data, property) | Crisis Responder | Cybersecurity Educator | BCP/CM | International Keynote Speaker | vCSO | Consultant & Confidant
President Biden's recent proposal to President Putin appears to have defined much of our nation's critical infrastructure as "off limits" to cyberattack. This will likely spawn a similar list from Russia. It seems unclear whether espionage would be included. It is also unclear how severe our response would be and whether it would include our military. Both countries agreed to begin a dialogue that ultimately creates a management framework. The fact that we've agreed to consider this should be a positive step. Done right, this could extend to other countries, both friendly and not so.
While we no doubt need to begin the dialogue, let's just hope that the private sector doesn't quickly become the unintended 'prey of choice.' By stating what is off-limits, you've also implied what is at least "more acceptable."
So, what's on the horizon for the private sector? The President's Executive Order will not only place greater cybersecurity standards on US Government entities but also on its third-party supply chain providers. The development and product life cycles will require clear disclosure if you want to sell hardware/software to the USG. The SEC and Congress are exploring mandatory incident reporting requirements for any company breached, perhaps within 24 hours. Congress also wants to place more of the blame where it belongs, on companies that have taken a laissez-faire approach to the safeguarding of their digital assets. We may see changes in how cryptocurrency exchanges are accounted for. Ransomware payments may have greater restrictions. For example, taking more than $10,000 in currency outside of the United States without first disclosing it is illegal. Illicit payments in violation of FinCEN and OFAC policies will see closer scrutiny. Boards may be required to on-board a cybersecurity expert. Insurance premiums and requirements are already increasing exponentially. Shareholders in public companies will expect greater focus and accountability. Because government cyber capabilities far exceed those of private business, we will likely see enhanced partnerships and information sharing, to include investigative assistance and even foreign diplomacy. Agencies such as NIST and CISA will see increased funding.
Enough really is enough! It's great to see the beginnings of a more concerted effort.