Corey E. Thomas

In 2015, Chrysler issued a 1.4 million-vehicle recall to plug a security hole that could enable hackers to take over a car remotely. It’s the frightening reality that internet-connected systems in cars can present new vulnerabilities, which only stand to get worse as such systems proliferate and cars become more autonomous.

Reacting to this danger, Michigan lawmakers initially introduced legislation to make car hacking punishable by up to life in prison. But cybersecurity researchers argued that hacking for testing purposes can be a good thing because it reveals vulnerabilities—as it did for Chrysler—that can then be corrected by manufacturers. Therefore, placing a blanket restriction on car hacking could interfere with keeping the public safe.

It’s only through dialogue between industry and government that such thorny policy problems can be effectively resolved. Doing so is vital to the national interest as well as to individual companies, and boards of directors can play an important role in reviewing the work being done by executives and legal counsel to connect the company to the right partners in government.

Combating Cyber Threats Together

The ever-expanding complexity of cybersecurity drives a need for those with deep expertise to engage policymakers in informed discussion. Given that the increasing adoption of connected technologies makes cybersecurity vital to everything from manufacturing to healthcare, this discussion needs to take place across industries. That’s why lawmakers and regulators rely upon experts with specific industry expertise for input, factoring this advice into their final decisions.

This presents companies across a range of industries an opportunity to engage in meaningful conversations about the threats they are seeing. The board can play a role in encouraging that dialogue by asking its executives how they are engaging with government officials on information sharing, for instance.

Industry leaders can often spot areas for improvement in proposed regulations that others may miss due to a lack of expertise. For example, in 2013, officials aiming to stop the distribution of hacking technologies to oppressive regimes proposed broad new restrictions on cybersecurity-related software as part of the Wassenaar Arrangement, an international export control agreement.

At Rapid7, we foresaw that the new controls could actually compromise global security by blocking legitimate international organizations from accessing the tools they needed to stay secure. So we joined with other cybersecurity firms and experts to publicly comment on the proposed controls. After lengthy discussion, education, and effort—so often a prerequisite for complex issues—the export controls were recently modified to create new protections and exceptions for legitimate cybersecurity activity.

Being a part of the conversation helps avoid policies that are poorly executed or one-sided. And since good policies and a strong industry are in the best interests of each country, lawmakers around the globe often welcome that dialogue.

But what’s the best way for companies to engage? And how should directors oversee work done by their companies to actively work with national and international agencies on cyber issues?

Different Levels of Engagement

Corporate boards can play an important role by ensuring that engagement is incorporated into the company’s broader risk management strategy. Companies can opt into different levels of engagement for policy advocacy, much of it at negligible cost. And while official public-private partnerships generally require more significant resources, less formal opportunities for collaboration are in no short supply.

For example, many industries, such as healthcare, transportation, and the financial sector, have established information sharing and analysis centers (ISACs), providing resources for gathering information on cyber threats, coordinating with government agencies, and disseminating critical advisories.

Another example: Before government bodies issue a policy, report, or guidance, they often solicit public input and feedback. In fact, they’re often required to consider those comments in decision making. At Rapid7, we write letters and comment on policy drafts on topics that we feel are important to the business community at large. To engage on the low end of the bandwidth scale, however, companies can also simply sign on to letters or comments that others have opened to group signatures. Directors should consider asking what the company’s plans are for engaging in such action.

The board can also push the management team to make use of available educational opportunities such as workshops. One we recently attended centered on botnets and other automated attacks. The US Department of Commerce solicited public written comments and held a workshop where the public was encouraged to lend their opinions and expertise. This and other feedback will help shape the final report and subsequent action to tackle the problem.

Engagement for the Greater Good

Cybersecurity is critically important to every major industry. Policymakers want to hear from these industries about the issues they face, and how they overcome them. This provides an opportunity for businesses, experts, and consumers to positively influence policy for the greater good. Conversely, poorly implemented policies can be ineffective, inefficient, and even harmful.

In the case of the Michigan car hacking bill, nearly two dozen cybersecurity researchers, academics, and companies wrote a letter to Michigan legislators detailing concerns about the effect of the proposed law on cybersecurity. Ultimately, the lawmakers created new protections for security research carried out in safe conditions. Without sustained engagement between the business community and policymakers, the result would have been much different.

It may require some effort and even some expenditure of resources, but it is essential that experts at companies work to assist officials with crafting well-informed and effective policies.

Corey E. Thomas is CEO of Rapid7.