This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.
In their 2019 book The Fifth Domain, Richard Clarke and Bob Knake note that the U.S. has basically not changed its cybersecurity approach since the Clinton Administration.
Given the recent events – SolarWinds, Microsoft servers, Colonial Pipeline, rampant ransomware attacks – it would be hard to argue that the U.S. strategy is working.
In fact, there is a very good argument to be made that the U.S. doesn’t really have a cybersecurity strategy; it has a disparate collection of tactics like information sharing and standards development – all quite important – but not really a strategy.
However, all that might be about to change as we prepare for the creation of the Office of the National Cyber Director as mandated in last year’s National Defense Authorization Act. Mr. Chris Inglis, a well-respected cyber expert, has been nominated to be the first director, and he has his first confirmation hearing this week.
According to the NDAA, the Cyber Director is charged to “lead the coordination of national cyber policy and strategy.” It’s interesting to note that the statute doesn’t actually say the director is in charge of creating a strategy – it just says he is to lead the implementation of the strategy. It is silent on whether he creates it or even coordinates the creation of a strategy.
Virtually every senior policy maker, from the Chairs of the Senate and House Homeland committees to the acting Cybersecurity and Infrastructure Security Agency director and the former CISA director, has said we need to re-think our approach to cybersecurity, and no one is going to be in a better position to do so than Mr. Inglis. Moreover, the new Office of the Cyber Director is designed to be the home where this rethinking turns into reality. As the sage said, every good plan eventually turns into actual work, and that is what the office is for.
Mr. Inglis, however, will miss this enormous opportunity if he defaults into the disjointed approach (I won’t dignify it with the term strategy) that mimics what we have been doing ineffectively for 30 years.
This begins with understanding that we really do need to have a public-private partnership.
No, I mean we actually have to HAVE a public-private partnership, not just say we should have one – as we have been doing for the last 30 years.
This means, for one thing, joint ownership over the process. Mr. Inglis should develop joint task forces covering specific cybersecurity policy issues.
Not tech issues. That’s CISA’s job. There are multiple such cyber policy issues that have received virtually no serious study and need to finally be addressed. For example, seven House committee chairs and ranking members last month wrote a letter saying that cybersecurity is no longer an IT issue – it is an economic and national security issue. Great, now let’s all get together and figure out how we approach this issue from an economic point of view – not the economic effects of cyber-attacks but the economic causes of cyber-attacks. How, specifically, can we bridge the gap between commercial-level security investments made by critical infrastructure and the national security needs that arise from nation-states attacking these private entities?
How can incentive programs used in agriculture, environment, pharmaceuticals, and other sectors be adapted to enhance cybersecurity in a cost-effective way for both industry and government?
Or how are we going to address the issue that smaller companies will never have the economies of scope and scale to deal with sophisticated attack methods, yet are critically vulnerable elements of our national supply chains?
There are a lot more economic issues to work through, but it’s not just the economics. Government itself needs rethinking. We prosecute less than 1 percent of cyber criminals. How do we fix that? Do we need to rethink the silos among law enforcement? (Spoiler alert – yes, but how?) Should our budgeting for cybersecurity be shared with the military and law enforcement? Dicey issue – but it needs to be addressed. Why do individual banks spend more money on fighting cybercrime than the FBI does? (And why did Attorney General Merrick Garland fail to mention cybercrime as a priority when he recently spoke to the House Appropriations Committee?)
And the new cyber director needs to look into regulation, starting with whether the current regulation works. Do we have any way of knowing? Can a more effective and efficient model of cyber regulation be adapted to the digital age?
What creative methods can be developed to finally address the massive and growing disparity between available cybersecurity positions and the people we need to fill them? Has this problem ever faced another industry? (More spoilers: yes.) Can we learn from how they solved it?
How can the private sector, with its broader experience, assist government in understanding and managing systemic cyber risks?
There are ideas for addressing all these issues floating in the cyber community, but government to date has shown little interest, preferring to fall back on the old tried-and-truly-failing methods and aggressively blaming the private sector for doing what government can’t even do with its massive powers to protect itself. That has got to stop.
The bad guys are after all of us, so we really need to actually develop a partnership. Mr. Inglis is in the best possible position to lead us all there. I, for one, am counting on him.