This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.
Whose job is it to secure cyberspace?
The U.S. Constitution clearly states that among government’s obligations are to “provide for the common defense and promote the general welfare.” However, it also states that the government is created by “we the people” implying there is more than a hands-off responsibility for the private sector to help achieve these goals.
This has never been truer than in the digital age when the cyber systems operated by both the private and public sectors to promote the general welfare are under constant attack and demand a modern, truly collaborative, defense model. This requires creating a cybersecurity policy and strategy by the Federal government to effectively fulfill its constitutional obligations and define a viable and appropriate role for the private sector.
When creating the joint industry-government Policy Leadership Working Group in 2017, DHS Assistant Secretary for Cybersecurity and Communications Jeanette Manfra noted that “government and industry must work together now more than ever if we are serious about improving our collective defense. We cannot secure the homeland alone and a company can’t single-handedly defend itself from a nation state attacker.”
Yet, after years of trying, the nature and degree of this relationship and each sector’s roles and responsibilities are still unclear. Some in government have argued that if a private entity has risk, it is responsible for securing itself from that risk. However, that sort of simplistic analysis fails to consider that in the information age private entities are regularly attacked by nation-state actors (and their affiliates) against which they can never hope to adequately defend, as the SolarWinds and Microsoft Exchange Server attacks proved.
Moreover, this “pass the buck” philosophy fails to acknowledge the well-understood fact that different entities assess risk in different, yet acceptable, ways. This is especially true when one considers how government and industry assess risk. Fully appreciating these facts of life is essential to crafting a pragmatic and effective collective defense strategy.
The National Infrastructure Protection Plan (NIPP), first crafted in the Bush-Cheney Administration in 2012 and then confirmed in an Obama-Biden Administration update in 2016, provides a thoughtful analysis that clearly delineates the appropriate role for private companies in providing commercial-level security and the point where national security concerns, and hence governmental responsibilities, take over.
The NIPP notes that industry and government have legitimate differences in how they assess and manage cyber risk. The private sector is responsible for commercial-level security, wherein each entity balances the financing needed to secure its systems against the investment needed to maintain growth and profit. That growth attracts private capital, creates jobs, grows the economy, and funds the government through the resulting taxes, all while providing citizens with goods and services.
The public sector has multiple additional security considerations the private sector does not have, such as national security, economic safety nets for the disadvantaged, and securing public services such as elections. These legitimate differences create a natural gap between the security the private sector can reasonably be expected to bear and what the government needs to fulfill. Chris Krebs, former Director of DHS’s Cybersecurity and Infrastructure Security Agency (CISA), noted at the 2018 DHS Cyber Risk Summit that “private companies fund security at a commercial level appropriate to their needs while the government funds at a higher, national security level. To create a sustainable ‘collective defense’ we must find a way to fill this economic delta.”
If policy makers develop and implement a policy and strategy to close this economic divide between funding at a commercial security level and funding at a national security level, we will be able to meet the challenges of nation-state attacks directed at private sector organizations, whether as the ultimate target or as an entrée to a larger pool of victims, including the Federal government.
It is true that a handful of companies with massive economies of scope and scale may be able to finance security at levels approximating a national security level (and after SolarWinds even that presumption is debatable). Even if that were true, it is not a practical option for most of the private sector. Such expenditures by the private sector would inherently divert resources from other pro-societal requirements commercial sectors must meet, such as innovation, capital formation, job creation, and overall economic growth.
It is the responsibility of the government, constitutionally charged with providing for the common defense, to fill this gap. If government attempts to shift this responsibility and exert greater control over private industry (e.g., through uneconomic security mandates), the unintended consequences would be disruptive to the other critical roles industry is charged with fulfilling, as well as being ineffective, as we have discussed in previous blogs. The 2017 joint industry-DHS Collective Defense White Paper concluded: “in a world in which reliance on critical infrastructure is shared by industry and government and where industry may be on the front lines of national defense, such as in a cyber-attack, a sustainable partnership must be developed to address both perspectives by finding creative mechanisms while taking into consideration the issue of limited resources for industry and government.”
The current interest in and momentum behind strengthening our Nation’s cybersecurity, fomented by the SolarWinds attack and the Microsoft Exchange Server compromise, should be directed towards filling the funding gap between commercial cybersecurity and national security. Congress and the Biden Administration can begin this process by developing sector-specific economic and regulatory incentives for private sector organizations to offset the costs of securing networks beyond a commercial level of cybersecurity. Incentives have been successful in shaping private sector behavior in agriculture, aviation, government procurement, and tax policy, among other areas. By studying successful implementations of incentives in other contexts and applying the lessons learned to incentives for cybersecurity, we can begin building a national cybersecurity strategy that is not constrained by the current, government-blessed economic models, which are not designed to accommodate spending at a national security level.