The Cyber Policy Path Forward

March 12, 2021

Guest Blog: Robert Mayer, USTelecom’s Senior Vice President of Cybersecurity & Innovation

There can be no clearer evidence of the need for industry and government to work together on cybersecurity than the recent SolarWinds attack on our nation’s digital infrastructure.

In the analog realm, an attack of this type would be a call to arms – recognized as an obvious invasion by the troops of a hostile foreign nation. In the digital realm, the situation is more complex on every level: from attribution to damage assessment to response and proportionality. It is this complexity that requires us to reimagine more effective and enlightened policy solutions, and equally, to recommit ourselves – across all parts of the public and private sectors – to shared accountability and responsibility for their implementation.

With a new administration and new leadership in key federal government roles, we have the opportunity both to assess and to act on the lessons of past cyber successes and failures. This requires setting aside long-standing institutional, bureaucratic, and cultural barriers that diminish our collective ability to defend our values and our way of life.

It also means federal agencies must work collaboratively, not only in setting strategy and policy, but in the actual implementation of those efforts. As long as government agencies operate in silos to protect turf and funding, results will be sub-optimal. This also includes Congress, where competing committee jurisdictions can frustrate legislative progress.

In a recent Brookings Institute blog, former FCC Chairman Tom Wheeler points to the SolarWinds supply chain software attack that compromised numerous federal agencies and lays this breach at the feet of the FCC. He faults the agency for, among other things, failing to ensure that the over 1,000 broadband network providers “eradicate the malicious compromise of networks that provide critical infrastructure capabilities.” In doing so, he implies that network service providers bear a unique responsibility for the attack by drawing on the historical analogies that “all roads lead to Rome” and “Britannia rules the waves.”

But such thinking – and such analogies – are both misguided and anachronistic. Today’s communications sector has the characteristics of a federation and can hardly be compared to empires of a bygone era. One might argue that prior to the 1984 breakup of Ma Bell, when the phone company controlled who could connect to its network and how, the network provider could have exerted this type of authority.

However, the current highly distributed, nonhierarchical digital ecosystem, comprising a matrixed web of software developers, cloud and information technology and network service providers, requires an entirely different approach to security: one based on shared responsibility and the adoption of strong security protocols. Moreover, given that the vast majority of network traffic (over 75 percent) is encrypted (i.e., service providers do not know its contents), preventing and eradicating malicious traffic must happen as close to the source of the traffic as possible.

None of this is to suggest that network service providers working cooperatively with our government and technology partners can’t or don’t deploy advanced technologies and invest massively to defend against the array of present and future cyber risks we face. We do, with our work addressing botnets and the security of the Internet of Things as prime examples. But we shouldn’t be deluded into thinking that only one part of our increasingly interdependent digital ecosystem can or should solve for the problem just because a regulator can assert its narrow authority under an 87-year-old statute.

We must also address the tendency to “chase the soccer ball” and create agency-specific initiatives with overlapping and duplicative regulatory and administrative oversight. For example, we have identified as many as 15 U.S. government initiatives on 5G deployment and related security considerations. Early indications are that the current Administration understands a systemic lack of effective and meaningful inter-agency coordination undermines our security goals.

Industry must understand government has legitimate interests and concerns to protect national/economic security and public safety. Evidence of avoiding responsible stewardship and shifting burdens to others in our shared digital ecosystem will only lead to prescriptive government-imposed mandates. Industry must establish clear accountability for cybersecurity at every level of the enterprise, the sector and across industries writ large. By demonstrating and verifying such accountability, a relationship of trust between government and industry can flourish. Recognizing we are all on the same team can better equip us to address the cascading cyber risks that presently threaten us all.

The communications sector has been working for years to refine this trusting relationship with government partners, and we continue to evolve that partnership with the shared goal to demonstrate real and measurable progress. Industry relies on government to highlight areas of interest and concern, and government in turn relies on industry subject matter expertise, as well as technical and operational wherewithal, to enhance security.

Industry can be an important ally with the federal government when facing attacks from advanced nation-state actors. But it can’t be expected to shoulder that burden without consideration of the economics of cybersecurity, which clearly favor much better funded national adversaries. Government must not transfer such risk to the private sector by simply imposing mandates and checklists that value compliance over security.

The bottom line: after decades of strategic and operational engagement with government, the communications sector knows what works well and what does not. Where we see opportunities for advancing our societal defensive capabilities, we engage willingly and wholeheartedly in those efforts. Where we see opportunities for refinements or an approach we believe to be counterproductive, we will not shy away from engaging in that debate.

With the right people, the right policies and the right intentions, we can build a better and safer tomorrow for future generations. This first requires a stronger trusting relationship between diverse parts of industry and government, realizing that only by working together will we be able to thwart hostile invasions of our nation like SolarWinds.

Robert Mayer is USTelecom’s Senior Vice President of Cybersecurity & Innovation. Follow him @RHMcyber and @USTelecom.