Published by The Lawfare Institute
in Cooperation With
As I prepared this week to address the more than 3,000 customers, stakeholders and other interested parties at FOCUS, Intel Security's annual cybersecurity conference, I thought a lot about my 20 years in the cybersecurity industry and how fundamentally the industry has changed. The threats are more serious and the malware more destructive, and conflict is spilling over from the digital world into the physical one. In just a few years, we've seen cybersecurity go from a function of the IT back office to a priority of the nation's Oval Office.
The current Administration has done a commendable job of making cybersecurity a top-tier issue. The Obama administration clearly recognizes the critical role that secure IT systems play in our national security, economy and daily lives. The many Presidential directives, executive orders, and initiatives the administration has issued are proof of this. Some of the many accomplishments that stand out are:
- The creation, together with industry, of the Framework for Improving Critical Infrastructure Cybersecurity (known as the NIST Framework), which lays out a clear roadmap organizations can follow to first assess and then improve their cybersecurity readiness;
- The creation of Information Sharing and Analysis Organizations, and related working groups, to help make the information sharing effort real;
- The creation of the Cybersecurity National Action Plan, including the appointment of a Commission on Enhancing National Cybersecurity; and
- The Continuous Diagnostics and Mitigation (CDM) program that the Department of Homeland Security (DHS) initiated, which gives civilian government agencies and others the tools to continuously monitor their networks and moves them from a compliance-based model to risk-based cybersecurity.
These and other cybersecurity initiatives propel us into a digital future where safety considerations are paramount. But cybersecurity is one area where the phrase, “What have you done for me lately?” actually applies. And while the next administration will reap some of the benefits of what’s been done, it can’t afford to relax on this front. If anything, the next administration must prioritize cybersecurity even more.
To address the challenges that lie ahead, here are some cybersecurity recommendations for the next administration to consider:
Take an International Approach to Cyberspace
The digital world is global, cyber criminals and hacktivists act globally, and our approach to cybersecurity policy must be global as well. The next administration should focus on establishing international norms in cyberspace and on promoting a voluntary approach to international standards. Where we have good tools in the U.S., such as the NIST Framework, we should work to disseminate them globally. Other nations have already taken an interest in this common-sense tool, which focuses on risk management rather than static compliance and embodies the government-industry partnership needed to transform cybersecurity on a global scale.
Secure the Citizen's Digital Interactions with Government
There's no reason citizens should stand in long lines at government service offices or wait on hold on the phone in the age of e-government. So far, however, major breaches have not inspired confidence in the security of civilian government systems and data. Citizens need to be able to trust their digital interactions with government if the promise of e-government is to be realized, including the lower operating costs and efficiencies it can create for agencies. Government systems need comprehensive, end-to-end cybersecurity, and citizens need to be provided with tools such as digital certificates, secure IDs, and encryption so that their interactions with government are more secure.
Solidify Information Sharing Strategy
Sharing threat information has been a necessity since I started in cybersecurity, yet we still haven't settled the standards and processes for doing so meaningfully. DHS and its working groups have created a path to get there, but we're not far enough along. The next administration should double down with the private sector to further evolve the way cyber threat information is represented and transported, building on standards such as STIX and TAXII. Cyber criminals are excellent at information sharing; the government and private sector ought to be too.
Invest in Paying Down the Cyber-Debt
As IT innovation accelerated and technology assumed a dominant place in our lives and economy, investment in cybersecurity lagged far behind. Many preferred to accept the risk of being hacked, a risk they did not think was that great. With each passing day, however, we're exposed to more breaches for which we are ill-prepared. That's because of the cyber-debt: the ever-widening gap between the investment needed to secure our growing digital world and the resources actually deployed to do so. We're playing catch-up, and we still have years of cyber-debt to pay down.
Invest in Cyber Education and Training
One piece of the cyber-debt that has been ignored is developing the next generation of cybersecurity experts. A report we conducted with the Center for Strategic & International Studies found that a majority of IT professionals around the world think their governments are not investing enough in building cybersecurity talent, and that the skills shortage does direct and measurable damage. We need to invest more in programs like the CyberCorps Scholarship for Service program, which funds students' studies in exchange for a period of government service, equipping them to pursue a cybersecurity career wherever they want afterward.
Maintain Voluntary Engagement on Securing Critical Infrastructure
Historically, cyber incursions remained in the digital world: data was stolen or held for ransom; networks were breached or brought down; systems were infected with malware that executed immediately or lay hidden until ordered to launch. These attacks were bad enough, but attacks are now moving from the digital to the physical realm. We've seen attacks on dams and other critical infrastructure, and the Internet of Things has greatly expanded the opportunities for attackers to reach into the physical world. The federal government has a legitimate interest in making sure critical infrastructure is secure. But the private sector must continue to lead, without regulatory mandates, lest regulation substitute compliance for real security.
There are additional areas where the new administration should focus, such as setting well-balanced encryption policies and investing more in basic cybersecurity research. I'm confident the incoming President will share the industry's goal of continually striving to keep our nation, government and citizens safe in digital and physical environments. Much of industry wants to remain engaged in driving solutions. There are many lessons to take from the current administration, but the main one is this: keep cybersecurity front and center.
Editor’s note and disclosure: Intel is a generous financial supporter of Lawfare. This article, as with all articles, underwent Lawfare’s normal editorial process and review.