Why develop thoughtful cyber policies when disjointed activities and remaining vulnerable feel good?
The United States is being targeted by nation-state cyberattackers and criminals alike, exploiting the current crisis and taking aim at our nation’s most vital critical infrastructures, including healthcare, energy and elections.
Currently, the government’s ability to protect us and respond to these threats is hindered. Cyber responsibilities and capabilities are spread across various agencies that often operate in silos. This patchwork of disjointed cyber activities and approaches undermines accountability and puts citizens at risk. Within other important public functions and businesses, there is one centralized office overseeing security programs, managing risk and coordinating incident response activities: one accountable executive. The U.S. government needs a central coordinating authority with visibility into and oversight of cyber activities across all government agencies. This will help assure that we have an accurate understanding of risk, are taking the appropriate measures to reduce risk and can coordinate a whole-of-government response to incidents of national consequence. This role is also critical to forming coherent policies around important topics such as our international engagement on cyber issues, formulating a national encryption policy that balances the desires of law enforcement with cybersecurity and public safety, cyber workforce development and inclusion programs, and many others.
The Cyberspace Solarium Commission was formed last year to develop a consensus on strategy for best defending the U.S. against significant cyberattacks. Commissioners Representative Jim Langevin and Representative Mike Gallagher, along with other congressional leaders, have submitted legislation to codify many of the Commission’s recommendations. They call for establishing a National Cyber Director with policy and budgetary authority to coordinate and harmonize cyber defenses and policies across government. Thoughtful and well-coordinated cybersecurity policies, or the lack thereof, impact just about every aspect of how this nation is governed and operates. I fully support legislation establishing the National Cyber Director position. And I would urge Congress to consider adding some additional authorities and responsibilities to this role.
Encryption Policy
The National Cyber Director’s role should bring a cyber practitioner’s knowledge of encryption to balance industry and government objectives in security and access to information. Strong encryption improves cybersecurity, privacy and economic competitiveness, and increases public safety. An informed National Cyber Director can ensure law enforcement leverages lawful tools and methods and has robust technical training to access the information needed to conduct investigations without weakening security. The National Cyber Director should be the focal point for developing a national policy on encryption.
Cyber Workforce Diversity
There is a well-documented shortage in the cybersecurity workforce, and just as importantly, a great lack of diversity in thought and creativity. The lack of inclusion in the cybersecurity industry is a contributing factor. The workforce shortage is projected to reach 1.8 million people by 2022, according to the Global Information Security Workforce Study released in February. Minority representation within cyber is 26%, only slightly higher than the overall U.S. minority workforce (21%). Women represent only 14% of the cybersecurity workforce in North America and just 11% globally. Only through increased inclusion and diversity—of race, gender, perspective and thought—can the cybersecurity industry effectively address our biggest challenges. We need a bold cyber workforce strategy that develops and advances people from all walks of life. We need buy-in and partnership from the government to invest in recruiting, developing and retaining talent. Ensuring that the U.S. remains competitive for the best cyber talent available will require top-level attention and should be at the forefront of priority initiatives for the National Cyber Director.
Zero Day Disclosure
Businesses have been caught off guard in the past when hacking tools leveraging zero days—or previously unknown and unpatched vulnerabilities—have leaked out of the confines of federal law enforcement. Specifically, the publication in 2017 by Wikileaks of the Vault 7 trove of documents stolen from the CIA included zero days that have been used to compromise U.S. businesses. The National Cyber Director should oversee the Vulnerabilities Equities Process and Review Board, which determines whether and when the government should weaponize a specific vulnerability for intelligence purposes or disclose it so that it can be remediated and improve the nation’s and the world’s cybersecurity. A strong process that properly weighs the benefits and risks of disclosure and drives towards consensus will protect our overall cyber posture, critical infrastructure and economy, while considering national security and law enforcement needs.
Regulatory Coordination
The National Cyber Director should coordinate cybersecurity policies and practices with regulatory agencies like the Securities and Exchange Commission (SEC) to promote accountability and mitigate risk. The Cyber Solarium Commission Report recommends Congress amend the Sarbanes-Oxley Act (SOX) to explicitly account for cybersecurity, which would increase transparency and drive better behavior, without dictating specific technologies or practices. Even shy of amending SOX, interpreting the existing rules to be more inclusive of cybersecurity risk and requiring explicit attestation might be the single most impactful way to improve private industry’s cyber hygiene practices and reduce cyber-related losses.
Today government agencies, critical infrastructure and businesses across the country have greatly expanded the cyber attack surface. Internet of Things (IoT) devices are everywhere, sensitive data is in the cloud and critical infrastructure providers now connect operational technology systems to the internet. In a report from the Ponemon Institute in 2019, 90% of critical infrastructure operators said their environments had been damaged by at least one cyber attack over the past two years, with 62% experiencing two or more attacks.
With COVID-19, malware, phishing and ransomware attacks on critical healthcare and government systems are on the rise. At a time when the government is crucial to helping maintain vital services, and state and local governments lack the resources to reallocate to cyber, it’s more critical than ever to prioritize funding and budget investments based on risk, and to provide better coordination of cyber at the federal level. We need a National Cyber Director to lead this charge in partnership with industry.
This article was written by Amit Yoran from Forbes and was legally licensed through the Industry Dive publisher network. Please direct all licensing questions to legal@industrydive.com.