All levels of government, as well as the private sector, face growing dangers from cyberthreats. That’s why there needs to be a centralized approach to cyberpolicies before a crisis occurs.
The oil crisis of the 1970s showed us that reliance on imported energy resources threatened the economy and tested military readiness. This vulnerability stemmed in part from a fragmented and inefficient energy policy and regulatory authority spread across several federal agencies. In response, President Jimmy Carter moved to centralize energy policy by creating the Department of Energy and a cabinet-level position for the secretary of energy so we could better respond to a complex international crisis and pursue a more strategic future direction.
Today, the United States is in a very similar place when it comes to cybersecurity: cyberthreats challenge our economy, our military, our national security and our infrastructure, and it’s time for the federal government to act definitively.
Currently, military, law enforcement and civilian agencies each have their own approach to readiness and resiliency with little interagency cooperation and no strategic coordination. In July 2019, a Government Accountability Office (GAO) report found that nearly 50 percent of the 23 federal agencies reviewed lacked a process for assessing cybersecurity risks, and 70 percent did not have an established management strategy to make cyber-risk-based decisions.
To effectively defend against the cyberthreats that both nation-states and cybercriminals pose, the U.S. government must consolidate its cyberpolicies. We need a cabinet-level position to give cybersecurity the attention, consistency of policy and funding needed to be effective.
Complicating our nation’s cyber-resilience is the structure of our government, which divides power between the states and the federal government. States complain that the cyberthreats they face are as real and dangerous as those facing the federal government, but that cybersecurity funding is insufficient and trained personnel are difficult to find.
The federal government will have to provide significant funding and knowledge transfer to the states and local governments to help them secure their networks if resilience is truly going to happen nationwide. The Cyber Resiliency Act, introduced in the Senate this spring, provides grants to assist states in developing and implementing plans to address cybersecurity threats. The grants probably won’t be enough, but they are a step in the right direction.
Like the oil crisis that surprised our nation in the 1970s, most of us don’t yet feel the looming threat from cyberattacks, nor can we fully comprehend the implications of a successful attack. Those who work in the security sector know that bad actors constantly target our infrastructure, businesses and military, and it is only a matter of time before an attack threatens our economy.
To make matters even worse, the private sector has been left to protect itself. The Verizon 2019 Data Breach Investigations Report found that 43 percent of cyberattacks target small businesses, an important part of the economy that doesn’t have the resources to protect itself. When there is an attack, there is no requirement that all businesses report what happened to authorities.
Wary of sharing information about a breach or vulnerability, few companies are using Homeland Security’s Automated Indicator Sharing program, which compounds security issues and weaknesses. Further, the private sector includes many sensitive and key infrastructure functions. From electric power to health care to banking and beyond, these core industries are important to the functioning of our economy and society.
To successfully protect our nation and our economy, as we did in response to the energy crisis in the '70s, we need to establish a cabinet-level cybersecurity position. It must have the mission, the authority, the budget, and the clout to engage the nation with cybersecurity and foster resilience in our digital systems with vigor and focus. The oil crisis created high gasoline prices and long lines — a minor inconvenience in hindsight. The threat from cyber is insidious and silent for the most part. We need to learn from our history and tackle the problem and win — before it’s too late.
Author’s bio: Ray Rothrock is a global advocate for digital resilience, which is an organization’s ability to rapidly respond to attacks, minimize damage and quickly return to business as usual. He serves as CEO and chairman of RedSeal, which provides critical cyber and business insights via its cyberterrain analytics platform to more than 40 government agencies and hundreds of commercial enterprises. He recently authored the book, Digital Resilience: Is Your Company Ready for the Next Cyber Threat?