Cybersecurity is out of control. Literally.
Over 3 billion people use the Internet, and we are led to believe that cybersecurity is everyone’s responsibility. To put it bluntly, that doesn’t work, and it never will. As the saying goes, when everyone is responsible, nobody is. It’s time for a change.
Recently, I had the great privilege of serving as a member of a non-partisan commission appointed by President Obama. Our task was to put together specific recommendations for the next Administration to strengthen cybersecurity in the public and private sectors. We issued our Report on Securing and Growing the Digital Economy last month, which includes 53 recommended actions. Here are a few of the report’s significant, overarching principles:
Drain the Cyber Swamp
It is not possible or optimal for every person and every company to be on the frontlines of cybersecurity. We should focus on fewer, higher-level solutions that benefit everybody. Shifting the burden away from end users will require a sustained international effort to tackle common Internet ecosystem threats, such as botnets that infect millions of victims and can take down power grids, and to eliminate them. Products, protocols and systems should be secure by design and by default, their complexity reduced, and their security capabilities disclosed. Finally, we need to ratchet up threat deterrence. The bad guys, whether criminal or military, won’t relent unless we improve our abilities to detect, identify and penalize them using all elements of national power.
Measure by Effectiveness, Not by the Undertaking
The NIST Cybersecurity Framework is a simply stated document, but don’t let that fool you. Attempting to achieve the Framework’s list of 98 specific outcomes would be enormously difficult and costly. And to what end? Unfortunately, nobody seems to know, not even the regulators that are so quick to determine whether a breached company’s actions were “unreasonable.” We must quickly address our lack of fact-based metrics that would establish not only whether the NIST Framework and related standards are cost-effective, but whether and to what extent they are effective at all. Regulators also should get their acts together by harmonizing their rules around common principles, as well as with one another.
Find New Ways to Win
The government and the private sector must resolve how to work together to jointly defend the nation in cyberspace. We also must continue to innovate with substantial advances in automation, artificial intelligence, machine learning and identity management. Finally, we must promote international standards that foster security, privacy and interoperability in ways that make it easier for businesses to innovate and operate with certainty across geopolitical boundaries.
The commission’s report is like a pitch straight down the middle. It’s packed with energy, urgency and direction. The new Administration, working internationally and with industry, can knock it out of the park. We have to. We’re currently down in cybersecurity, and it feels like the bottom of the ninth.