As cybersecurity advisor to President Barack Obama from 2012 to 2016, I led the development of our country’s cybersecurity strategy and policy. During that time, we established a suite of effective cyber policies, responded to numerous cyber incidents, and better protected critical infrastructure from malicious cyber activity. Included among the administration’s landmark cyber policies was the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD-41) on cyber incident coordination, which outlined how the federal government is organized to respond to cyber incidents.
In addition to these executive branch actions, we also worked with Congress to pass key legislation, such as the Cybersecurity Information Sharing Act, which incentivizes the public and private sector to share more cyber threat information. We also made tremendous strides in raising awareness among average Americans of cybersecurity as an issue that directly impacts their day-to-day lives, which is important as we become ever more digitally dependent on connected devices, from wearable technology to smart cars. We’ve seen greater investment and collaboration in the private sector in not only sharing information but also best practices. Yet, cyber threats continue to worsen. With greater interconnection comes the increased potential for malicious cyber activity that could cause havoc on the home and business front.
Certainly, an individual company or governmental agency can take steps to enhance its cybersecurity. Businesses and agencies must break free of old ways of thinking to adapt to the realities of the modern threat environment, and stop treating cybersecurity as a purely technical problem. Instead, they need to treat it as a complex business or operational risk that needs to be managed on a continuous basis. They need to adopt a holistic risk management framework and ensure that the operational managers are communicating with the cybersecurity leaders. Other measures they can take include developing incident response plans, building relationships with law enforcement and network defenders in advance of incidents, focusing the C-Suite’s attention on the issue, and joining information-sharing organizations.
But while these measures would make individual organizations better at cybersecurity, how do we strengthen cybersecurity for the entire nation?
First, we need to rethink how we collectively share and divide responsibility for combating cyber threats between the private sector and government. Because the rules of cyberspace differ from those of the real world, the organizational roles they play in cyberspace may differ from those they play in the physical world. For example, in cyberspace, borders don’t operate the way they do in the physical world, so asking the federal government to provide cyber border security is neither realistic nor desirable. Therefore, we need new mental models, drawing on disciplines such as public health and disaster management, to allocate responsibilities among the relevant players, including government, the private sector, critical infrastructure owners and operators, cybersecurity service providers, and individuals in a way that effectively addresses the cybersecurity challenge.
Second, while we made substantial progress in improving the coordination among executive branch agencies with respect to cybersecurity, substantial variance remains among the independent regulators. These regulators have generally embraced cybersecurity as a mission, and most work together in good faith. However, they often still take slightly differing approaches to cybersecurity requirements, which causes issues for companies facing multiple regulators. But the executive branch can’t really drive coordination among these agencies. They’re independent for a reason, and we don’t want to change that. Instead, Congress must act in this area and require greater coordination in the approach the federal government takes to cybersecurity.
Third, we need to increase cybersecurity information and threat intelligence sharing. We can start by evaluating the status of the information-sharing ecosystem—we have dramatically improved sharing in a few sectors, such as financial services and health care. However, these improvements are still insufficient. Changes we can make include more clearly delineating between incident reporting and cybersecurity threat-sharing—while both are equally important, reporting incidents (after the fact) is distinct from sharing information (before the fact). To further encourage collaboration among the public and private sector, the government should consider establishing reverse Miranda protections for business and industry, while industry should consider what a realistic standard of care would be for handling consumer or business data. Settling on such rules of the road would reduce the uncertainty that inhibits many information sharing efforts. We also need to enhance the amount of information analysis that occurs in the threat-sharing process. Raw information by itself is not entirely useful—effective intelligence-sharing requires context.
Within the information sharing environment, though, we also need to distinguish between the different kinds of sharing required, because it’s not all the same. For example, the cybersecurity industry needs to focus on sharing indicators, observables, tools, and techniques, while industry information sharing organizations should focus on sharing threat trends, best practices, and the information most relevant to their constituencies. Differentiating among types of information sharing will make us all more effective at this critical task.
Finally, the U.S. government should engage with other nations to further refine the rules of the road for what we will collectively consider to be acceptable and unacceptable activity in cyberspace for all the relevant actors. We need to ensure that malicious cyber activity does not become de-stabilizing and escalatory in the international environment. Achieving this goal will require governments and industry to cooperate on a global scale, in some cases expanding existing institutions but also building groups and cooperation mechanisms when necessary.
Going forward, the current administration and Congress need to build on progress to date, including continued modernization of federal IT systems, greater use of shared services, heightened accountability for senior government officials, increased efforts to protect our critical infrastructure, and improved capacity to disrupt malicious cyber actors. We need to facilitate the policy debate over how to achieve the goals I outlined above and continue to invest in long-term cybersecurity efforts, such as research and development.
Overall, the nation has reached a strategic inflection point. For over 40 years, we have leveraged cyberspace to obtain huge economic benefits, enhance national security, and encourage broader social interaction. Yet, malicious cyber activity threatens this progress and risks turning cyberspace from a strategic asset into a strategic liability. We must take these steps now to ensure that we can continue to reap the benefits from cyberspace and the Internet.
On Thursday, September 21 at 11:00 a.m., ET, Ann Beauchesne and former White House Cybersecurity Coordinator Michael Daniel will participate in a Facebook Live chat on the global security landscape. Watch it live on the U.S. Chamber's Facebook page.