Why Cybersecurity Is a Whole-of-Society Issue

It's clear from the comments by Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), at a recent Congressional hearing on Chinese cyber operations, and from documents leaked from a Chinese hacker-for-hire ring, that there's a growing threat from and demand for a market for cyber vulnerabilities. Even more alarming, however, was Easterly's assessment that "we've made it easy on" attackers through poor software design. To secure our systems and prevent a whole-of-society or whole-of-economy attack like the one that Easterly and her peers descripted to Congress, it will take a whole-of-society effort to reshape the market for cybersecurity to create technologies that are both high-performing and secure.

Cybersecurity statistics from 2023 paint an even clearer picture of how easy it is for hackers: In Chromium, the engine that powers Chrome and Edge, eight previously unknown vulnerabilities (zero-days) were identified. Even software designed to keep users and networks secure was not immune from compromise. CISA opened 2024 with an emergency directive for federal departments and agencies to patch a series of vulnerabilities in VPN software designed for securing employee connections to federal networks. In the coming months, it's also likely that the creation of a market for hacks and hacked data by the likes of iSoon, as well as the growing offensive threat posed by AI, will make cyber defense even more challenging.

As CISA articulated in its Secure by Design initiative, vendors are the first step to creating technologies that are both secure and usable. Taking security into account along with performance and features from day one of a product's development will not only help build a secure technology stack but will also ensure that products truly balance security and performance instead of creating hurdles to good user experience masquerading as security features. But even CISA's ambitions to bring Secure by Design to life as a regulatory framework is insufficient to drive the sea change that's needed to turn the tide against emboldened and AI-empowered hackers — without support from the market, even the most well-intentioned and well-informed regulations will devolve into a box-checking enterprise.

Cyber-Risk Is Business Risk

To secure our economy and privately operated infrastructure, businesses must realize, as Easterly put it, that "cyber-risk is business risk" by incorporating cybersecurity into all their business practices. By increasing the stature of CISOs and giving them holistic cybersecurity oversight of the entire business, particularly procurement decisions, companies can incorporate cybersecurity as an organic step in business processes. In doing so, cybersecurity will become less of a last-minute hurdle to business effectiveness and more of an enabler to build a technology ecosystem and operations model that are both successful and secure.

As executives prioritize cybersecurity as a factor in their strategic decisions, cybersecurity and IT professionals — two closely related but often clashing groups — must come together to build networks that are both secure and functional for their users. IT professionals must realize that shortcuts to bypass security controls in favor of user experience or network efficiency incur unnecessary risk for their companies; in return, cybersecurity professionals must proactively look for technology that provides users a good experience while isolating them from technical risks. Both groups need to collaborate to create education for their workforces that are based on a real-time understanding of the risks they face and empowering good decisions about those risks rather than annual, quarterly, or monthly training that too often runs in the background while employees do their "real jobs."

The final piece of a whole-of-society approach to cybersecurity is both the most difficult and the most critical: integrating cybersecurity into the day-to-day lives of citizens. While CISA and the US government writ large have put much of the burden for secure development and secure decisions on companies, citizens must realize that the cybersecurity stakes go far beyond individual credit cards and bank accounts. The doomsday scenario of a simultaneous power, water, and communications disruption brings these stakes into focus, and day-to-day citizens must be willing to increase their cyber literacy and compliance to stop this scenario from unfolding. Just as we accept and comply with the incessant tones that remind us to buckle our seatbelts when driving, we must accept minor cybersecurity "nudges" like multifactor authentication of sensitive work and personal.

It's easy to catastrophize the consequences a Chinese cyberattack could bring — and it's certainly worth talking about response, resiliency, and recovery policies. It's hard to look in the mirror and realize that, in the rush to develop, purchase, and consume feature-rich technology, we've made it "easy" for our adversaries. But this doesn't have to be the case. If we work together and integrate cybersecurity as part of our corporate and individual thinking, we can make life harder for the hackers and safer for ourselves.