Today's headlines are depressingly familiar: wide swaths of personal data are stolen; ransomware locks out access to vital medical records; hostile nation-states exploit social media to influence our political system; electrical grids are compromised; another company loses intellectual property to a foreign competitor.
Despite over $90 billion spent per year on cybersecurity, progress in securing our business systems, protecting our critical infrastructure, and ensuring consumer data is safe appears to be halting. Clearly, we are at an inflection point. The digital ecosystem that supports our economy, protects our national security, and empowers our society must be made more secure, more trusted, and more reliable. We propose government and business leaders take the following steps immediately.
Step 1: Rethink the distinction between critical and noncritical infrastructure. The economy runs on data and digital networks, from hospitals reliant on electronic medical records to serve patients to sophisticated payment networks that power small businesses. The proliferation of these digital ecosystems across all facets of our economy and society makes it very difficult to differentiate between critical and noncritical systems. We need to rethink our risk models in such an interdependent environment.
Step 2: Make more use of market and legal incentives to drive adoption of best practices, and harden our digital infrastructure across all industries. The key to securing and making networks more resilient is the greater use of market incentives and less reliance on regulation. Currently, most businesses spend enormous resources satisfying the requirements of dozens of cybersecurity frameworks and standards. This compliance-based approach adds to the cost and complexity of security with a questionable reduction in risk. A case in point: most of the large data breaches over the last several years occurred at organizations that were "compliant" with government and industry control standards.
Step 3: Leverage the efforts of the National Institute of Standards and Technology (NIST). The federal government should take the lead by creating and promulgating one framework with associated controls standards, measurable performance criteria, uniform audit approaches, and breach disclosure criteria to replace the myriad of federal, state, and industry regulatory models. Liability protection should be extended to those entities that adopt this framework, which then can be translated into action by leveraging the purchasing power of the private sector, government, and consumers using market-based incentives.
Businesses need to hold their vendors and suppliers to a better standard in terms of protecting sensitive data, and ensure that digital services are safe from disruption, destruction, or tampering. They can leverage their tremendous purchasing power to demand a higher level of cybersecurity and resilience in the same manner they currently screen vendors for financial soundness and their ability to deliver goods and services.
The US government spends hundreds of billions on suppliers and vendors as well. This purchasing power should be translated into contract language requiring basic levels of digital security. NIST's current efforts are a good start but need to be fully implemented into the federal government's acquisition and procurement systems to be effective.
US consumers spend over $600 billion per year on information technology and telecommunication services. To improve consumer awareness of the level of security of digital products and services, the government and industry should create the cyber equivalent of Energy Star — a rating system to inform consumers about the level of security of the products and services they buy. This would compel companies to improve the security of their products and services using market mechanisms.
Step 4: Improve information sharing and collaboration. One of the lessons learned from our war on terror is not only the need to share information between government agencies and between the private and public sectors, but also the need for greater collaboration. We propose the creation of a National Cybersecurity Center that would include the various federal government cyber centers, the private sector's information sharing and analysis centers (ISACs), and nonprofit entities. The goal of the center is to co-locate a diverse group of stakeholders to work collaboratively to better prepare for, prevent, detect, respond to, and recover from cyber threats.
Step 5: A "Manhattan Project" to improve the research and development of next-generation technologies for the sensitive systems that drive our modern economy. This private-public initiative will require the government to lead efforts to ramp up R&D, in concert with the private sector and academia, with particular focus on securing Internet of Things technologies, quantum computing and cryptography, and improving the security of autonomous systems.
Step 6: Make a large investment in our cybersecurity human capital base. Currently, over 500,000 cybersecurity jobs are unfilled, resulting in substantial gaps in key industries and bidding wars for talent. We need the equivalent of the National Defense Education Act passed after the Sputnik launch in 1957 to produce the tens of thousands of cyber specialists we need each year. Not only would this produce high-paying jobs, but it would ensure the United States maintains its competitive advantage in cyberspace for decades to come.
What we are proposing here is not new; in fact, it has been part of the recommendations of dozens of previous studies and task forces over the last 25 years. What has been missing is the leadership and commitment to translate these recommendations into action.