The digital infrastructure that supports our economy, protects our national security, and empowers our society must be made more secure, more trusted, and more reliable. Here's how.

Mike McConnell & Patrick Gorman, Mike McConnell & Patrick Gorman

January 3, 2018

5 Min Read

Today's headlines are depressingly familiar: wide swaths of personal data are stolen; ransomware locks out access to vital medical records; hostile nation-states exploit social media to influence our political system; electrical grids are compromised; another company loses intellectual property to a foreign competitor. 

Despite over $90 billion spent per year on cybersecurity, progress in securing our business systems, protecting our critical infrastructure, and ensuring consumer data is safe appears to be halting. Clearly, we are at an inflection point. The digital ecosystem that supports our economy, protects our national security, and empowers our society must be made more secure, more trusted, and more reliable. We propose government and business leaders take the following steps immediately.

Step 1: Rethink the distinction between critical and noncritical infrastructure. The economy runs on data and digital networks, from hospitals reliant on electronic medical records to serve patients to sophisticated payment networks that power small businesses. The proliferation of these digital ecosystems across all facets of our economy and society make it very difficult to differentiate between critical and noncritical systems. We need to rethink our risk models in such an interdependent environment. 

Step 2: Make more use of market and legal incentives to drive adoption of best practices, and harden our digital infrastructure across all industries. The key to securing and making networks more resilient is the greater use of market incentives and less reliance on regulation. Currently, most businesses spend enormous resources satisfying the requirements of dozens of cybersecurity frameworks and standards. This compliance-based approach adds to the cost and complexity of security with a questionable reduction in risk. A case in point: most of the large data breaches over the last several years occurred at organizations that were "compliant" with government and industry control standards.

Step 3: Leverage the efforts of the National Institute of Standards and Technology (NIST). The federal government should take the lead by creating and promulgating one framework with associated controls standards, measurable performance criteria, uniform audit approaches, and breach disclosure criteria to replace the myriad of federal, state, and industry regulatory models. Liability protection should be extended to those entities that adopt this framework, which then can be translated into action by leveraging the purchasing power of the private sector, government, and consumers using market-based incentives.

Businesses need to hold their vendors and suppliers to a better standard in terms of protecting sensitive data, and ensure that digital services are safe from disruption, destruction, or tampering. They can leverage their tremendous purchasing power to demand a higher level of cybersecurity and resilience in the same manner they currently screen vendors for financial soundness and their ability to deliver goods and services.

The US government spends hundreds of billions on suppliers and vendors as well. This purchasing power should be translated into contract language requiring basic levels of digital security. NIST's current efforts are a good start but need to be fully implemented into the federal government's acquisition and procurement systems to be effective.

US consumers spend over $600 billion per year on information technology and telecommunication services. To improve consumer awareness of the level of security of digital products and services, the government and industry should create the cyber equivalent of Energy Star — a rating system to inform consumers about the level of security of the products and services they buy. This would compel companies to improve the security of their products and services using market mechanisms.  

Step 3: Improve information sharing and collaboration. One of the lessons learned from our war on terror is not only the need to share information between government agencies and between the private and public sectors, but also the need for greater collaboration. We propose the creation of a National Cybersecurity Center that would include the various federal government cyber centers, the private sector's information sharing and analysis centers (ISACs), and nonprofit entities. The goal of the center is to co-locate a diverse group of stakeholders to work collaboratively to better prepare for, prevent, detect, respond to, and recover from cyber threats.

Step 4:  A "Manhattan Project" to improve the research and development of next-generation technologies for the sensitive systems that drive our modern economy. This private-public initiative will require the government to lead efforts to ramp up R&D, in concert with the private sector and academia, with particular focus on securing Internet of Things technologies, quantum computing and cryptography, and improving the security of autonomous systems.

Step 5: Make a large investment in our cybersecurity human capital base. Currently, over 500,000 cybersecurity jobs are unfilled, resulting in substantial gaps in key industries and bidding wars for talent. We need the equivalent of the National Defense Education Act passed after the Sputnik launch in 1957 to produce the tens of thousands of cyber specialists we need each year. Not only would this produce high-paying jobs, but it would ensure the United States maintains its competitive advantage in cyberspace for decades to come.

What we are proposing here is not new; in fact, it is been part of recommendations from dozens of previous studies and task forces over the last 25 years. What has been missing is the leadership and commitment to translate these recommendations into action.

Related Content:

About the Author(s)

Mike McConnell & Patrick Gorman

Mike McConnell & Patrick Gorman

Mike McConnell, Senior Executive Advisor, Booz Allen Hamilton & Former US Director of National Intelligence

Mike McConnell was appointed Director of National Intelligence (DNI) under Presidents George W. Bush and Barack Obama and served as a member of the National Security Council managing the US Intelligence Community's global engagement in support of US and allied national security objectives. As DNI, McConnell was successful in persuading the president and Congress to invest over $17B in improving cybersecurity defenses of the nation. McConnell is a senior executive advisor and former vice chairman of Booz Allen Hamilton, where his primary roles included serving on the firm's leadership team and leading Booz Allen's cybersecurity business. McConnell led the development of the firm's information assurance business and intelligence business focused on policy, transformation, homeland security, and intelligence analytics. McConnell's career spans over 40 years focused on international development and foreign intelligence issues. His 29-year career as a US Navy intelligence officer included significant assignments that impacted national security issues

Patrick Gorman, CEO, CybrIQ Solutions & Chairman, Advisory Board, CyberGRX

Patrick Gorman is the CEO of CYBRIQ Solutions and serves as the advisory board chairman for CyberGRX. With 30 years of experience, Gorman has worked in multiple capacities in technology, risk and cybersecurity. Gorman recently served as the chief security officer (CSO) for Bridgewater Associates where he was in charge of cyber, physical, and staff security for the world's largest hedge fund. Mr. Gorman was the senior vice president and global chief information security officer (CISO) for Bank of America/Merrill Lynch, where he led security policy, technology, management and operations. Prior to that, Patrick worked at Booz Allen Hamilton as senior executive advisor of cybersecurity responsible for strategic planning, business development, capability development, marketing and capture management. His rich background stems from holding the position as assistant director of national intelligence for policy and strategy and chief information officer for the US intelligence community, as well as several cyberwar and intelligence positions in the military.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights