President's Commentary: First and Foremost, Educate for Cyber
When we closely examine U.S. cybersecurity policy, one point stands out. Many in the public, industry and government are not well-educated or informed about the causes and effects of our cybersecurity failings or their remedies. These knowledge gaps differ among and within each sector, but cumulatively they add up to the vulnerable state of affairs that defines securing our national cyberspace. Policy must be continually assessed, focused and adjusted to meet the needs of this dynamic domain.
The debate, strategy and emphasis on securing cyberspace need to be advanced at an accelerated pace. Our thinking tends to address the cybersecurity challenge in a linear and sequential manner, yet the technology and creativeness of friends and foes alike are moving at an exponential rate.
We need to foster increased understanding and clarity about cybersecurity for a heightened awareness and a more appropriate and thoughtful allocation of resources to meet the challenge. In many instances, vital information has not been absorbed by people who must understand cybersecurity issues to frame effective policy. This knowledge gap, in large measure, can be reduced by entrusting the professionals leading our national cybersecurity efforts to share threat information more openly. Their actions should occur across a much broader expanse of the U.S. public sector and private industry.
It is not realistic to expect individuals to make sound decisions without being properly educated on cyberthreats. An opportunity exists for collaboration among industry, government, academia and the private sector to unravel much of the mystique and some of the secrecy that has shrouded the world of cybersecurity. This can begin with increased public and private exposure to cyberthreat information and the consequences of failing to act. The gain in collective cyber understanding and attendant security outweighs the risks of exposure to what until now has been considered sensitive or classified information.
Revealing methods and sources of information and intelligence is not necessary. What is required is greater information sharing and education among all parties—potentially even in the form of a national campaign. (Does anyone remember Smokey the Bear?) The argument for a national campaign, beyond the annual October cybersecurity awareness month, is compelling and overwhelming given the significance of the threat.
Among the many challenges we face in cybersecurity public policy is the fundamental and deeply complex issue of balancing privacy and security. It is a timely matter, yet the problem is increasing in complexity. The solution is not clear-cut, and much negotiating—as well as wisdom—must be applied.
Ironically, much of the data we want to protect already resides “somewhere out there” in a ubiquitous network or data repository, waiting to be combined with other data and sources of information or shared with other entities. Most people have bought something online or registered their cars digitally, for example. As a result, more data and information is accessible outside of government than many people realize. This likely will increase exponentially with the advent of the Internet of Things.
For the private sector’s part, many companies want to see policies they can implement. But many issues remain unresolved. For example, does a company have the right to conduct active defense measures when its cyber experts sense that it is being exploited, and what form would that response take? What are the implications of pre-emption? Under what authorities? What are the consequences of misjudgment? The list of questions goes on. However, the debate must be conducted in a more public arena.
The country needs a national forum that brings together industry, academia and government officials in an appropriate setting to discuss the issues. The risks of withholding information are greater than the risks of sharing it. That tenet should be at the core of cybersecurity efforts.
Cyber education is a critical issue that must be tackled and dealt with successfully. Education must occur at all levels, from the board of directors down through an organization. To that end, the AFCEA International Intelligence, Cyber and Homeland Security committees will host a classified (Secret/NOFORN) Cyber Forum on July 21. We hope to see you there.