President's Commentary: Igniting Cybersecurity Action
My hope is that the general public at last is beginning to develop a basic understanding of the vulnerabilities the nation faces in cybersecurity. My fear is that, while these vulnerabilities affect the public at large, this developing understanding has not yet integrated itself into the culture and broad practice of cybersecurity. People still tend to view cyber attacks and scams as isolated incidents with little impact. They don’t seem to grasp the pervasiveness of the threat and its accompanying short- and long-term consequences. The result is a continuation of a cavalier attitude toward cyber hygiene on the part of many individuals as well as government, industry and academia.
Part of the problem is that most people do not realize the relative ease with which data and networks are compromised on a daily basis. It happens stealthily and often in small degrees; most computer and smartphone users do not even realize what is happening until they are contacted by a bank or credit card company. The level of sophistication of these attacks dramatically is outpacing our ability to stop them. Barring a catastrophic identity theft or similar event, behavior usually is not modified. The general public does not seem to understand the sophistication, the level of skill and the consequences hostile adversaries bring to cyberspace.
The government has been highlighting the cyberthreat for years, but it has failed to take the necessary steps to implement well-developed and enforceable cybersecurity measures. Foremost among these measures is better educating the public to the world of cyber risks and the attendant consequences.
Contrast this with automobile safety measures introduced in the 1960s and 1970s in which the government developed and continually improved on standards for seat belts, lap-and-shoulder belts, child protective devices and airbags, among many other safety systems. The public was educated and aware of the dangers inherent in high-speed collisions and accepted the safety measures in the face of horrific consequences. That type of awareness and understanding about the cyberthreat and its consequences is wantonly lacking among the general public today. Just as the government educated the public about automotive safety measures in the past, it can—and should—do the same for cybersecurity today.
The trust factor weighs heavily on the government’s efforts. There is a need for more information sharing between industry, academia, government and the public, as well as among government-related organizations. Additionally, the government must develop a better balance between accepting the additional risk of sharing select and heretofore classified cyber information and the reward of increased public awareness that leads to improved policy adoption and acceptance.
Congress has introduced multiple bills touching on cybersecurity over the years. Yet few of these bills have offered an effective remedy to the problem and even fewer have become laws. The lack of well-thought-out, bipartisan legislation that is able to pass both houses on Capitol Hill and then be signed into law by the president is one of the biggest impediments to the nation moving forward with an effective cybersecurity policy. Political and legislative leadership is needed at a time when we, as a nation, are under increased threat. We are well past the time to address the challenge politically and legislatively.
Unfortunately, it may take a Sputnik-type event to spur government into action. I’m not referring to watered-down legislation that falls short of the need. When the Soviet Union launched the world’s first artificial satellite in October 1957, the United States awoke from a technological slumber and focused its already-extant aerospace resources on a concerted effort to catch up to, and eventually surpass, Soviet space capabilities. That relatively benign event was the catalyst for a national effort from the highest levels of government and industry down to the lowest level of individual education in the nation’s schools. At its heart, a Sputnik-type cyber event that spurs the U.S. public into action on cybersecurity would be infinitely preferable to a cyber Pearl Harbor.