Cyber policy at the dawn of a new administration
Thu 5 Jan 2017
Carmen Krueger, Senior Vice President of Cloud Operations at SAP NS2, argues why implementing an actionable cyber strategy is critical for defending national infrastructure under a new administration…
No one will debate the need for security in our nation’s critical infrastructure, including our digital and telecommunications networks. Taking that as a truism, the most urgent need before us is how we can best protect these precious assets.
Innovation and agility
First and foremost, we must enable innovation and agility. Many leaders have called for public-private partnerships that turn yesterday’s answers into today’s innovation. Innovation and agility enable us to stay ahead of malicious actors. The cyberwar is not about brute strength – it is about ingenuity. At the recent Reagan National Defense Forum, the under-secretary of defense for intelligence, Marcel Lettre, said, “The need for innovation is particularly acute in the cyber domain. The pursuit of artificial intelligence, of autonomy, of deep machine learning and human/machine teaming, automatic automation, speed and agility and scaling of technology constructs are all the features of innovation in cyber that we are beginning to drive.”
Cyberattacks: An act of war?
Policy changes are critical to improving the protection of our nation’s critical infrastructure and networks. Our policy needs to be clear: cyber-attacks from nation-states are exactly that, an attack. Once we acknowledge this and policymakers set a clear framework for what constitutes a cyber act of war, it will forever change the dynamic and role of the private sector, including its relationship with the public sector.
Commercial industry cannot bear the primary responsibility to prevent an attack, and at the same time bear all of the risk when such attacks take place. If these were physical attacks, our elected leaders and the American people would have zero tolerance for the resulting damage and loss of life suffered. We need to accept that borders do not have to be crossed or physical weapons used in order for damage to be inflicted upon our country. Make no mistake, the damage could be equally catastrophic.
Improving security postures through authentic dialogue
We need to have a comprehensive review of the various compliance regulations, followed by an honest discussion as to whether or not they are truly improving our security posture. Compliance and security are not always synonymous. There are regulations in place today that create disincentives for corporations to seek out breaches, data leakage, or insider threats. Ignorance is NOT bliss. Industry cannot be afraid to share information, nor should it be completely shielded from poor security practices. Regulators in the new administration should have an imperative to create a broader and far-reaching dialogue, to invoke a more streamlined set of standards, and to audit those standards. Additionally, with a clear eye toward what incentivizes industries to improve their cyber posture, the cybersecurity regulatory framework must be modernized.
Transparency above all
Policy should mandate transparency in meeting those established standards for the consumer of both commercial and government services. Individuals should understand the precautions that industry and government are or are not taking. Policy also has to recognize that there is no zero-risk option on the table without bringing our economy to a standstill. Risk-based decisions need to be made in collaboration between private industry and government.
We make risk-based decisions every day, and there is nothing like using the free market to enable consumers and businesses to calculate risk and in turn raise the bar of security through competition. Equally, there is nothing like a scorecard to shore up agencies’ adherence to security policy.
Aligning our forces for cyber defense
We need to develop an actionable strategy and roadmap for a cohesive defense of our critical infrastructure and networks. This includes leveraging the Defense Department, federal civilian agencies, our NATO allies, federally funded research and development centers, and of course private industry to come together and execute an orchestrated and purposeful strategy.
Cyber-attacks are not diminishing, and yet, even with the recent set of recommendations and action items from the Commission on Enhancing Cybersecurity, our national sense of direction on where we go from here is very unclear and indecisive. Who is in charge, and under what set of circumstances?
Early in our overseas and domestic defense against terrorism following 9/11, we faced similar disorientation, as our traditional structures did not neatly define how we addressed terrorist attacks. We need not wait to respond until after a cyber 9/11. We can and should accelerate the journey now to organize our capabilities and policy in the defense against cyberterrorism.