It’s interesting to see how words like "ban" and "wall" have become intertwined with our basic understanding of national security. Yet, while these terms rile passions everywhere, there is a different set of borders that is potentially more vulnerable and maybe even more dangerous.
The behavior toward these barriers is reckless, even lawless, all while there’s ubiquitous access and uneven safety, and it doesn’t get nearly enough attention.
These are the "borders and roadways" seemingly and virtually built around information — the lifeblood of modern society, with all the benefits and flaws. For years, we’ve seen attacks on everything from retailers and banks to political parties and government agencies, and each takes its toll.
The sheer volume has a curious effect on our consciousness. On one hand, as the assaults pile up, we’ve become largely immune to the bad news. On the other, the hacks and the motives behind them have gotten more sophisticated, more complicated and more damaging.
Ours is a society that has become somewhat desensitized to large-scale breeches. Recall the massive distributed denial of service (DDoS) attack that took down much of the internet across the eastern seaboard last October. You don’t have to know what DDoS is to understand that hack affected everything from the New York Times to Reddit, imposed significant costs on our economy, and consumed large-scale resources in the process.
Or, how about the multi-year breach at the U.S. Office of Personnel Management (OPM), which targeted as many as four million people? Those are just a couple of high-profile assaults among the thousands that occur every month.
Converting Policy into Sound Practice
Different government agencies are holding an open discussion about the issue, though the focus and urgency vary. A new plan to combat cyberattacks is in the works, with the onus on government agency chiefs for cybersecurity.
The Federal Information Security Management Act (FISMA) defines accountability as part of a comprehensive framework to protect government information, operations and assets against natural or man-made threats. That’s just the rules of the game for federal agencies.
For the last four years, the private sector, where the overwhelming majority of our country’s critical infrastructure is owned and managed, has been guided largely by a voluntary information security framework developed by the National Institute of Standards and Technology. While promulgating sound policies like FISMA and the NIST framework are important, converting them into sound practice is critical.
It’s not whether an organization will get attacked, but when. The goal is to close the risk aperture for corporations, government agencies and individuals, including critical infrastructure, particularly given the virtual connectivity to nearly every entity we enjoy every day.
To do so, we need to build effective defenses and detection methods through technology evolution. However — and perhaps most essentially — we also must drive individual and institutional practices that are preventative in nature and push risk down substantially.
The most significant factors are awareness and personal responsibility. It is imperative to drive cultural change, which requires continual education about the importance of cyber ‘hygiene’ surrounding interactions with the internet. The human factor is still the most critical one — the vast preponderance of system penetrations can be traced to a human action or inaction — with successful spearfishing remaining the most likely culprit.
The lines between personal and business, and between public and private, are blurred to the point of being indistinguishable. In effect, we know how to generate, locate, share and use information, but are less cognizant of protecting it. The message that security is everyone’s responsibility must be ingrained in us as consumers and as a society.
This responsibility extends to the technology professionals to ensure the latest updates, patches and other capabilities are enabled to close the threat windows as rapidly as we discover them.
Boards, agencies and other governance bodies must promote such awareness and evolve a healthy sense of vigilance around cyber interactions that might not appear to be right. Further, leadership must assume threats are already inside to enable cultural awareness and the associated technologies to be able to rapidly detect intrusions before real damage is done.
Policy Landscape — Collaboration and Leverage
We need to evolve the existing legislation, regulatory and standards frameworks that we have developed over the years. The 2015 Cybersecurity Act, which established the guideposts for information sharing, was an important step that was long overdue. The 2013 NIST framework has helped guide enterprises on ways to better manage risk and protect our networks and critical infrastructure.
However, both of these measures are policy snapshots based on the technological innovations and best practices of the time. Threats, risks, vulnerabilities and our responses to each are a never-ending, organic, evolving process. Therefore, the most important thing policymakers and regulators can do is promote an environment that allows for continuous, robust collaboration between private and public actors and reduces unnecessary or unintended barriers to these efforts.
This takes at least two forms — rapid sharing of threat information between and among industries, government and other stakeholders and leveraging commercial technologies within government to more effectively counter current and emerging threats.
Despite progress in both domains, we must do more. There often remains reticence for the private companies to publicly admit breeches or share information with government for a variety of reasons — public reputation (real or imagined), fear of regulatory sanctions, liability or other externalities.
In addition, the information flow from government to the private sector can be much improved. We must encourage more communication between all parties for the good of our nation, and that starts with reducing legal or practical barriers that impede two-way communication.
Public and private sector players are investing substantially in technology to defend public and private information networks from cyber threats. Differences in the ways of doing business in both sectors coupled with policy divides make cooperation more difficult than it should be.
The monumental shift in research and development resourcing over the past 50 years from the federal government to Silicon Valley makes it inherently important to our nation that the key players in both domains work toward the common good.
To do so, we must address the fundamental conflict points between industry and government, including acquisition approach and pace, privacy, intellectual property ownership and legal issues around disclosure.
This is the kind of work policymakers should embark on now in concert with tech industry leadership. Our adversaries using available technologies to steal, disrupt and destroy information and infrastructure, are under no such restrictions.
The Road to the Promised Land or ‘Abilene’
For more than 240 years, our country has conquered difficult challenges with the odds stacked against us. Liberation by fire, a difficult civil war, an industrial revolution, two world conflicts, a geopolitical cold war and an information revolution are among the many hurdles that we have cleared. In parallel, we’ve driven unprecedented global prosperity and worked through some debilitating economic downturns.
In the cyber arena, we’ve arguably become the greatest global enabler and most challenging threat to our own stability. Are we ready to come together to better manage and lead the quest to minimize the exponentially growing risks that cyber threats continue to generate? It starts with leadership in Washington, Silicon Valley and other places.
Add to that our own personal responsibility as individual and corporate users of technology to be better educated to do our part. That is a very imposing hurdle before us, but we should set our sights on crossing it. We’ve done it before.
Mark Testoni is the CEO and president of SAP National Security Services (NS2).
The views expressed by contributors are their own and not the views of The Hill.