Defending the nation in cyberspace — a call to action
Four cybersecurity priorities for Congress to confront active threats
The 116th Congress may have difficulty finding common ground on most issues. But there is at least one area that presents the opportunity for bipartisan action: cybersecurity.
Cyber threats do not discriminate based on party affiliation.
There are four key issues within cybersecurity where this Congress has the potential to make progress with impactful legislation that would make all Americans - and our democracy - more secure.
Election security: The Department of Homeland Security has made considerable progress on election security over the past 18 months. But, with 10,000 local jurisdictions responsible not just for administering elections but now for protecting our democracy against nation-state threat actors, more must be done.
The answer does not lie in funding alone. Paper ballots paired with risk-limiting audits are critical; and Congress should take a hard look at the vendors who play an outsized role in our democracy. We also must share expertise and training across jurisdictions and ensure that jurisdictions are prepared to recover in the face of a cyberattack. The election security provisions in the House Democrats' first bill are an excellent start and should not fall way to partisan rancor.
Data privacy and security: Data breaches should not be the new normal. Yet, even after compromises of 3 billion Yahoo email addresses, the credit profiles of 150 million Americans at Equifax, and the personal information of up to 500 million Marriott guests, the U.S. government has yet to take action. Congress can do so now by legislating policies that help to move security away from the end-user.
Congress must incentivize companies to bake security and privacy protocols into the design of products and services. Individuals also must take responsibility by making security a component of consumption choices. This integrated approach - of both moving security away from the end-user and creating a culture where individuals take responsibility for their security - will ensure a more resilient nation.
Infrastructure protection: The United States must protect its critical infrastructure, including elections, power, transportation and financial, from cyber threats. The recent establishment of the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security is one necessary step in doing so. Yet, more is required.
Congress must push for a better understanding of the interdependencies of our critical infrastructure, as well as rapid reassessments based on the current and future threat environments. A new critical sector has emerged over the past several years, yet our government is failing to organize itself to respond to it. Social media now directly affect the national and economic security of our nation. Congress must work with the executive branch and industry to identify what appropriate measures must be instituted to manage it.
Workforce development: Any effective cybersecurity strategy will require the right people to do the job. Right now, we don't have them. There is a dangerous shortage of people to implement what needs to be done to make America safe in the digital age. Right now, there are an estimated 300,000 cybersecurity jobs going unfilled in this country, from top managers and technicians to every kind of support personnel. It is a number that will only grow.
We also must reconsider who is responsible for cybersecurity and create a culture of cybersecurity. Every individual who uses a phone or laptop to perform a function of their job is now part of the cyber workforce. More education and training are needed. Congress should pass legislation prioritizing and incentivizing cyber education throughout the public school system, as well as throughout the workforce.
There are additional cybersecurity priorities Congress must address, especially protecting the defense supply chain and regulating the unsecured explosion of the internet of things. There is a reasonable path forward on these issues in groundwork laid in the 115th Congress.
As Americans increasingly are recognizing, cybersecurity is critical to the national and economic security of our nation. Congressional legislation that focuses on election security, data privacy and security, critical infrastructure protection, and workforce development is an important and necessary step in helping our nation confront these active threats.
David Hickton is the founding director of The University of Pittsburgh Institute for Cyber Law, Policy and Security and was formerly the U.S. attorney for the Western District of Pennsylvania.
Kiersten Todt is a resident scholar of the Institute and was the executive director of the Obama administration's bipartisan Commission on Enhancing National Cybersecurity.