
Obama’s cybersecurity initiative: a start but businesses – and individuals – need to do more

Despite the fact that the executive order lacks the force of legislation (only Congress can introduce liability protections, for instance), private sector companies may choose to cooperate. And corporate compliance, while voluntary, is crucial because more than 80% of U.S. critical infrastructure is privately owned and operated. Each such sector is, in and of itself, essential to U.S. national and economic security.

Models for cooperation
Keeping enterprises up and running is all the more important because their operations may be intertwined with one another. Taking down one sector, such as the electric grid, may therefore bring down others, yielding cascading and potentially catastrophic effects for the country. The good news is that collaboration between and among private entities is already underway, and one size need not fit all.

Take, for example, the Financial Services Information Sharing and Analysis Center (FS-ISAC), which facilitates sector-wide exchanges regarding cyber-related threats and their remediation. Or consider Microsoft’s Cybercrime Center, which works in tandem with law enforcement and other partners worldwide to disseminate information and thwart criminals. These are just two examples of corporate actors spearheading initiatives that pre-date the executive order and that serve both the public and private interest.

Letting a thousand flowers bloom — or encouraging flows of information between industries and government — may seem like a chaotic approach, yet existing efforts have achieved some real success. More such endeavors, tailored to context, may in fact prove constructive as the cyber-threat ecosystem continues to evolve.

For example, a group of U.S. companies (including McAfee and Symantec) are banding together to form a “Cyber Threat Alliance” which aims “to disperse threat intelligence on advanced adversaries across all member organizations to raise the overall level of situational awareness to better protect both the…organizations and their customers.” After all, it is companies themselves that usually have the greatest incentives to protect their own assets. Yet companies need to understand and respect the contours of what constitutes lawful defense and response, consistent with government’s rules of the road which, admittedly, are a work in progress, at best.

Other countries are also grappling with the question of how to effectively protect systems and networks, both private and public. Leading the pack is Estonia, an early target of cyberattack (2007) and an early adopter of e-governance (government services provided online), with a continuing commitment to innovation and digital security that is widely shared by officials and entrepreneurs alike. The country’s latest cyber-initiative is bold and ambitious: creating “digital data embassies” worldwide and offering “digital citizenship” (“e-residency rights”) to all who are prepared to meet the requirements. This gambit has dual goals: protect data and services in the event of cyber-attack and, secondly, facilitate additional foreign investment in the country and thereby generate economic growth.

National imperative and individual duty
What works for Estonia may not be a good fit, at least in totality, for other nations. The country is small in terms of terrain and population, and did not have to contend with legacy issues when building its infrastructure from the ground up after regaining its independence from Soviet rule in 1991. But the principles of Estonia’s policies are certainly instructive.

These include a whole-of-society approach to cybersecurity that incorporates the discipline (coding, programming, etc.) into the education system and curricula, beginning in first grade and continuing through to university. The result is a prevailing culture and mindset that conceives of cybersecurity as both a national imperative and an individual duty.

As the United States seeks to elevate its cybersecurity posture in ways that best suit its size, economy, circumstances, and traditions (based on history, respect for privacy and civil liberties, and so on), it will be important to complement private sector information-sharing efforts with a host of other measures.

These include building a cyberworkforce that is sufficiently large and skilled to meet existing and future U.S. needs. It means designing and engineering secure systems and architectures. It also includes cultivating an operating culture (in government and business) that recognizes cybersecurity to be a priority from the get-go as opposed to an afterthought. Falling short here will negatively affect U.S. national and economic security.

This month’s executive order is a spur to get the ball rolling but, frankly, there is a limit to what government alone can (and should) do in this area. Changes in attitudes and behaviors are needed across the board, right down to families and individuals.

Frank J Cilluffo is Associate Vice President & Director, Center for Cyber and Homeland Security at George Washington University; Sharon L Cardash is Associate Director, Center for Cyber and Homeland Security at George Washington University. This story is published courtesy of The Conversation (under Creative Commons-Attribution/No derivatives).
