The release last week of the Department of Homeland Security’s first ever Quadrennial Homeland Security Review (QHSR) highlighted how central cybersecurity has become to the agency’s mission. "Our vision is a cyberspace that supports a secure and resilient infrastructure, that enables innovation and prosperity, and that protects privacy and other civil liberties by design," the document said.

Key to success in realizing the vision of a national cybersecurity strategy according to a new research paper by two University of Cincinnati professors will be strengthening the weakest link in the security chain, the general public,

The paper titled The Cybersecurity Triad: Government, Private Sector Partners, and the Engaged Cybersecurity Citizen argues that even if responsibility for cybersecurity is successfully moved to the Executive Office of the Presidency, much more reorganization and governance changes will be required to implement cybersecurity policy effectively throughout the American federal system.

“The reorganization required to achieve cybersecurity is strategic and adaptive in Nature,” the paper says. “Simple centralization will not produce cybersecurity.”

Rather, the paper outlines several key parameters that should guide this reorganization.

First, it says, “ is the essential recognition that cyber threats pose a national security challenge. Cyber threats are more serious than a nuisance or crime.”

Second, it says, “intergovernmental management problems are inevitably a part of the cyber challenge. State and local governments are destined to be key actors in meeting future cyber threats.

The third necessary step in reorganization, the paper urges, is for state and local governments will facilitate partnerships with the private sector corporations that operate critical cyber infrastructure.

Finally, and most importantly, “ the general population, the end users of computer technology, must be mobilized and involved in any successful cybersecurity. “Securing cyberspace,” it adds, “ is iterative rather than linear and can be understood best as resting on three legs of core institutional and process relationships – a cybersecurity triad. The first leg is intergovernmental, which is defined both in terms of federal interagency relationships and in the layers of relationships between the federal government and state and local governments. The second leg is public-private in terms of government to private business and critical infrastructure relations. The final leg is integrating the general population into this endeavor. Current analysts tend to go little beyond superficial considerations of citizenry privacy rights versus government cyber regulation.”

Elaborating on the last point, the paper explains that “the ubiquity of computer technology throughout the civilian population will require full societal engagement if the national objective is a secure cyberspace.”

As the digital environment grows in scale and scope, it says, “ so too will the need for a cyber civic culture to emerge to manage it. Ironically, because the citizenry is less conscious of the cyber than the nuclear threat (as national security threat), a much greater degree of civic mobilization and understanding will be required to face this 21st Century challenge.

The most significant departure from current policy, the paper concludes, must be a concerted education effort that establishes a relationship between the general public and cybersecurity. Cybersecurity oriented intergovernmental relations and public corporate coordination will be difficult to perfect, but advances in those areas will be impossible if cyberspace continues to be conceived primarily as a private concern rather than a public good.

This campaign would bear some similarity to the Civil Defense efforts of the 1950s, according to the authors.

As with mobilization against potential nuclear threat in that era, “Cybersecurity must become a national civic responsibility.”