I’ve been asked to address the cybersecurity posture of the United States. That’s simple. A few years ago I wrote, tongue in cheek, that based on my analysis the entire world economy would be consumed by cybercrime in 2025. Bye-Bye World Economy. With SolarWinds, JBS Foods, wholesale destruction of municipal and educational networks, and older but equally significant events like WannaCry and NotPetya, my prediction is far closer to the truth than I would have dreamed.
In summary, the cybersecurity posture of the United States, and indeed the world, is in scientific terms “not good.”
That’s not to say the cyber defenders are not getting better. They are. But the bad people are getting better, too, and they treat the issue of cyber insecurity far more seriously. They make real money. Governments and businesses still like to pretend that cybersecurity is a niche problem, and not one of the top echelon of problems facing the world, like climate change and extremism. National and homeland security problems must be dealt with by effective measures, not platitudes and wishful thinking.
The overarching problem is scale. Trying to secure a single device is a very difficult task, because no one knows how to write vulnerability-free code in a commercially reasonable way. And there are billions, and one day trillions, of smart devices with vulnerabilities connected to the Internet, along with millions of even more complicated devices and services. “The Internet is complication, wrapped in complexity, undergoing exponential growth.”
Our current policies and strategies do not work given the size of the problem. Instead, we sometimes focus on public events that are generally more about demonstrating concern as opposed to making progress on substantive issues. Some of the “new strategies” I hear, that we need “more public-private partnerships to strengthen cybersecurity,” fill me with despair. We don’t need more partnerships; we need more effective partnerships and actions that work at scale.
There are positive signs, for example, that the current administration intends to build private sector buy-in for setting, and near-mandatorily implementing, effective requirements for critical infrastructure cybersecurity. If that’s true, I’ll dance a jig. Imposition of requirements for the most critical infrastructure is one approach that can work at scale. Also, the past few years have seen a significant focus on enhancing the resources and authorities of the Cybersecurity and Infrastructure Security Agency (CISA), which is also a very good thing that will bear short- and long-term benefits.
We need to focus on what matters and what works, now.
- CISA needs more resources and authorities, and the ability to manage itself and its personnel free from the bureaucratic overlay of DHS.
- There must be a national effort to move government and businesses to the cloud, where cybersecurity can be achieved at less cost.
- The Solarium Commission recommended establishing the Bureau of Cyber Statistics, which should be a priority for this Congress. We can’t make optimal progress on cybersecurity until we understand what is actually happening now and what progress looks like. The Bureau of Cyber Statistics is essential to do that.
- We need a global community to collaborate to attack cyber risks at scale. One of the most effective ways to do that is through nonprofits, but those of us who work in this space are resource-starved as governments and businesses struggle to meet even their own needs.
This isn’t rocket science. Making faster progress on cybersecurity takes commitment and resources. But we built the Internet, and we can change it for the better.