Key Takeaways:
> Adopt a national cyber hygiene standard.
> Leverage general influence to drive adoption of minimum cybersecurity standards.
> Restore true public/private collaboration.
> Establish an integrated National Cybersecurity Collaboration Center.
With new leadership and fresh perspectives in national cybersecurity, there may be opportunities to shift from a check-the-box regulatory approach to real-time risk management. This change could enhance detection, prevention, mitigation, response, and recovery efforts for attacks on critical infrastructure and the cybersecurity ecosystem. The economics of cybersecurity have favored the hackers, criminals, nation-states, and other bad actors for far too long. We should work collectively to raise the level of protection by improving the implementation of cyber hygiene measures for all users, thereby increasing the cost and difficulty for those trying to pursue unauthorized intrusions, and making a meaningful difference in safety, security, and resilience.
Although detailed discussions about processes and timelines are necessary, certain steps should be considered immediately to enhance cybersecurity and critical infrastructure protection. These initiatives include, but are not limited to, the following recommended actions:
• Adopt the Center for Internet Security (CIS) Critical Security Controls Implementation Group 1 as a national cyber hygiene standard for government and industry.
Experts state that poor cyber hygiene accounts for up to 80% of cybersecurity issues across various environments, from industries and government to non-profits and individuals. Many small and medium-sized businesses, which may also be integral partners in a complex and even multi-national supply chain, simply lack the expertise or resources to meet the many existing and emerging standards, frameworks, and legislative measures that produce regulations or other requirements for addressing the cybersecurity challenge. As a nation, let us reduce the confusion and instead coalesce around the CIS Critical Security Controls Implementation Group 1, which includes 18 distinct measures of cyber hygiene and represents an emerging minimum standard of information security for all enterprises. This approach aligns with industry standards and could significantly enhance safety, security, and resilience by tackling a substantial portion of the cybersecurity challenge.
- Leverage the federal procurement process to require the adoption of minimum cyber hygiene practices through the CIS Critical Security Controls Implementation Group 1 as a condition of federal contract eligibility, AND
- Establish a tax incentive for those entities that adopt, maintain, and update CIS Critical Security Controls Implementation Group 1.
For those organizations that compete for federal contract opportunities, establish a provision that requires the adoption and ongoing maintenance of the CIS Critical Security Controls Implementation Group 1 as a condition of eligibility for contract award.
While not all entities compete for federal contracts, those that do must establish a minimum standard of cybersecurity hygiene. This requirement would serve as a catalyst for fostering a culture that embraces our collective responsibility to enhance the nation’s safety and cybersecurity.
The U.S. Government (USG) should require all state and local governments to follow suit as a condition for receiving federal funding of any type. In addition, Congress should consider establishing a financial incentive for adoption of the CIS Controls in the form of an allowed tax credit for all small and medium-sized businesses that make the investment and validate adoption. Make that tax credit available for 12 months from the date of ratification in order to create a sense of urgency.
• Restore and re-establish a true collaborative public–private partnership between government and industry, especially the owners & operators of our nation’s critical infrastructure, to improve cybersecurity and critical infrastructure protection & resilience.
The USG national security apparatus, and especially the Department of Homeland Security (DHS), should immediately re-establish a genuine partnership with industry, especially the private-sector owners and operators of our nation’s critical infrastructure. The USG should pause efforts to impose further burdensome and unwieldy requirements, processes, and procedures on the private sector. Such measures divert limited resources from a real-time, dynamic risk-management approach to cybersecurity protection toward a compliance model that does little to improve protection or resilience.
Rather, an honest effort should be made to review all existing and emerging cyber-related regulatory measures to determine how each will or will not contribute to improving cybersecurity protection and resilience. That review should also seek to harmonize the plethora of current and emerging cyber-related measures, providing greater consistency and predictability and reducing unreasonable impact and cost.
Current government efforts, such as sector-based Cyber Risk Assessments, Cyber Risk Management Plans, cyber incident reporting, and updates to the National Cyber Incident Response Plan, could benefit from genuine collaboration. Several of the current efforts have failed to consider feedback from industry stakeholders, and some include duplicate and even contradictory measures that create confusion and consternation while diverting limited resources away from real-time risk management and incident response.
The USG should consistently share timely and actionable threat intelligence with key private-sector stakeholders that have cleared personnel and established, proven, industry-led operational capabilities, such as sector-specific Information Sharing & Analysis Centers (ISACs), so that they can make more informed risk-management decisions. ISACs have been foundational to the security and resilience of our nation’s critical infrastructure and cyber ecosystem since self-organizing shortly after the issuance of PDD-63 in 1998.
Such a true partnership would leverage the strengths and capabilities of both government and industry, improve trust, and more productively address the shared responsibility for the protection and resilience of our nation’s critical infrastructure and cyber ecosystem. National and economic security would be enhanced with an effective and productive partnership.
We have done it before and we can do it again.
• Establish a Joint, Integrated, Public–Private Operational National Cybersecurity Collaboration Center.
The USG, working in partnership with the private-sector owners and operators of our nation’s critical infrastructure, should establish and maintain a joint, integrated, public-private, operational National Cybersecurity Collaboration Center (NCCC). The NCCC would include representation from across the federal government, including the Departments of Defense, Intelligence, and Justice, DHS, and the National Security Agency at a minimum, along with those cleared operational experts from established ISACs from sectors including IT, Comms, Energy, Financial Services, and more.
The NCCC would be a nerve center for receiving reports of unusual, abnormal, suspicious, or malicious network activity, combined with timely and actionable threat intelligence, to inform the issuance of timely alerts and warnings. Those alerts and warnings would improve the detection, prevention, mitigation, response, and recovery for attacks against our nation’s critical infrastructure and cyber ecosystem. The inputs could be received anonymously through the respective ISACs; aggregated, analyzed, and integrated with actionable threat intelligence to create and deliver alerts and warnings that could include recommended mitigation measures; and updated as more information became available.
A national and even international alert network would be established, leveraging existing communication distribution networks that could deliver appropriate alerts, warnings, and updates to users across industry and government. Such a capability would be game changing.
This 24/7 operation would include the ability to draw on additional participation and expertise in the event of an incident of national consequence, which could also include a physical event with cybersecurity implications or impact.
• Launch a White House-driven and -led National Education & Awareness Campaign for Cybersecurity Protection & Resilience.
While there are currently a number of well-intentioned and valuable non-profit organizations focused on cybersecurity education and awareness, it is important to create a comprehensive national campaign that will not only raise awareness, but also provide recommended steps that individual users; small, medium, and large businesses; non-profits; associations and community-based organizations; and any other users can undertake to make themselves safer and more secure as they conduct activity in cyberspace. Understanding and implementing basic cyber hygiene as a national effort would produce a meaningful improvement in overall cybersecurity protection.
A national website with Executive Branch sponsorship, containing information for a variety of categories of users, would provide a one-stop shop for citizens and others to learn how to better protect themselves, including no-cost and low-cost practices that address both security and privacy. Specific campaigns targeting K-12 students, higher education, and small-business users would be examples of targeted efforts to raise awareness about simple measures to improve online security.
The campaign, again driven by the White House, should recruit and include many organizations with information distribution capabilities that are able to deliver alerts, warnings, updates, and other relevant information to assist users in staying current on the cyber hygiene measures that support their protection and resilience. Organizations such as the U.S. Chamber of Commerce, the National Retail Federation, the National Association of Manufacturers, and others have established information distribution networks that could add tips and other information on a regular basis, or as needed, to raise the level of education and awareness. The Small Business Administration, the Department of Commerce, and other similar agencies would be key participants.
Similarly, state and local governments could be great partners in advancing the message of raising the bar of protection to make the efforts of the bad guys more difficult and more expensive. Identifying a national spokesperson or spokespersons from the worlds of sports, entertainment, business, media, and others would add credibility and drive enhanced attention to the critical message about keeping ourselves and our nation safer and more secure.
This effort could be enormously productive and a lot of fun. All users want to be safe online, but many simply do not really know how best to protect themselves. By partnering together, we can help make everyone, at every level, safer and more secure. The time is now…let’s get to it!