On Friday, May 29, the Obama administration announced the results of the 60-day review on cybersecurity conducted by Melissa Hathaway and laid out new priorities for cybersecurity.
Overall, the report delivers a solid overview of the current challenges and presents next steps for grappling with them. Key portions of this strategy include creating a “Cyber Czar” to oversee national cybersecurity initiatives; public-private partnerships to better share data and resources; efforts to create and retain a skilled cybersecurity work force; and plans to increase public awareness of cybersecurity threats and challenges.
The report’s near-term action plan also includes updating the national strategy to secure cyberspace; developing a framework for additional research and development of security technology; and preparing a cybersecurity incident response plan.
The fact that the Obama administration is making this a priority speaks volumes about the growing need to secure our critical infrastructure. With two wars, a growing nuclear threat from North Korea, and a still-struggling economy, the President already has more than enough to keep him busy. But many important policy objectives of this administration rely on digital infrastructure — from modernizing the healthcare system with electronic medical records to building a “smart” energy grid.
Government leadership is needed to make this happen. But responsibility for cybersecurity should not rest with any single government agency, as it has become an important component across all agencies. In particular, this responsibility should not be usurped by the defense agencies, because the threats are much broader than national security.
In addition, many cybersecurity activities need to remain unclassified for continued innovation and adoption on non-military systems. The Pentagon has already released new plans to build a cyber command center to conduct both offensive and defensive online computer warfare. A national cybersecurity strategy needs to be much broader than this and address the broader economic and consumer issues raised by these online threats.
For example, government needs to work with industry to develop secure systems for electronic medical records; but it needs to work even harder to get healthcare providers to start using those systems and make sure the systems are interoperable. Similarly, the electric grid should be secured from online attacks by foreign adversaries, but the more pressing priorities are to upgrade the transmission and distribution networks to increase their overall performance and reliability.
But the path forward will also require new thinking and new ideas. The past problems with cybersecurity were not simply a lack of sufficient government involvement. Nor will these problems be solved by merely shuffling around the government hierarchy.
Government agencies need to actively partner with the private sector to identify risks and mitigate threats as a necessary component of a national cybersecurity strategy. Private industry controls many of the networks, hardware, and software that make up our national digital infrastructure, and it will continue to be on the frontlines of any efforts to improve cybersecurity.
Government also needs to work with industry to facilitate better data sharing and develop better metrics for risk management. Citizen engagement and education will be similarly important; otherwise, the weakest link will be the American citizen. While attempts to hack into the electric grid are more likely to show up on the president’s daily brief, consumers must contend daily with other cybersecurity threats, such as spam, malware attacks, phishing, and identity theft. Fortunately, the administration seems to recognize the limitations of the federal government working alone and has indicated that it will work closely with the private sector on many of these issues.
At the end of the day, the cybersecurity strategy outlined by the new administration will be just one part of a global effort to make digital infrastructure more secure. Just as global climate change cannot be solved by a single country, neither can one nation solve all of the cybersecurity challenges of this century.
Although it has the opportunity to become a global leader on the issue, the United States will be just one country among many working to address cybersecurity threats. But it does have an important role to play in encouraging innovation, setting standards, and building partnerships with other nations.
One more thing: Words matter, but so do actions. The administration has laid out a bold plan for cybersecurity — now we will have to wait to see how well it can execute this vision.