The recently retired top cyber cop of the FBI, Shawn Henry, stated that “the status quo, it’s an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security.” The sky is not falling, but if the US persists in dragging its feet, ground will continue to be lost.
There is much that can be done to better protect America in the cyber world. All of them trace back to failures of leadership. The blame lies very broadly at the feet of leaders everywhere and at multiple levels. This is not just a technology issue; it involves people, and so far people in all levels of leadership have neglected to act where they could have.
Of particular concern is the growing vulnerability of industrial control systems, which run our factories and utilities. These networks are the point where the digital world meets the physical one. An enemy that penetrates our industrial control systems can do physical damage by manipulating the computer-controlled processes upon which we depend.
If the U.S. wants to rectify the present situation and protect itself, it should begin with education and awareness at every level of school, in every business and government agency, and in every community in America. We do not have that today. It is not government’s responsibility alone, however. The government can assist, but cyber education should be a cooperative effort led by leaders everywhere.
Cyber should be taught and trained in dynamic ways that meet the challenge of the dynamic and motivated foes we face. It cannot be relegated to an annual online course, which neither provides good training nor energizes people. The American people must know the threats and know what they can to protect themselves and contribute in fighting back. Their leaders, public and private, owe them that information and training.
There are many different views on how we should improve our cybersecurity. Some say we should we mandate security improvements. If this can be done wisely, with cooperation from business, it is a way forward. The dynamic nature of cyber, however, makes our regulatory system a singularly poor vehicle for crafting a solution. Others have said that we should incentivize the private sector to better protect itself. This should be a component—but with full public recognition that business has a responsibility to begin acting in its own self-interest.
Lastly, we should be motivating the tech industry to make seminal breakthrough discoveries in security. We invented the Internet and most cyber innovations; we should be able to defend them. Any effective solution should be comprehensive and should not constrain the wealth and convenience producing innovation that gave birth to the new world of cyber.
The hackers of the world to whom Henry said we were “losing” are good—very good, in fact. But so is America. This is an area in which America is very vulnerable, and time is slipping by. It is a situation that must change in a way that does not cripple the very systems and methods through which we have grown great. Put simply, it requires old fashioned American leadership.