Since the last time a new president entered the White House, there's been a sea change in how Washington views cybersecurity.
During the Bush administration, the government took a largely hands-off approach to protecting corporate data, relying instead on market forces to compel businesses to improve their digital defenses.
At the same time, however, congressional critics such as Sens. Jay Rockefeller (D) of West Virginia and Olympia Snowe (R) of Maine called for regulation, cybersecurity compliance standards, and penalties for noncompliance.
But neither approach took hold, giving rise to a third way known as the "cybersecurity social contract" that was inspired by an understanding between government and industry that developed a century earlier when telephones and distributed electricity were the hot technologies of the day.
Initially, telephone and power companies provided service only where they had the best chance of making money: high-density and affluent areas. Policymakers of the day realized that phones and electricity needed to be offered universally for the benefit of society so they made a deal with the private sector.
In return for providing universal service, the government promised to guarantee the investments that companies made in necessary infrastructure.
The cybersecurity social contract offered a similar deal. It recognized that regulators couldn't keep up with the fast pace of development in cybersecurity technology let alone the evolution of digital threats.
So, the cybersecurity social contract emerged as a model in which industry and government collaborated and determined standards and practices both could adopt.
By 2010, a broad group of trade associations adopted the model. By 2011, the House of Representatives GOP Task Force Report endorsed the model's core recommendations. In 2013, President Obama issued Executive Order 13636, which adopted the model. And, in 2016, Mr. Obama signed the Cybersecurity Information Sharing Act that adopted the model by encouraging collaboration to confront emerging digital threats.
As a new administration is about to take office, the model is even more important. Here's how the next president can use it more aggressively:
1. Attack the cybersecurity problem with greater urgency
Compared to the speed with which hackers compromise our information technology systems, federal policymaking has moved at a glacial pace because of bureaucratic processes and constant turf battles. A new president can set the proper aggressive tone to address the issue. Cybersecurity needs to figure prominently in the new president’s first 100-day agenda.
2. Recognize the importance of economics in cybersecurity
In cybersecurity, virtually all economic incentives favor the attacker. Attacks are cheap, easy to access, and immensely profitable. Defense is hard and reactive, and it is difficult to show a return on investment for attacks that were prevented.
Research continually shows that cost is often the principal obstacle to improved cybersecurity, but the government's answer to digital issues is typically to bulk up on IT. Cybersecurity is not a technical issue. It's a risk management issue with a technical component. The new administration needs to expand the focus on cybersecurity beyond the information technology silo, and rebalance the economic-incentive structure.
3. Dramatically increase cybersecurity funding
Improving cybersecurity costs money. Estimates of the cost of cybercrime run to $1 trillion a year. Nondefense government spending for cybersecurity is about $9 billion, rising about 9 percent a year. Private sector spending on cybersecurity is about $120 billion, rising 24 percent a year. Two commercial banks currently spend more annually on cybersecurity than the entire Department of Homeland Security. Government must invest more.
4. Organize to reflect current digital realities
Well into the Digital Age, our government is still organized on an Industrial Age model. This creates gridlock and massive inefficiency. There are 87 different congressional committees with jurisdiction over cybersecurity. Government itself needs to be modernized. The incoming administration needs to reorganize for the Digital Age, and government needs to fully integrate the private sector into its cybersecurity planning and operations.
5. Focus more on cybersecurity from a law-enforcement perspective
We successfully prosecute less than 2 percent of cybercriminals. Law-enforcement agents are vastly overmatched and under-resourced. The legal structure, particularly internationally, has not adapted to deal with modern cybercrime. The new administration should engage in a multitiered program to bolster cyberlaw enforcement, review legacy law enforcement spending, and help create a practical, operational international legal structure to address international cybercrime.
6. Test the NIST cybersecurity framework
No private sector organization launches a product or service without testing it. Yet, nearly three years after its release, we have not a single piece of objective data to show that the National Institute of Standards and Technology's Cybersecurity Framework has changed behavior, that any changes have improved security, or that they are cost effective.
Executive Order 13636 directed that the framework be prioritized and cost effective, yet virtually nothing has been done to objectively demonstrate this. If the voluntary framework system survives, it must be supported by data. Companies will naturally use systems that have been shown to be cost effective. Small companies in particular need a prioritized framework that is more practical.
7. Help smaller companies
Smaller companies are more vulnerable than ever. They spend less on cybersecurity technology and often don't fully understand the issue. We cannot develop a sustainably secure system by focusing exclusively on large companies. Government must increase its emphasis on smaller businesses.
8. Make cybersecurity cool
We need an integrated, multifaceted, and targeted program with research-based messaging. Career influencers, such as school counselors, need to be targeted with proper messaging. We should use the gaming community to attract kids, and integrate cybersecurity into existing games. We need to make cybersecurity cool.
Government should also focus on training at the top. The National Association of Corporate Directors operates a highly successful training program for boards. We need a similar training program for government executives.
9. Modernize and streamline regulation
The NIST Framework is supposedly a voluntary program, yet since its inception we have seen an explosion of cybersecurity regulations. Companies now often face multiple inconsistent regulatory and quasi-regulatory "NIST-based" systems that are driving up costs while diverting scarce resources away from security to focus on compliance.
The new president ought to develop a cross-government program for streamlining regulations. Congress should aggressively require federal agencies to reduce duplicative regulations and eliminate those that have not been proven to be cost effective as a condition of their annual appropriations.
10. Reward good cybersecurity behavior
Both the House of Representatives GOP Task Force Report on Cyber Security and Obama's EO 13636 called for the development of market incentives to promote cybersecurity. Yet, other than the recently enacted information-sharing bill, there has been virtually no work done on developing incentives. We need more incentives for companies to improve their overall cybersecurity stance.
11. Define government's role when industry is hit with a nation-state attack
Virtually no private institution can adequately defend itself from a concentrated nation-state attack. There is no clear policy or systemic assistance private companies can expect from the federal government when dealing with nation-state cyberthreats. The federal government should offer (on request) equivalent federal assistance to private companies that suffer a cyberattack by a nation-state as if it were a physical attack.
12. Government and industry should partner to rethink the cybersecurity compliance model
The traditional regulatory model is ill-suited for cyberspace. Instead of the current backward-looking, finance-based, pass-fail, blame-the-victim model, we need to create a forward-looking, risk-management model powered by growth and incentives, not penalties and compliance.
The new administration must work collaboratively with the private sector to develop this model.
Larry Clinton is the president and chief executive officer of the Internet Security Alliance, a trade association focused on cybersecurity. Follow the Internet Security Alliance on Twitter @ISAlliance. The Internet Security Alliance's new book, "The Cybersecurity Social Contract," is available.