What Should the Government do about Cyber-Security?

News related to cyber-security has jumped into the spotlight with the recent hacks on the Office of Personnel Management. The first hack was discovered in April despite being committed in December of last year and resulted in the theft of 4 million federal employees’ records. The second hack from just last week, which was noted by now-former director Katherine Archuleta as a “separate, but related” breach, saw the theft of 21.5 million people’s records, those of not only federal employees, but private citizens as well.

Commentary on the issue has ranged from calling for the now-former director’s resignation (an obviously successful effort), to pushing for a congressional investigation, to demanding that the White House discover who initiated the hacks and issue some sort of response, to ridiculing OPM management for prioritizing measures such as hiring diversity instead of significant issues such as cyber-threats and security. At the center of each of these is the question: what should the government do about cyber-security? In order to answer that and provide a somewhat clearer path forward, one must look at what the government has already done, and why it has been ineffective.

Two of the bigger federal actions related to cyber-security were the cyber-security directive issued by the President and the Cybersecurity Act passed by Congress in 2014. The President’s executive order focused largely on information sharing, while the Cybersecurity Act attempted to set up a centralized government strategy based on regulations and protocol mandates. According to a White House press release, the President’s directive “refines and clarifies the critical infrastructure-related functions, roles, and responsibilities across the Federal Government, as well as enhances overall coordination and collaboration.” Well, at least, that’s what it’s supposed to do. In reality, the directive, also known as the Presidential Policy Directive on Critical Infrastructure Security and Resilience, or PPD-21, does little to clarify anything in regard to cyber-security. It charges various agencies with cyber and infrastructure security responsibilities. Some of these include: engaging foreign governments to increase security, engaging private sector and academic organizations to encourage security, identifying and prioritizing communications infrastructure, and informing the situational awareness capability for critical infrastructure. If those sound vague and undefined to you, you’re not alone. For a document that aims to clarify functions across the federal government, this directive is woefully inadequate at its task.

A related directive discussed in a White House press release one day later charged the Secretary of Homeland Security to “strongly encourage the development and formation of Information Sharing and Analysis Organizations” to facilitate information sharing between the federal government and private entities. In this, the President has addressed a critical element of a holistic cyber-security strategy – information sharing. There is an incredible amount of information related to cyber-security practices and breaches that is currently spread across a vast network of public and private systems. The federal government should prioritize the development of an information clearing house to encourage businesses and other private entities to cooperate with the government in assessing and addressing cyber-breaches. The directive attempts to do this with the ISAOs, but these are not centralized and have little connection to each other, and therefore are unlikely to be truly effective.

Part of the reason why the government is so terrible at addressing cyber-attacks is that it doesn’t know how to do so. Setting up an information clearing house would give businesses that are victims of cyber-attacks a single point of contact from which they can be directed to the proper agency (FBI, DHS, etc…) in order to address the breach. Additionally, this would allow the government to learn the extent and intensity of cyber-breaches against U.S. entities and get a sense of best practices for addressing these attacks.

The Cybersecurity Act, meanwhile, takes a different approach to dealing with cyber-security threats. It attempts to create a series of regulations to combat cyber-security threats. Unfortunately, such proposals make no allowance for individual actors and businesses to address their own cyber-security needs. There is no single approach that will comprehensively address cyber-security concerns, and these government mandated regulations will only serve as a setback for developing a truly effective national strategy on cyber-security.

What more can the government do? First, and most importantly, the President needs to send a clear signal that cyber-security is a priority for the administration. This would serve a dual purpose. First of all, it would require the development of a comprehensive national security strategy on cyber-security. Second of all, such a strategy would allow Congress to produce more targeted legislation aligned with the overall goals and priorities of that national security strategy. Congress doubled the funding for U.S. Cyber Command and cyber-security measures last year, and yet we’ve seen more data breaches this past year than ever before. How do we account for that? The problem is not one of money, but of information – or in this case, a lack of information: information about national priorities, industry best practices, and current threats. This is not a problem that will be solved by simply throwing money at it.

I’ve already mentioned that the President should push for the development of a comprehensive strategy for responding to cyber-attacks and cyber-threats. This strategy should include specific responsibilities for relevant federal agencies, strategies for reaching out to private entities, summaries of current industry best practices, recommendations for how to apply those specific practices to an overarching national strategy, and the development of a framework for an information clearing house to partner with private firms and share information on cyber-breaches in order to more effectively respond to them. We must be careful here. When it comes to information sharing by private firms with the federal government, it must be entirely voluntary. Further, this must not be used as an excuse to take private information. Any legislation on this front must be written with a view towards privacy and protecting personal information – theft of private information is part of the reason why such legislation is necessary to begin with, after all. The clearing house must also include a focus on distributing information related to counter-measures and preventative measures for cyber-attacks, and education on how to mitigate the risks of such attacks. Many cyber-attacks could be prevented or responded to effectively if the relevant actors had all necessary, available information. The clearinghouse would provide a way to more easily distribute such information. Additionally, the government should provide strong FOIA (Freedom of Information Act) protections to firms that cooperate in identifying risks.

When it comes to cyber-security, the government must lead by example. Yet it cannot do so alone. Finding a way to incentivize private entities to cooperate with the government is a necessary first step. But in order to be effective at managing such public/private partnerships, the government must show that it is serious about addressing cyber-security concerns. On the federal side, government agencies such as the State Department and the Department of Defense should provide incentives for their employees to develop effective cyber-security measures and report cyber-breaches. Compliance is key here. Government agencies at the federal level ought to be required by federal law to have periodic systems checks performed by outside contractors in order to discover security flaws. These evaluations could be published online after a period of time – say 6 months or a year – in order to encourage government agencies to take these evaluations seriously and incentivize them to address security concerns as they are identified. This would go a long way towards addressing a significant problem in U.S. cyber-security. The firm Veracode reported recently that “only 27 percent of identified vulnerabilities in government applications get remediated,” thus leading to breaches such as the ones at OPM.

Other measures can be mentioned as well. The government could begin providing stronger oversight for cyber-related contractors, thus ensuring that sensitive access is granted only to trustworthy parties. It could also make encryption of federal systems and data a priority to better protect government computers and networks. It should do everything possible to enable information sharing. Additionally, the government should look towards the future by encouraging universities to develop and incorporate cyber-security programs into their STEM curriculum in order to provide systems professionals in future years. In regard to other nations, the U.S. should punish nations that support cyber-crime or cyber-terrorism by naming them and ceasing to cooperate with them – whether militarily, economically, or through cyber means. The U.S. Attorney General could be charged with pursuing legal recourse against foreign firms that traffic in stolen information. Finally, the government ought to set a standard of accountability for those in positions of authority at federal agencies so that those in management who fail to protect cyber-security will be held accountable for cyber-attacks brought on by negligence, such as those at OPM.

What should the government do about cyber-security? It should focus on supporting and encouraging the safe sharing of information to the best of its ability within the context of a cohesive, detailed national security strategy. Anything else will invite further cyber-attacks and ultimately weaken U.S. national security.