Progress in cybersecurity has been slow, and government, rather than leading by example, has often lagged behind other sectors. The rate of progress could be accelerated, but this will require a sustained effort by multiple stakeholders to understand the current context, make changes, and monitor the consequences of actions taken. Resilience, flexibility, and adaptability may be more useful than heavyweight defenses.
Given the importance of information technologies in modern life, government has a responsibility to take extra precautionary steps. Governments could make new efforts to protect information to the proper level, prioritize resources, and achieve both oversight and transparency.3
Trust has a technological dimension. For example, establishment of identity is being advanced in both the United Kingdom, with the Identity Assurance Programme, and the United States, with the National Strategy for Trusted Identities in Cyberspace program. These programs allow private sector firms providing authentication services to
3For example, in 2013 the U.K. government increased funding for the National Cyber Security Programme by £210 million, putting the total for the 5-year program at £860 million. As part of an upgrade in cybersecurity after recent breaches, senior civil servants now have increased responsibility for managing risks. Organizations that supply services to the U.K. government must now comply with a “Cyber Essentials” scheme by adopting a set of technical controls.
federate identity and use the right identity for the right purpose. Large companies with hundreds of millions of users across the world may be able to provide more trustworthy authentication services than the government. They perform billions of authentications per day and may be better placed to spot attacks and block them faster than smaller players, including small nations. The current trend is for people to use authentication services from large firms such as Google, Facebook, or Microsoft rather than government-issued IDs when accessing private-sector services.
The users of IT have a role in maintaining cybersecurity. User education—for instance, in the area of phishing—can strengthen this role, although it is not clear what kinds of education would be most effective or long-lasting. Moreover, in many cases users have little choice about whether and how to participate in certain systems, for they are compelled to share or use data or use certain technologies. Imposing additional, complex responsibilities could be unfair. In any case, studies are needed to determine how education can be most effective in this domain. For example, it could be focused on areas with the lowest marginal costs for users to change behavior and the highest marginal benefits in terms of cybersecurity.
A critical boost to cybersecurity could come through developing national talent, including elite individuals and teams. Today, both the public and the private sectors are having trouble finding enough qualified cybersecurity workers. Furthermore, professions such as the law and psychology also need people with cybersecurity backgrounds. Especially important are people who can translate or mediate between those who focus on organizational intent and those with expertise in technology.
Hiring strictures and lower salaries in government are among the factors that impede progress in the public sector, but not in all agencies. For example, the U.S. National Security Agency generally has been able to get the people it needs, in part by identifying and attracting people with strong backgrounds and providing the necessary specialized training in cybersecurity. The signals intelligence agencies in both the United States and the United Kingdom work with colleges, universities, and schools to interest students in science, technology, engineering, and mathematics and demonstrate how these skills might be applied in government. Intelligence agencies have many different kinds of jobs, allowing people to follow multiple career paths.
Cybersecurity could be enhanced if the leaders of organizations pressed for cybersecurity, not just the people within the organization with responsibility for IT and cybersecurity. If leaders had an understanding of and interest in the topic, cybersecurity could be an ongoing concern, not something to be checked off and forgotten. For example, senior decision makers could be running desktop exercises in the boardroom or at the executive management level to test how their organizations would respond in times of a cyber crisis. They could disseminate informed and proactive messages about organizational resilience.
Leaders do not need to be experts in cybersecurity, but they do need to ask how security fits into their organizations. Can security be managed? What risks are being taken? Can security be outsourced to another organization? These kinds of benchmarking questions are being asked by leaders and in boardrooms today, which is a sign of progress.
Leadership within government and its agencies can encourage thinking in terms of risk and resilience.
Stronger leadership could also provide organizations with greater flexibility. Business executives, for example, might argue that they succeed in part by taking and accepting risk and that accepting some cybersecurity risk, rather than focusing on comprehensive cybersecurity protection, is the best approach. Such an approach provides further incentive for shifting focus from compliance to risk management, a direction already outlined in the U.S. National Institute of Standards and Technology (NIST) framework for critical national infrastructure cybersecurity programs. In this way, the need for security could become more widely accepted by leaders even though they may not understand all the technical details and even though the risk-based approach also has problems.
While some government agencies respond to ongoing assessments of risk itself, they tend more often to be driven by compliance. But compliance-based measures tend to look to the past, not to future threats, and they can lead to a “box-ticking” approach to security. Again, leadership within government and its agencies can encourage thinking in terms of risk and resilience.
Cybersecurity is a high-stakes issue that will continue to grow in importance. What happens with IT will affect many aspects of public and private life, so cybersecurity policies need to be considered carefully. At the same time, cyberspace continues to change very rapidly, creating new opportunities for malevolent actors to disrupt the system. It can be hard to change a system that always has to be on and is used by most of the population almost continually, especially with limited funds and time.
The fundamental importance of the Internet to modern life points to the need for a continuing multistakeholder governance model with open standards. The problems people have are different and require different solutions, which calls for a multifaceted approach. Many entities have interests in these decisions, which requires not only that they have a voice in them but that people have a common understanding of cyberspace. This can be difficult, since different perspectives need to be combined to see the larger whole. Also, since many parties will be involved in improving security, the technical infrastructure will need to accommodate a wide range of inputs into the decisions about what is going to be allowed.
Innovative ways of thinking about the problem—for example, a complex systems approach, or biological metaphors for predator–prey relationships, or evolutionary perspectives on privacy policies over time—may bring progress. Technological developments, too, can yield major progress. For example, moving the operations of a government agency or of a business to the cloud could raise cybersecurity concerns, but such a move could also enable the upgrading and rethinking of an entire network.
In both the public and the private sectors, some groups are farther ahead than others in providing cybersecurity. All groups can benefit from becoming more resilient, which can put one in mind of some other relevant “R-words”: respond, retaliate, restore, repair, reconstitute, reroute, reboot, write out, and recover. Groups are now better at recognizing incidents, but many still have not implemented the cycles of improvement and change that can steadily improve strategies, capabilities, and resources. All organizations would benefit from acknowledging that they are vulnerable to cyberattack and cybersecurity failures and that they have issues that need to be addressed.
The challenges that will arise in the future are difficult to anticipate, since most of the important applications of the future almost certainly have not yet been invented. Even a decade ago, important features of the world that exists today could not have been anticipated, and the pace of innovation shows no signs of slowing down. Cybersecurity is a problem that cannot be fixed quickly or easily. Rather, many partial solutions and potentials paths forward exist and will need to be implemented, which will require collaboration, collective action, and—most of all—determination.
FOR FURTHER READING
For more detailed discussion of many of the topics addressed in this document, see the following National Research Council reports, published by the National Academies Press, Washington, D.C. (before 2002, National Academy Press):
At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues, 2014
Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment, 2008
Engaging Privacy and Information Technology in a Digital Age, 2007
Toward a Safer and More Secure Cyberspace, 2007
Trust in Cyberspace, 1999
Cryptography’s Role in Securing the Information Society, 1996
Computers at Risk: Safe Computing in the Information Age, 1991