(In the spirit of open sharing, I’ve decided to expose my rejections. Specifically, I will begin posting recent Op-Ed proposals from me that the Wall Street Journal and New York Times have decided to ignore. My motivation with these articles is to enhance the dialogue between our community and the average citizen. Americans are clueless about cyber, and I am determined to improve this situation. Let me know what you think of this piece. Based on my submission record, I could use the advice.)
During the past two decades, a period in which United States politics has swung wildly back and forth between successive Administrations, America has been governed by a surprisingly consistent National Cyber Security Doctrine. Starting with Bill Clinton’s Presidential Decision Directive 63 in 1998, and culminating with our current Government’s cries of foul against Chinese intellectual property theft, the underlying cyber security beliefs influencing decisions from each White House have not shifted, despite evidence of their stunning ineffectiveness.
The first component of our national cyber security doctrine is the belief that hacked companies and agencies must be punished. The size of the punishment has tended to track closely with the severity and consequence of the incident – but hefty fines, management firings, and even public humiliation have been common occurrences after a cyber attack. The painful image comes to mind of Katherine Archuleta, Director of the Office of Personnel Management, raising her right hand in shame before a Congressional hearing after her agency’s serious data breach.
The second component of this doctrine is that preventing exploitation of national infrastructure is best accomplished through expert negotiation and intense pressure aimed at the nation-state sponsors of such malicious activity. This strategy includes the use of warnings and rhetoric from each President, as well as more formal actions such as Department of Justice charges being raised against foreign hackers. The implicitly held view is that if only these nation-state actors would just stop, then perhaps America could return to some sort of cyber normalcy.
The third component of cyber security doctrine held uniformly across the last twenty years is that most breaches could have been avoided by common sense. That is, cyber risk might be avoided if only organizations would just share information more freely; and if only users would just select better passwords for their Facebook accounts; and if only companies would just watch for obvious signs that hacking has commenced. Luddite members of Congress tend to gravitate to these common-sense arguments because they require no technical skill or insight.
If one could demonstrate – quantitatively or even qualitatively – that the United States has benefitted from this doctrine of victim punishment, adversary warnings, and user lament, then any discussion of change would be moot. But by any reasonable measure, Americans have seen a substantive increase in cyber security risk across virtually every aspect of their lives – from personal data losses in non-regulated industries such as social media, to severe breaches of trust from large regulated companies or government agencies handling sensitive data.
What this suggests is that a change of thought is required – and the belief here is that literally inverting our existing views, flipping them upside down, offers an excellent template for the current Administration. Setting aside the obvious concerns with a President who mishandles technology in the most abysmal manner from a security perspective (consider that no Fortune 500 security chief would ever allow their CEO to tweet sensitive information in the manner of Mr. Trump), the following three adjusted views are suggested to help our nation get on track:
First, the routine punishment of hacked organizations must cease. Cyber security has reached the point where any pick-up game between hackers and defenders will always be won by the offense. The implication is that defenders need help – and this requires a shift in cyber doctrine. That is, when a company is breached, the response by our leaders should involve meaningful assistance and thoughtful support. Imagine a building in an American city being strafed by an enemy air attack. Would our response be to fine the owner and humiliate the superintendent?
One can only expect critics to claim that this softer touch would encourage sloppy, lazy cyber security and poor compliance. But this flies in the face of reason: It is in the interest of every organization to improve its cyber security posture. The problem is that this is easier said than done – even for the largest organizations. Conventional wisdom amongst Chief Information Security Officers is that the US, China, Israel, Russia, and the UK could break into any system under even the strictest compliance. We must replace our blame culture with one of support.
Second, we must accept that determined pleading with malicious nation-state actors will not lessen the cyber security threat. Every security expert is quick to point out the asymmetric nature of the cyber threat; that is, consequential attacks do not require significant sponsorship or funding sources. Rather, they only demand the persistence of some clever individuals with sufficient motivation to accomplish a targeted malicious objective. Cyber security lives in the ultimate mouse-that-roared environment, and our leaders need to recognize this fact.
In place of such pleading, I’d recommend that we dramatically shift our focus toward truly defending ourselves. Our new doctrine should include the belief that if our country is hacked, then we must all look in the mirror and bear collective blame. Certainly, we must continue to seek and prosecute cyber offenders, but our doctrine should hold that it is our joint responsibility as a nation to protect ourselves and our neighbors, and that no level of negotiation with Russian or Chinese leaders will lessen the potential for rogue actors to bring down our infrastructure.
Third, our doctrine must be adjusted to accept that cyber security is an enormously difficult task. It requires expert attention to complex technical detail. It requires tools that are intricate in their design, and delicate in their operation. It requires trained staff from universities and expert teams in industry who can provide the apprenticeship required for any budding cyber security professional. This belief that cyber security is just one good “Top Ten Tips” compliance poster from stopping foreign attacks is patently ridiculous. Cyber security is demanding.
An implication is that our nation should commit itself to meaningful promotion of education for our young people in technology and cyber security. President Trump has the great opportunity now to direct significant, additional funding toward our small and fractured cyber corps programs. He should appoint a modern-day Sargent Shriver to excite our youth to follow a career of service to their country in cyber security. It is hard to imagine a more obvious and exciting way to bring our entire country – both red and blue – back together.
A final warning regarding cyber doctrine: Americans have a long tradition of waiting until after an attack occurs before springing to action. Pearl Harbor and 9/11 are cases in point where we napped quietly until nudged. While this romantic view might make a good script, I would warn that cyber security is a different animal. If our country’s power, water, food, communications, and transportation are suddenly yanked from our control, then we might not have the response tools or national resolve required to fire a successful cyber Hail Mary after a serious attack.
Edward Amoroso is currently CEO of TAG Cyber LLC, Distinguished Research Professor at NYU, Adjunct Professor at the Stevens Institute, and Senior Advisor at the Applied Physics Laboratory at Johns Hopkins University. He is former Senior Vice President and Chief Security Officer at AT&T, former member of the M&T Bank Board, and former member of the NSA Advisory Board.