National Cyber Director Chris Inglis calls for ‘new social contract’ to redistribute risk

Cyberspace needs a “new social contract” where “isolated individuals, small businesses and local governments” no longer shoulder “absurd levels of risk,” says a top U.S. cyber official.

National Cyber Director Chris Inglis, writing in Foreign Affairs over the weekend with a senior adviser, said that the tech sector should make deeper investments in hardware and software security and the U.S. government should take a greater role in fostering digital defenses.

“Those more capable of carrying the load — such as governments and large firms — must take on some of the burden, and collective, collaborative defense needs to replace atomized and divided efforts,” write Inglis and Harry Krejsa, the acting assistant national cyber director for strategy and research. “Until then, the problem will always look like someone else’s to solve.”

Their overarching message about the need to improve private-public cooperation has been a refrain of cyber experts for decades. The duo touted how the Biden administration, however, has sought to advance that cause with policies like an expansive May executive order, or the Cybersecurity and Infrastructure Security Agency’s creation of the Joint Cyber Defense Collaborative that focuses on teaming with industry before cyberattacks rather than after.

As of now, just one cybersecurity slip-up can wreak untold havoc, as with incident response firm Mandiant’s discovery that a single compromised password likely originated last spring’s Colonial Pipeline ransomware attack, Inglis and Krejsa noted.

“The private sector must prioritize long-term investments in a digital ecosystem that equitably distributes the burden of cyberdefense,” they write. “Government, in turn, must provide more timely and comprehensive threat information while simultaneously treating industry as a vital partner. Finally, both the public and private sectors must commit to moving toward true collaboration — contributing resources, attention, expertise, and people toward institutions designed to prevent, counter, and recover from cyber-incidents.”

Getting that right is important to the advancement of key technologies like autonomous vehicles, Inglis and Kresja contend. It’s also key to data privacy, they argue.

“Americans are increasingly confused and anxious over the lack of control over their personal information, and the regular drumbeat of mass breaches does little to soothe their nerves,” according to the essay. “By contrast, an absolutely secure digital world is one where a comprehensive privacy regime becomes more practical.”

Inglis and Krejsa also make the case that their office has a role to play. Created just last year, the Office of the National Cyber Director has been trying to staff up and find its footing in a crowded field of government agencies and offices that hold cyber responsibilities.

“From its position in the White House, ONCD must use its perspective to champion and drive coherence across U.S. cyberpolicy,” they write. That includes reviewing budgets, identifying shortcomings in public-private collaboration and working in harmony with the National Security Council and State Department on international matters.