The US cybersecurity strategy won’t address today’s threats with regulation alone
Plenty of “unidentified flying objects” have appeared in the news over the past several weeks, yet cybersecurity professionals will tell you that we don’t need to look up to find a more daunting and real threat to national security.
Fortunately, President Biden just released the administration’s national cyber strategy. Coupled with industry collaboration, it’s an effective approach that represents a new hope for a safer and more economically prosperous future. Furthermore, the strategy is a much-needed step toward a clear roadmap for collaboration between agencies and industry partners, particularly in the technology sector. Prior federal cybersecurity strategic documents have lacked specificity, materially undermining their successful implementation and inhibiting stakeholder engagement.
But it is discouraging to those of us on the frontlines of cybersecurity to see that the strategy places so many of its “eggs” in the “basket” of regulation. As we hear more from the administration on their strategy, it is critical that the federal government articulates a vision of what specific gaps can be filled by new regulation. In addition, I urge the administration to follow through on its stated intention to harmonize, streamline and deconflict any new or existing regulations. We need clear and effective rules of the road. And, if much of the responsibility for defending cyberspace is to lie with the “most capable and best-positioned actors” in the public and private sectors, it is important that the administration follows through on its stated intention to involve industry in this vital conversation.
A successful strategy must also take into account the U.S. government’s responsibility to get its cyber house in order, too. The strategy notes that this will require real investment on the part of key government agencies. Congress and the administration must rise to this shared challenge and offer long-term sustainable investments.
On a more basic level, I applaud the administration for developing clear and measurable goals and hope that the promised implementation plan will deliver ambitious yet realistic timelines. As the old saying goes, “If you can’t measure it, you can’t improve it.” Without tracking progress in cyber risk reduction, the strategy will be nothing more than a thought experiment.
Speaking of risk, the cyber sector is increasingly global — and cybersecurity requires the engagement of countries around the world. It is critical that the new strategy delivers on the promised future vision for international, public and private collaboration — including the role of international standards bodies.
Lastly, and perhaps most importantly, this strategy is an opportunity to demonstrate that the U.S. cybersecurity workforce is a top priority for the administration. Our economy depends on innovative companies in the cybersecurity sector for unprecedented opportunities and prosperity. In real terms, this means good-paying jobs for Americans from all walks of life.
With this new strategy, industry will continue to step up to the plate to equip a new U.S. cybersecurity workforce to maintain our nation’s security and defend the digital and traditional economy, software vulnerabilities, and infrastructure. We don’t need a patchwork of disparate regulations, rather we need a consistent set of standards that allow for industry to drive security and resilience.
It is my hope and expectation that with this new approach, industry and government can come together to deliver comprehensive cybersecurity that is consistent, reflects a constantly evolving threat landscape and incorporates the interconnected, global nature of today’s digital environment.
With the hard work of cybersecurity professionals, the leadership of the technology industry and the strategic support of the federal government, we can work toward a U.S. cybersecurity posture that is fit for purpose and reflects the constantly evolving global threat landscape. Our economy and national security depend on it. Let’s get to work.
Jason Oxman is the president and CEO of the Information Technology Industry Council (ITI).