Oct 18, 2016 - 9:30am

Dear 45: Let's Make Strides Towards Better Cybersecurity

Dear 45:

During the run-up to the 2008 election, cyberattacks barely registered a blip on the political radar. Fast forward eight years, and cybersecurity has emerged as the most urgent threat to our national security, and it similarly threatens our nation’s economic security. Consequently, securing our country’s increasingly critical cyber networks must be a top priority for your administration.

There’s little question that America is vulnerable to cyberattacks, as evidenced by some of the high-profile attacks that have occurred during the course of your campaign. As the nation becomes more interconnected, it’s getting more difficult to defend against these constant and persistent threats, and that will become all the more challenging as nearly 20 billion internet-connected devices will be added to digital networks around the world during your first term in the White House.

Here at the Chamber, we have long embraced the government’s role in strengthening our nation’s cybersecurity, and businesses are seeking genuine partners in the fight against cybercrime and other illicit activities. Your administration won’t be able to nix every cyber threat—there are far too many—but together, we can take great strides toward better security. As this is an enormously complex challenge, we believe you should start by prioritizing three important issues.

First, we should build on the current momentum around the joint industry-National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity. America’s business leaders and policymakers see this framework as a pillar for managing enterprise cybersecurity risks and threats, and it serves as a vital risk assessment tool and a facilitator of collaboration between the public and private sectors. We’re already working to urge businesses of all sizes and across all sectors to adopt the framework’s fundamental internet security practices, install new cybersecurity technologies, and partner with law enforcement— but we need your help.

We need you to encourage federal agencies to harmonize existing regulations with the cyber framework. Too often, U.S. companies are beset by multiple cybersecurity regulations coming from many agencies. These onerous and conflicting regulations are likely to shift businesses’ limited cybersecurity resources toward costly compliance mandates.

President Obama signed an executive order in 2013 and Congress a year later passed the Cybersecurity Enhancement Act, both of which call on government leaders to identify and reduce the cyber regulatory burden on business. So far, these responsibilities have not been met by officials in Washington. This is an opportunity for you to come in and lead the charge. One place to start: Appoint an official to focus on reducing (or better yet, eliminating) duplicative cybersecurity requirements for regulated industries.

Second, our country’s information-sharing ecosystem needs improvement. Due to poor information-sharing systems, our adversaries are able to deploy the same attack over and over again. Cyber threat information sharing must become so effective and efficient that once an attack is detected, every business should be protected against it by day’s end.

Here’s the good news: On this particular issue, your administration starts in a strong position. Congress and President Obama enacted the Cybersecurity Information Sharing Act (CISA) in 2015, which provides protections related to public disclosure, regulatory, liability, and antitrust matters to organizations that share cyber threat information. The law also required the Department of Homeland Security to establish an automated indicator sharing program, which will help sound the alarm when attacks occur.

However, companies are approaching this new world with caution. Many industry leaders have preconceived visions of bureaucrats lying in wait with regulations and privacy groups readying lawsuits behind the scenes. By working as an ally with the industry, you can be instrumental in leading a culture shift that will bring businesses off the sidelines to engage in threat information-sharing programs.

Third, Washington’s policies ought to encourage greater adherence to international norms of acceptable behavior and deterrence in cyberspace. Over the past several years, policy and legislation have tended to focus almost exclusively on regulating industry. Instead of punishing victims, we urge you to work with business leaders to battle cyber criminals and other bad actors.

We urge you to build on the Obama administration’s efforts to stop cyber-enabled economic espionage. There’s been progress in promoting the adoption of international rules of the road in cyberspace, but there’s still work to be done. We need to coherently shift costs associated with cyberattacks in ways that are timely, legal, and proportionate.

In addition, industry needs law enforcement’s help in combating cybercrime, but right now, law enforcement agencies in this space are outnumbered and understaffed. We encourage you to commit more resources to help law enforcement counter and mitigate cyber threats.

In the coming years, technology will play an increasingly central role in our economy, our government and our private lives. Unfortunately, the very devices that have made our society more convenient and efficient have also made us more vulnerable. It’s for this reason that improving America’s cybersecurity is a challenge that’s as complex as it is urgent. There is no silver bullet. There is no easy answer. And there is no way to know who or what will be the target of the next major attack.

What we do know is that working together, we can make—we must make—progress in strengthening our country’s cyber networks, and by doing so, we can promote economic growth and national security. We look forward to working with you to get the job done.


More Articles On: