Okay, the presidential primaries are winding down, and while I expect lots of name-calling, insults and general sophomoric behavior this summer and fall, it’s time for both parties to step up with a strong plan for cybersecurity.
Cybersecurity? You’d really never know that it’s a national issue based upon the proceedings so far. Governor Bush put out a two-page overview while Dr. Ben Carson’s team drafted a high-level proposal. Neither of these documents really dug into existing policies, domestic challenges, or International issues. With the exception of John McAfee, no one has gotten into any detail on this topic.
Now I know that cybersecurity can be the geekiest of geeky topics, so the Presidential candidates need to address it at the right level. The best plan will appeal to voters’ personal interests, offer financial incentives and opportunities, and demonstrate U.S. leadership in international affairs. Additionally, the plan should align cybersecurity issues with technology innovation and a changing economy.
I’ve been thinking about a national cybersecurity plan for the past 20 years. Here are a few more specific suggestions for the candidates (in no particular order):
- Create and fund a national strategy for cybersecurity education. While all candidates talk about bringing jobs back to America, many high-paying cybersecurity jobs remain vacant for months at a time. This is a pervasive problem, ESG research indicates that 46% of organizations claim to have a “problematic shortage” of cybersecurity skills.
Personally, I believe this is a national security issue putting our private data and critical infrastructure at risk, and thus impacting all citizens. The next president should address this with a national cybersecurity education plan that includes awareness campaigns, funding for scholarships, curriculum development, and special incentives to encourage states and commercial sector organizations to become partners in cybersecurity education investments.
A national cybersecurity education should be centrally managed and planned with the goal of improving cybersecurity education, creating opportunities and filling jobs. In other words, it should be viewed as a program to benefit all Americans, not just those living in particular congressional districts that accrue pork barrel spending.
- Develop a national cybersecurity public awareness campaign. The feds dabble in this with efforts like National Cybersecurity Awareness Month, but these are token gestures that don’t play outside the Beltway. What’s needed is a systemic national campaign that spans from K-12 to outreach programs targeting senior citizens.
The president should preach a, “we are all in this together,” message and be willing to be a leading participant in this effort. As part of a general government outreach program, the president should also appoint a federal cybersecurity liaison to work with the private sector, investors, and cybersecurity technology vendors. These responsibilities are currently spread across multiple agencies and done haphazardly at best. The president could really push his or her agenda with a trusted champion leading the way.
- Offer tax incentives for private sector cybersecurity investment. Business leaders are already investing in cybersecurity to mitigate risk but too many organizations still have their heads in the sand. The president has the power to translate cybersecurity issues into a language these laggards understand — money. For example, the president could offer tax breaks to companies that adopt and commit to the NIST cybersecurity framework. A savvy commander-in-chief could also enlist the help of the insurance industry as it also has a vested interest in seeing the cybersecurity framework proliferate.
- Insist on federal IT leadership and transparency. President Obama’s Cybersecurity National Action Plan (CNAP) called for a $19 billion increase for federal cybersecurity spending in the 2017 budget, a 35% increase. The problem here is there is very little indication of where this money will be spent. The next president should address federal cybersecurity with a tabula rasa by appointing a federal cybersecurity watchdog to question every dollar of public funding. For example, why should the feds continue to throw hundreds of millions of tax dollars at the Einstein program when this functionality could be easily replicated by cheaper commercial technologies? Additionally, the feds should establish purchasing standards where IT vendors must have a stringent security baseline before they can sell to the government. Finally, federal cybersecurity leaders must reach out to the private sector in a more organized and coordinated way to improve communications and collaboration.
- Push for a national dialogue on data privacy. This debate is long overdue. The next president must stop hiding behind scare tactics and push for a candid national debate on data privacy that includes legislators, law enforcement, and intelligence services as well as privacy advocates, technology vendors, telecommunication service providers, etc. Technologies have changed exponentially since the Clipper chip debate in the early 1990s, let alone since the Church commission in 1975. It’s high time we acknowledge this and update our laws accordingly.
Oh, and while we are at it, let’s not just focus on surveillance and national security. Let’s also make sure to address who can collect data on private citizens and what they can do with it. Former Chief Justice Louis Brandeis had some good ideas on this when he was wrote, “the right to privacy” in the Harvard Law Review in 1890. Hmm, maybe the time is right to chat about his ideas 126 years later.
- Lead a multi-lateral International cybersecurity effort. The U.S. has been lukewarm about an international cybersecurity agreement in the past. Why? Military and intelligence leaders are afraid that an international standard could limit their offensive and surveillance capabilities. I get this, but there has to room for some type of compromise that helps the U.S. mitigate risk and stem the flood of cybercrimes that cost our economy billions of dollars on an annual basis. A strong president can demonstrate American leadership and willingness to compromise by pushing an agreement and getting buy-in from assumed cyber-adversaries like China and Russia.
I could go on for several more pages, covering topics like critical infrastructure, drones, and IoT devices, but I work for an analyst firm, not a Washington think tank. Yup, the 6 points here just scratch the surface, but this blog is like the Magna Carta compared to the cybersecurity proposals of the remaining candidates.
A strong cybersecurity policy won’t get either candidate many votes but it is a critical issue that hasn’t received appropriate attention in the past. The next President should push for pragmatic and prudent cybersecurity strategy that appeals to both parties. He or she should then monitor, measure, and change the plan to maximize its success. Regardless of your party affiliation, we’d all benefit from this.