As the world is turning digital, warfare is following suit in a very rapid and devastating way. Countless organizations in all sectors (Target, Equifax, DNC, IRS) are continuously reporting data hacks. According to the Government Accountability Office (GAO), federal civilian agencies reported 35,277 cybersecurity incidents, such as web-based attacks, phishing and loss or theft of computing equipment in 2017.
The public and private sectors in the US have not adapted to cyber threats. Instead of presenting a unified front for defending against these attacks and having a plan to go on the offensive when necessary, most organizations are busy doing damage control by themselves, without any real long-term plan. This happens despite the fact that countless studies show, year after year, that cybersecurity is the number one priority for all IT leaders.
A recent survey of government organizations, private sector and citizens in the U.S., China, Russia, and India found that more than 88% of participants believe that cyberspace threats are significant.
In the United States alone, state and local government IT leaders have maintained for years that cybersecurity needs to be the government’s priority. A 2018 Digital Cities Survey of city government IT leaders put cybersecurity as the top priority. The same survey of county government IT leaders placed cybersecurity at the top of the list for the past 5 years in a row. Lastly, the National Association of State Chief Information Officers (NASCIO) published their top 10 policy and technology priorities for 2019, and cybersecurity was named number 1.
The conventional literature throughout our country claims that cybersecurity is everyone’s problem, and that it needs to be dealt with on multiple levels within the government, private sector, as well as individual citizens. While it is true that cybersecurity needs to be fought for on multiple levels, this fight is extremely inefficient when everyone does their own thing, without a leading organization to set the policy and bear full ownership of outcomes.
The reality is that our nation’s current organization for dealing with cyber-attacks is doomed to fail. Responsibilities, skills and talent are spread across too many different parts of the government, which creates confusion, and most importantly, a lack of leadership and ownership.
For example, the Department of Defense, through its US Cyber Command arm, is responsible for national defense. The FBI is responsible for investigation and enforcement. The Department of Homeland Security oversees damage control and recovery for cyber-attacks. Lastly, every military branch has its own individual cyber units. Lack of communication and too much bureaucracy make our cyber security efforts extremely inefficient, putting our nation at risk with each second that passes. Each one of these organizations has many other responsibilities and is stretched too thin to give cybersecurity the focus and resources it desperately needs.
President Trump is trying to rectify this situation by further centralizing the management and oversight of federal civilian cybersecurity through the National Cybersecurity Strategy of September 2018. This strategy will enable the Department of Homeland Security to secure all federal department and agency networks, with the exception of national security systems, the Department of Defense and the Intelligence Community. This is a step in the right direction, but it needs to be taken further.
There needs to be a department that is one hundred percent responsible for our nation’s cyber security, in the same way our military is responsible for our physical security. This department could be called the “Department of Cyber Security” (DCS) and it should set the policy, provide the proper organizational structure, and work with all other parties (government, private sector, and citizens) to gain control of our nation’s cyber security.
The new Department of Cyber Security’s top priorities should be to:
I. Request and maintain adequate funding – this is a top national security priority.
II. Mobilize our country’s best talent and resources to operate under a single umbrella and a single coherent policy.
III. Fill in the talent gap by promoting cybersecurity workforce, training, and economic development. According to the “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” there is an estimated shortfall of 299,000 cybersecurity professionals across all industry sectors.
IV. Incentivize research, contests, hackathons – it must adopt and encourage ways of unconventional warfare.
V. Collaborate with the private sector to share threat intelligence on an ongoing basis, as well as new advances in the digital world.
VI. Outline liabilities, reporting requirements, and course of action for the other organizations to follow.
The United States must treat the issue of cybersecurity with the same seriousness it treats the military. It must be organized from the top down, and it must be prepared to defend our networks and to attack at a moment’s notice. Not prioritizing cybersecurity policy leaves federal, state and local agencies, U.S. critical infrastructure, businesses and citizens extremely vulnerable to attacks that could be absolutely devastating.
Creating a new Department of Cyber Security that is one hundred percent in charge of and responsible for our nation’s cybersecurity is the only solution that allows our country to gain control of cyberspace, successfully defend our networks and be ready to go on the offense when necessary.