It’s Going to Take Everybody to Fix This. It Is Past Time to Get Started.
In part I of this post, we reviewed the overarching, completely integrated nature of the cyberworld we now live in. We are increasingly interconnected, often in ways that are not apparent to us. We are exceptionally vulnerable individually and collectively.
So, what to do? As one might expect, there is no silver bullet solution, but a number of things are doable that could correct the imbalances. None will be fast, cheap, or easy, but they are essential – and doable.
This is a classic example of a large scale, complex problem that government cannot come close to solving alone, but government must be the pace setter and integrator, or we will not get there. That is a painful thing to say, since this particular administration has not a prayer of doing anything useful in this area, and likely has no inclination towards doing so. We will have to wait for the next administration, while the rest of us do prefatory work in the meantime.
The Obama administration did understand much of this and took some tentative steps to address the challenges. Unfortunately, they did not do enough, and various industries pushed back, wanting to avoid costs. History will not be kind to those who did too little in the last decade or so.
One of the key problems inherent in our defenses to date is the reactive and defensive approach taken. Hackers keep breaking systems and patches are applied. Repeat forever. We will never get ahead of the bad guys with this methodology. How about a more proactive approach?
If I were king for a day (or a decade), I would decree the following dozen steps:
- Cybersecurity writ large is recognized as a preeminent threat to society. It is war in the purest sense of the term, with all the attendant stakes.
- We take a Manhattan Project style approach going forward. A joint government – Congress – local government – industry task force will be formed with a five-year mandate to break the defensive cycle. The charge is to make self-detecting/self-healing systems for all critical cyber functions. The task force reports directly to the President (not this one, the next one…).
- Participation in the task force is mandated. Concerns over commercial collusion and similar legal/business concerns will be resolved in the task force charter, exempting those who cooperate from such concerns. The private sector needs to know they are full partners in this, often leading partners, but government has the mandate to protect the country.
- Part of the goal is to expand and further develop the nascent capabilities to not only find the source of attacks, but to physically destroy the electronics of such sites with real time counter strikes. Put those like the Chinese and the Russians on notice, that continued attacks of the type we have seen will be met with aggressive defenses and counter attacks beyond just the source of the attacks.
- Ensure there is a sufficiently staffed, resourced, and empowered intergovernmental agency to get us ahead of threats and keep us there for the long haul. This agency would set cyber security standards for government and advise the government and Congress on legislation needed to keep the private sector safe and secure.
- Establish a training program for government, Congress, and support staff to understand the cyber age. If you have watched any of the recent congressional sessions in this area, you know how pathetically ill-equipped most of our would-be leaders are to deal with any of this. To say most are completely clueless would be a kind description. With a few exceptions (SEN Mark Warner of VA comes to mind), most are like cave men trying to figure out a locomotive. They literally cannot grasp the technologies nor understand the issues. We need training and embedded expertise.
- We start over with social media. It is so large and so pervasive that suggesting we all quit using it is essentially nonsensical. The people who started social media had no idea how it would develop or how to measure its impact. Not their fault – this is all new stuff. But they have failed, and we pay the price. Does anyone see Facebook getting it right? We need a national dialogue on what social media is, could be, and how it should operate in the future. Somewhere between the chaos of the Dark Web/hate sites and the Orwellian control of the Chinese government, we can find the right structures and processes. This will be remarkably difficult but let us get to it. Competition from new and better sites likely will be at least as important as any government mandates or industry codes of ethics we may develop.
- Put everyone in the financial, personnel, and medical transactions communities on notice. We all work together for up to five years to break this vulnerability cycle in the financial and personal information sectors. After that, severe penalties are incurred by these firms for every breach. How does a $5,000 penalty for every penetration of every account sound as a start point to get some attention, plus an omnibus fine for malfeasance? Those fines could go directly to consumers or to pay for the ongoing training of government personnel. Get this right or pay an ever-increasing price. We have been vulnerable to this type of threat for decades and industry has done little to break the cycle. Let’s make it pay to do so.
- Establish updated security standards, both physical and electronic for the national infrastructure, especially electricity and most especially for nuclear plants and fuel. Having 95% security is not good enough. Mandate what is needed and insist on its implementation with the greatest possible dispatch. If we need to increase utility rates, so be it, but we will not continue to be so vulnerable.
- Develop worst case scenarios for every sector (energy, transportation, communications, finance, etc.). War game each in detail and have ready to go proactive preventive measures and remedial actions where we fail to stop an attack (and that will happen).
- Take a page from recent history as to what works for innovation. The X Prize offered a handsome reward to anyone who could come up with major breakthroughs in space flight. For $10 million they were almost overrun with good ideas that advanced space travel dramatically. They have 17 more initiatives under way in different sectors. Let’s do the same here, in a big way. Identify a small number of key capabilities needed. Offer a cool billion dollars (that’s right, a billion. We are in a hurry here) to anyone or any group who can deliver on any of them. I guarantee you this will shorten timelines to success by half.
- Mandate that a detailed get-well plan be developed in the first year of the task force and a progress report be issued, one classified version and one unclassified version, every six months for the first five years and annually thereafter. As we go, much of this will have international implications for how things are done going forward. Working all that out will be challenging, but done right this could lay the groundwork for an international framework.
There we are. All big works, but all doable. We have so many issues and challenges before us day to day, that it is easy to forget this terrible set of risks is nearby. Some days it feels as though we are in a Hagar the Horrible cartoon. We are in the sword fight of our life with opposing forces to our front, not seeing that behind us is a boiling caldron of hot oil into which we are about to step.
Technology defines humanity as never before. We have reached a point wherein we can peek into the future and see unimaginable gifts and progress. We also can feel the shadow of chaos and doom creeping up on us. We really do get to choose which future arrives but choose we must – or it will be chosen for us.
May I gently suggest we all waste no opportunity in asking our government officials and our technology industry leaders what the heck they are doing to secure our future? And make this a cornerstone of the 2020 election. This could, in the end, be a gamble for all the marbles.