From investment in technology to investment in people, the government need to do much more to ensure a safer and more secure digital age — before it’s too late.
Cyberspace remains an environment conducive to malicious activity. Capabilities for both malicious and defensive activity will likely evolve at a faster rate than regulations can adapt. Vulnerabilities will continue to increase at an ever greater rate with IoT, and this will, in turn, increase the costs and externalities of cyber incidents.
Law enforcement resources may be spread increasingly thin. Even more worrisome is the potential for further escalation of the severity of cyber attacks. Should there be a shift toward cyber attacks targeting the integrity of data, the consequences could become even more damaging and cascading than anything seen before.
The existing state of cybersecurity at federal agencies isn’t the fault of anyone. The legal, regulatory, and cultural barriers hindering the adoption of new technologies, the lack of investment to aid in digital defense, a dearth of qualified professionals willing to commit their cybersecurity skills to protect the government, and a skeletal information exchange environment compounded to an already insufficient information security culture in the government.
The people who buy the IT goods and services are not the same people who use the IT goods and services. The Chief Information Officer (CIO) who is charged with overseeing good digital hygiene isn’t in control of the entire govt’s IT budget, and, because of the way the government is funded, agencies are unable to utilize savings they realize through the adoption of new technologies.
Having a political class that doesn't know anything about how technology and the internet works is a major national security risks as cyber warfare is and will be the key and primary strategy for a lot of dominant nation states. The onus of responding to cyber attacks is already emerging as a tall order for the government because of the difficult policy choices associated with the type of response or inaction against the perpetrators, even in situations where they can be confidently identified. Already now, nation states and their proxies are regularly spying and attacking in cyberspace across national borders. Present day conflicts are now fought as much in the information environment as on the battlefield and the line is blurring and soon would be dissolved. Even less sophisticated countries have acquired capabilities previously available only to the advanced and richer countries in support of their objectives.
Thus, we urgently call on the government to adopt technologies widely used in the private sector in developing and bolstering our national security. Often times, the government's progress is hindered by outdated tools and practices that lag far behind private sector standards. And at present, the government is focused on protecting governmental assets and national infrastructure, leaving themselves with modest residual capacity and resolve to underwrite other cybersecurity risks.
The government will benefit from the best practices practised by the private sector and collectively, build a better and secure future for the country. Currently, we believe faster response time and improved effectiveness are some of the best practices practised by the private sector. Often, the private sector can react faster and more effectively to defend its own networks than law enforcement agencies can. Individual corporations likely have a better picture of the unique threats they face and the risks they pose to their equities. They have a stronger motivation to defend themselves and, in some cases, they also possess superior technical and financial resources to allocate to that mission.
Compounding this is the challenge by the global and rapidly evolving nature of the cyber domain. In many countries, national laws governing this space are either absent, vague, or difficult to operationalize. International understanding and conventions to harmonize national responses are also largely absent, complicating efforts to manage cross-border incidents with political ramifications.
As stated in a 2016 World Economic Forum white paper, "it is an understatement to say that the government and industry are struggling to understand and prepare for the magnitude of systemic cyber risk".
Battlefield advantage is driven by who has access to the best information that can then be analyzed to inform decision making at the point and time of need.