Analysis & Opinions - The Hill
Simplifying Cybersecurity
The president has announced a new Commission on Enhancing National Cybersecurity and appointed his former national security advisor and the former CEO of IBM to lead it. Together, they have an opportunity to put the country on a path towards real cybersecurity. As they begin receiving briefings, they will soon find themselves overwhelmed with complexity and mired in technological minutiae. While there are undoubtedly aspects of the cybersecurity problem that demand complex technological solutions, we submit that the two most beneficial recommendations they can make are more straightforward. The first is to do everything possible to eliminate the vulnerabilities on which attackers depend. The second is to treat cybersecurity principally as a management problem rather than as a technology problem.
The reason you cannot read the news without learning of another hack is that attackers have an almost unlimited and constantly growing set of potential targets. Why? Think of "hacking" in the cyber context as shorthand for exploiting vulnerabilities. The persistence of these vulnerabilities reflects the absence of incentives for developers to create secure software. In an era before software ran critical applications, this was tolerable; it is acceptable no longer. The problem is only getting worse with the growth of the Internet of Things, which connects more of our devices and our lives to the Internet without much thought to security. In the ongoing debate about cybersecurity, there have been many sound proposals for investment in offensive and defensive cyber capabilities, along with a skilled workforce able to employ these capabilities. Those are necessary moves, but they are themselves insufficient because they do not address the underlying vulnerability problem.
Improving cybersecurity for the long run requires doing everything possible to eliminate exploitable vulnerabilities. This will require a mix of carrots and sticks. The market has not yet sufficiently incentivized security. As a result, we may need to encourage industry to produce secure software by holding them liable when they don’t. Government regulates safety and security in other industries, and similar standards may at some point be necessary for software. But when companies do acknowledge vulnerabilities in their products and make timely efforts to fix them, they should be rewarded and shielded from liability.
Some will be quick to counter that imposing liability and regulation risks stifling innovation in one of the most powerful and transformative sectors of the U.S. economy. With its mix of public and private sector commissioners and an inclusive work process, we believe President Obama's cyber commission will be well positioned to address the liability issue in a way that breaks the cycle of cyber insecurity without unduly harming the competitiveness of our software sector.
In addition to leading the way towards the elimination of vulnerabilities, Obama's commission should examine how organizations in both the private and public sectors treat cyber issues. Too many senior managers see cybersecurity as a technology problem and delegate responsibility for it to technical experts who are neither qualified nor empowered to make decisions on behalf of their organizations. Shifting the lens through which managers see cyber issues is imperative: today's leaders must own cybersecurity. They need to educate themselves on the risks their organizations face, require their subordinates to monitor and reduce those risks, and then be held accountable for cybersecurity failures.
Obama's commission has the opportunity to shape the agenda for cybersecurity for the next administration and beyond. The challenges posed by our state of near-permanent cyber insecurity are only beginning to become apparent. The commission should not be expected to solve every problem, but with a focus on reducing vulnerabilities and framing the task as a management challenge, they can chart a wise course for how to improve America's cybersecurity.
For Academic Citation:
Sulmeyer, Michael and Peter Roady. "Simplifying Cybersecurity." The Hill, February 26, 2016.