The Organizational Imperative for Our Nation’s Cybersecurity
An Organizational Model for Protecting the Public from Cybercrime
This is Civic Way’s second commentary on the Colonial Pipeline shutdown’s implications for American society (see our first commentary). It offers some organizational strategies for protecting government information and the citizens served by federal, state and local government. The author, Bob Melville, is the founder of Civic Way, a nonprofit dedicated to good government, and a management consultant with over 45 years of experience improving governmental agencies across the US.
Highlights:
To protect government (and American society) against cybercrime, we need a holistic, organizational approach that encourages individual entities to work together across traditional jurisdictional barriers
Improving America’s macro cybersecurity must begin with the federal government, an effective cybersecurity regulatory framework and an organizational model for segmenting public data networks around regional (multi-state) interests
Regionalizing our governmental approach to cybersecurity will require a clear federal commitment (legally and fiscally), comprehensive multi-state compacts and agile regional nonprofits with charters for leading the implementation of effective cybersecurity measures
Introduction
The Colonial Pipeline shutdown was just the first of many shocking cyberattacks on vital American infrastructure. Large ransoms, like the one paid by Colonial Pipeline, will likely encourage more cyberattacks and even higher demands. Cybercriminals will become increasingly sophisticated, creative and brazen. The threat they pose won’t just be to our pocketbooks. It will be to our safety, health and lives.
The next wave of cybercrime won’t just harm individual organizations; it will bring devastation to entire communities and regions. The shift from attacking large private enterprises to government services and public facilities (like tunnels, ferries and subways) is already underway.
The cybersecurity measures we are taking—or considering—focus on the micro (e.g., one entity) rather than the macro (e.g., an economic sector or society at large). They help individual entities improve internal cybersecurity, but they require extensive collaboration and coordination to succeed across entities. In other words, virtually all cybersecurity measures are designed to help individual enterprises protect themselves, not civil society.
To protect government (and American society), especially state and local governments, from cybercrime, we need a more holistic approach. We need a new organizational approach to cybersecurity that encourages individual entities, especially states and localities, to work together across traditional jurisdictional barriers. As stated by the Combatting Ransomware report, the threat of cybercrime “demands a whole-of-government strategic response” and “structures” for coordinating “activities across authorities and capabilities.”
It is not too late for our nation to mount a counterattack. But, our response must be broader, more aggressive and bolder than the strategies now under consideration in corporate board rooms and political cloakrooms. It must involve a complete reimagination of the way our federal, state and local governments work together. It demands a wholesale revamping of American federalism.
Building a New Federal Cybersecurity Model
Many federal leaders recognize the seriousness of the cybersecurity problem. President Biden, for instance, just signed an executive order mandating stronger practices for federal agencies (e.g., data encryption, two-factor authentication and breach data sharing) and federal contractors (including individual gig workers and third party product and service vendors).
On the legislative front, there is a Congressional Cybersecurity Caucus. The Cyberspace Solarium Commission (CSC), created in 2019 by Congress, has urged several cybersecurity strategies, some of which were enacted through the 2020 National Defense Authorization Act (NDAA): improved federal-private cooperation, starting with critical infrastructure; a cloud-based nerve center to improve cyber threat data sharing and analysis; and enhanced federal cyberattack recovery and enforcement tools.
Still, a nagging question remains—will such responses be too little, too late?
The fact remains that the US lacks a coherent, robust regulatory system for protecting the federal government and American society from cyberthreats.
The federal government’s cybersecurity approach has been lax for some time. For one thing, no single agency is empowered to enforce cybersecurity regulations. [The 2020 NDAA created a new cyber director position.] The Department of Homeland Security (DHS) issues some guidelines. The Federal Transportation Security Administration (TSA), housed within DHS, is responsible for pipeline cybersecurity guidelines. The Federal Energy Regulatory Commission (FERC) handles power grid cybersecurity rules. The Coast Guard requires cybersecurity reviews for port operators. In some cases, private nonprofits regulate cybersecurity issues (e.g., North American Electric Reliability Corporation). The list goes on.
Another problem is the federal government’s undue reliance on voluntary regulations. DHS and TSA, for example, issue suggested standards, but lack the power to enforce them or levy penalties for noncompliance. No federal laws mandate cyberattack reporting. Agency relationships, especially with private firms, are more conciliatory than arms-length. This timid regulatory mindset may appease the regulated, but it puts our nation’s critical infrastructure at risk. [DHS decided to replace its voluntary system after the Colonial Pipeline shutdown.]
Third, some extremely relevant matters are not regulated at all. For instance, there are no cybersecurity regulations governing the introduction of new software. We have such a system for drugs being brought to market, but not for products that could increase our vulnerability to cyberattacks. The current software development model (i.e., build, sell and patch later) increases the odds that new software products, including cloud, open source, commercial and government offerings, will make us more vulnerable.
Fourth, the federal cybersecurity effort remains underprioritized and underfunded (a problem that could be exacerbated by the increased focus on private cybersecurity). The result? Limited staffing (e.g., only 34 pipeline security employees). Thin cybersecurity expertise (confirmed by a 2019 Government Accountability Office report). Infrequent cybersecurity reviews (e.g., TSA’s failure to review Colonial Pipeline). Inadequate assessments (TSA didn’t begin detailed cybersecurity assessments until late 2018). Weak follow-up to those reviews that are conducted. Inadequate cybersecurity tracking metrics and an ineffectual cyberthreat reporting system.
Ultimately, no matter what else we do, we cannot ensure America’s macro cybersecurity without a comprehensive national strategy. At the federal level, this strategy should entail a new regulatory framework and a new organizational model.
In conjunction with the private sector, cybersecurity experts and state and local government, federal leaders should design and build a comprehensive, rigorous federal cybersecurity regulatory system. This system should revolve around defining cybersecurity as national security and interstate commerce functions under the Constitution. The federal regime should preempt all state cybersecurity laws and regulations.
The federal cybersecurity regulatory regime should include a range of measures for fighting macro cyberthreats: global agreements to punish hackers, terminate foreign havens and mount offensive hacking operations against cybercriminals and host nations; tough standards and enforcement measures for domestic entities, especially vital infrastructure providers and technology providers; rigorous cryptocurrency regulations; and clear laws requiring full, immediate cyberattack reporting.
Congress should enact a new organizational model to facilitate the federal government’s macro cybersecurity program. It should designate two federal agencies for leading international and domestic efforts. The lead domestic agency also should oversee regional (multi-state) cybersecurity efforts and coordinate other cybersecurity measures (e.g., serve as a clearinghouse for cyberattacks, cybersecurity metrics and other relevant data). As it did when it established DHS, Congress also should provide sufficient funding for the designated agencies to fulfill their assigned missions.
Forging a New Cybersecurity Model for State and Local Governments
State and local governments are soft targets for cybercriminals, perhaps our nation’s weakest cybersecurity link. Their facilities and personnel are relatively accessible. Their records and data are comparatively open. They provide a broad range of public services that cannot be readily suspended or terminated. Their cybersecurity capabilities, especially among smaller governments, are relatively limited. In addition, their accountability policies for cybersecurity remain in their infancy.
The fragmentation of state and local governments poses a daunting barrier to our nation’s cybersecurity. With over 90,000 state and local governments, it is difficult to maintain any sustained collaboration among them, let alone build their cyber incident preparedness, response and threat detection capabilities. In most states, cybersecurity governance is federated or decentralized among state agencies. Some states are beginning to offer cybersecurity aid to local governments, but most local governments remain highly vulnerable, especially those in regions with many independent local governments.
While private firms and federal agencies have boosted cybersecurity spending, state and local governments invest too little. State governments spend only about three percent of their technology budgets on cybersecurity, a fraction of what many federal agencies and private businesses spend. Most local governments lack sufficient funds to ensure minimal cybersecurity, while some are simply unwilling to make sufficient operating budget commitments. Scrimping on cybersecurity has consequences—inadequate cybersecurity staffing and expertise, undue reliance on aging mainframe computers and heightened risk.
America’s macro cybersecurity readiness cannot be assured without a new cybersecurity model for state and local government. As echoed by IBM, state and local governments can strengthen their cybersecurity by “harnessing their collective wisdom, experiences and resources.” To help state and local governments do anything collaboratively—let alone collectively—we will need a new organizational model, one that enables (or requires) state and local governments to share cybersecurity resources and protocols.
What might this new model look like? We don’t have the luxury of redrawing existing jurisdictional lines, especially given the speed at which the cyberthreat is proliferating. Rather, we should draft and execute 15 to 25 multi-state cybersecurity compacts. These compacts should be structured around geographically coherent regions like New England or the Northwest. To the extent possible, they also should reflect regional population centers and economic hubs as well as existing intergovernmental agreements and initiatives.
Each region should establish a nonprofit entity to manage the cybersecurity program on behalf of its state members. The operating model for each regional entity may vary around the margins, but it should be based on an existing model that promotes member input, engagement and collaboration (e.g., electric cooperative). If the regions are aligned, this same entity also could provide a platform for navigating other regional issues (e.g., energy, water, transportation, broadband and economic development incentives).
The initial goal of the new regional cybersecurity entity will be to restructure (and segment) data networks and reduce their exposure to cyberattacks. This will require states (and their localities) to share data networks and cybersecurity resources across existing platforms. Each region could then standardize access controls and other security policies, but also segment the shared networks in ways that will decrease their vulnerability. That is, reorganize the networks (stripped of extraneous data) into subnets with smaller attack surfaces.
What else could the new regional entities do for local governments? They could deploy cybersecurity teams to tackle potential cyberthreats, provide incident response support and conduct cybersecurity training. They could establish a one-stop regional cybersecurity hub offering a Security Orchestration, Automation and Response (SOAR) platform, expanded (and more secure) storage capacity and free cybersecurity tools like anti-malware.
The new regional model will enable existing state and local governments to confront the mounting cybersecurity threats with the urgency, speed and resources those threats demand. However, the model won’t work without strong federal enabling legislation and the wholesale revamping of relevant state legislation. And it won’t work without sufficient federal funding to encourage state alignment.
The new regional cybersecurity model is a short-term play. It will no doubt have to be refined over time as mistakes are made, cybercriminals evolve and lessons are learned. A related long-term strategy should be to support the growth of the new cybersecurity industry. Congress should make a massive long-term investment in the development of cybersecurity capacity. With diverse, dedicated funding (e.g., utility bill surcharges and energy taxes) and other resources (e.g., low-interest student loans), it should foster the growth of the cybersecurity profession, including training, accreditation and certification programs.
Preserving America’s Future Cybersecurity
You can see and feel the elation. Moving about and greeting others without masks. Exchanging smiles and hugs. Ending our social isolation. Normalcy never felt so exciting.
There is much to admire about our behavior during the pandemic. Our empathy and generosity. Our willingness to make sacrifices for others. Our ability to adapt to change. But, if Covid-19 was some kind of a dress rehearsal for the next pandemic, it is clear that we still have a lot to learn. And we need to learn those lessons before the next pandemic or major cyberattack.
Cybercrime and pandemics share many characteristics. Poor preparation. The sneak attack. Viral growth. The panic and devastation. Wishful thinking. The lack of urgency. The futile search for consensus.
As we face future—more widespread—cyberthreats, we should ask what we’ve learned from the past. Will our digital interconnectedness be our downfall? Will we mount an effective response before it’s too late? How will we organize that response to ensure its success? Can we overcome our allegiances to traditional structures to do what it takes to preserve our future progress?
Cybercrime poses a far more serious threat to our nation—and civilized society—than Covid-19. However, if we learn how to share our public resources and coordinate government initiatives more effectively, we can defeat cybercrime. A new organizational model that promotes regional coordination will improve cyberattack responses, slash the human and financial costs of future cyberattacks, facilitate the segmentation of our public networks and bolster our macro cybersecurity for our governments and communities.