(September 13, 2017) – As I assess progress in improving cyber security resilience over the past forty years, it is pretty clear that we have only made limited progress. In fact, progress that has been made through improved security in products or services has been more than offset by the increasing sophistication of the cyber threat. There are almost daily reports of massive cyber breaches at institutions that have the responsibility for protecting sensitive data about citizens or providing essential services. Equifax is the latest; it will not be the last. Are market forces sufficient to turn around the trend? I think not.
I observe that the technical complexities of cyber security are often not well understood, even by many in the security business. Cyber security is a true system-of-systems engineering problem whose complexity rivals that of other domains. Sure, consumers want security, but they typically don’t know how to ask for it. As a government CIO, I observed that I was spending more money to patch and fix software vulnerabilities than I was spending to purchase the product. I observed that the economics were all wrong. I asked our General Counsel how to solve the problem. Unfortunately, the response was that there were insufficient standards against which I could hold vendors accountable. This situation has not changed. Sure, vendors are spending more energy addressing security. However, every product produced still has major security flaws. So, how do we begin to make progress?
I take issue with those who pronounce that government should have no role or only a limited role in improving the state of cyber security. To support these assertions, many cite the relatively small percentage of spending on cyber products and services by government organizations compared with the spending by the total economy, thus arguing that government purchases on a global scale are too small to influence commercial product and service providers. Others advocate a very limited government role out of concern that government intervention will result in ill-conceived cyber standards that could constrain innovation and add burdensome oversight.
What is an appropriate role for government? As a first step, I believe that government should be establishing mandatory minimum standards for security. While government does not account for the majority of product and service purchases, it is the single largest procurer of products and services. As the CIO of the Air Force, I found that I had significant influence in getting vendors to modify standard practices to meet Air Force needs, including security needs. A government-defined minimum standard for cyber security that vendors are required to demonstrate prior to purchase can have a significant impact on ensuring that these products are available to everyone. This initial standard should truly be minimal, but it will establish the basis for further enhancement in the future. Today, we all “click through” the liability waivers that vendors provide with their products. We need a standard against which we can hold vendors liable for delivering insecure products.
Second, I believe that government should lead by example in the area of cyber security. Government systems that are funded by taxpayer monies should be examples of excellence. Unfortunately, the OPM breach and every other government security breach highlights the failure of government organizations to provide basic cyber security hygiene. Government should and must do better.
The Center for Internet Security, with which I am affiliated, has worked with hundreds of collaborators to develop the CIS Controls—a consensus-based roadmap for implementing basic cyber hygiene. The CIS Controls were developed to address 80+% of cyber-attack threats based on information provided to the project by the National Security Agency. Many of the CIS Controls address technical and management practices and related tools that are fundamental to any well-managed cyber operation. Yet, many government organizations have not implemented this basic cyber hygiene. In other disciplines like engineering, law and medicine, similar performance by government managers would be the basis for being liable for malpractice. I argue that government should be setting the example and senior officials in government need to hold government managers accountable for providing basic cyber hygiene.
In summary, I believe that if we are to make the kind of rapid progress in improving cyber security that is needed, the government is the only organization that has the authority and clout with product providers to bring about this progress. It is time to stop listening to those who want to protect the status quo. Our citizens deserve better!