Cyber-Insecurity: How to Improve America's Digital Defenses
America isn’t optimizing its digital defenses. Today, U.S. government efforts to defend information systems, protect critical infrastructure, and respond to incidents are based on a combination of Department-by-Department actions, frequently isolated regulations, and an uneven culture of information-sharing between industry, government, and the security research community. Although there are many positive initiatives underway, the current environment can be characterized more as independent actions with brittle boundaries than a sufficiently empowered government organization.
At the heart of this challenge are several shortcomings: insufficient numbers of cyber professionals, lack of fully automated systems (in part due to legacy systems that cannot be automated), and an absence of significant penalties for making timely change to key networks.
Looking forward, government, industry, and the security research community must work better collectively to defend systems, share threat information in real time, and respond sufficiently to incidents, as the numbers and capabilities of cyber-threat actors increase.
What policy options are available for addressing the challenges identified?
General (ret.) David Petraeus
“Another huge challenge that CISA (the Cybersecurity and Infrastructure Security Agency) will be measured against will be that of attracting the quantity and the quality of people needed for this new organization. Harvard’s Belfer Center estimates that the overall federal government alone has a deficit of 10,000 cyber security professionals. Can this new CISA attract the kind of talent that is necessary and in the amount that is also necessary?”
“Developments in cyber space are outstripping our very ability just to comprehend them, much less develop concepts.”
“I think there are real limits on the ability of one department or agency to provide oversight, to direct, even really to effectively coordinate other departments and agencies, activities without strong, daily engagement and pushing and help from the White House.”
“Cyber security is all about risk management. Risk management is about understanding threats, vulnerabilities and consequences and then mitigating against all three.”
“We all know that there are significant cyber-attacks every single day, and we have had some fairly spectacular ones over the last couple of years particularly. But I do think it hasn’t penetrated into the American public, so it doesn’t have the political saliency yet—they know they should be vaguely worried, but they’re not scared.”
“We really have to come with as a nation a scalable approach. One that deals with both threats but also how we do with the response. We do this in other areas of crime.”
“We really need to not regulate our way to death with where we are going right now, and I think taking each sector -- even though I agree that the greatest similarity with our critical infrastructures are their differences -- we also have to understand where they have common infrastructure and we can think about what are the common threats and common risks they approach.”
“Because the tech industry is so based in the U.S., if we create too many regulations we’re going to be preventing the very sort of inspiration that created the internet and created the tech industry.”
General (ret.) David Petraeus
Partner, Crowell & Moring
Science and Technology Innovation Program
The Science and Technology Innovation Program (STIP) brings foresight to the frontier. Our experts explore emerging technologies through vital conversations, making science policy accessible to everyone.