6th Floor, Woodrow Wilson Center

Cyber-Insecurity: How to Improve America's Digital Defenses

Webcast available

Webcast Recap

America isn’t optimizing its digital defenses. Today, U.S. government efforts to defend information systems, protect critical infrastructure, and respond to incidents are based on a combination of department-by-department actions, frequently isolated regulations, and an uneven culture of information-sharing between industry, government, and the security research community. Although there are many positive initiatives underway, the current environment can be characterized more as independent actions with brittle boundaries than a sufficiently empowered government organization.

At the heart of this challenge are several shortcomings: insufficient numbers of cyber professionals, lack of fully automated systems (in part due to legacy systems that cannot be automated), and an absence of significant penalties for making timely change to key networks.

Looking forward, government, industry, and the security research community must work better collectively to defend systems, share threat information in real time, and respond sufficiently to incidents, as the numbers and capabilities of cyber-threat actors increase. 

What policy options are available for addressing the challenges identified? 

Selected Quotes

 

General (ret.) David Petraeus

“Another huge challenge that CISA (the Cybersecurity and Infrastructure Security Agency) will be measured against will be that of attracting the quantity and the quality of people needed for this new organization. Harvard’s Belfer Center estimates that the overall federal government alone has a deficit of 10,000 cyber security professionals. Can this new CISA attract the kind of talent that is necessary and in the amount that is also necessary?” 

“Developments in cyber space are outstripping our very ability just to comprehend them, much less develop concepts.” 

Suzanne Spaulding

“I think there are real limits on the ability of one department or agency to provide oversight, to direct, even really to effectively coordinate other departments and agencies, activities without strong, daily engagement and pushing and help from the White House.” 

“Cyber security is all about risk management. Risk management is about understanding threats, vulnerabilities and consequences and then mitigating against all three.”

“We all know that there are significant cyber-attacks every single day, and we have had some fairly spectacular ones over the last couple of years particularly. But I do think it hasn’t penetrated into the American public, so it doesn’t have the political saliency yet—they know they should be vaguely worried, but they’re not scared.”

Evan Wolff

“We really have to come with as a nation a scalable approach. One that deals with both threats but also how we do with the response. We do this in other areas of crime.”

“We really need to not regulate our way to death with where we are going right now, and I think taking each sector -- even though I agree that the greatest similarity with our critical infrastructures are their differences -- we also have to understand where they have common infrastructure and we can think about what are the common threats and common risks they approach.”

“Because the tech industry is so based in the U.S., if we create too many regulations we’re going to be preventing the very sort of inspiration that created the internet and created the tech industry.”

 

 

02-28-2019 Cyber-Insecurity: How to Improve America's Digital Defenses with David Petraeus

Moderator

Speakers

  • General (ret.) David Petraeus
    Chairman, KKR Global Institute; former CIA Director
  • Suzanne Spaulding
    Senior Adviser, Homeland Security, CSIS; former Under Secretary for the National Protection and Programs Directorate, U.S. Department of Homeland Security
  • Evan Wolff
    Global Fellow
    Partner, Crowell & Moring