To safeguard against emerging cyber threats, the United States needs to consider how the rest of the world views the evolving cybersecurity landscape.
As technology advances at an unprecedented rate, it’s become clear that IT infrastructure in the U.S. is in need of a serious overhaul—but what about the rest of the globe?
In the U.S., we tend to think about cyberspace the same way we think of international waters: as a global commons rather than an area governed by a single nation or codified set of laws.
According to Samuel Visner, former ICF Senior Vice President and General Manager for Cybersecurity and Resilience, other nations approach the concept of cyberspace in a very different way.
“We may fight in cyberspace, we may try to preserve an electoral system in cyberspace, but we don’t draw borders around cyberspace,” Visner observed at the 2017 International Affairs Forum in Traverse City, Michigan. “According to Russia, China, and others, cybersecurity is about preserving the sovereign prerogatives of a government against illegitimate social, political, religious, and cultural movements. It is about preserving sovereignty. And for them, cyberspace is a place where security means governance and governance means control.”
That disparity of perspective, he says, is precisely why we’re not prepared to navigate the evolving cybersecurity landscape. It’s also a central theme of ICF’s 2018 CyberSci Symposium this September. As the Symposium approaches, we’ll continue to cover what attendees can expect to learn, and other issues driving the discussion around cybersecurity. In the meantime, though, let’s take a look back at some of the recommendations our experts made at CyberSci 2016 for the incoming President of the United States (POTUS)—and what progress has been made to fortify our critical infrastructures in the battle for cyberspace.
Connect Cybersecurity R&D to National Technology Development
IT advancement is a double-edged sword — both a hallmark of national progress and a potential liability. More than ever, IT is being used to manage transportation, energy, communication, manufacturing, and other infrastructures. As these technologies become more widely used, however, it becomes increasingly difficult to account for gaps in security at federal agencies. That means that the development of cybersecurity technology must be in lockstep with IT advances.
“Progress has been uneven,” says Visner of this recommendation. “Good work is being done at the Department of Energy National Laboratories, but more work needs to be done to understand the cybersecurity features of new critical infrastructures that depend on information technology.”
Define a National Cybersecurity R&D Community
The cybersecurity challenges facing the United States are vast and complex. Addressing them will require a whole-of-nation approach to the development and application of requisite cybersecurity capabilities. As such, the next President should define the national cybersecurity R&D community, not unlike those established for nuclear energy and aerospace technology in the decades following WWII.
Fortunately, says Visner, the Federal Government took strong steps in 2015 and 2016 with the release of the Federal Government Cybersecurity R&D Strategic Plan — but challenges persist. The Plan, he says, “limits itself to the Federal Government, and does not take into sufficient account the R&D resources of industry and academia. We must do better.”
Define National Cybersecurity R&D Challenges
Once a national cybersecurity R&D community is established, it should be followed swiftly by an enumeration of national cybersecurity R&D challenges for the community to address. Though some challenges can be drawn from the 2016 Federal Government Cybersecurity Research and Development Strategic Plan, others should include:
- Identifying challenges associated with smart infrastructures.
- Outlining needs of cybersecurity operators within the Department of Defense (DoD) and the intelligence community.
- Securing our financial system, as crypto-currencies and global trading become increasingly common.
According to Visner, we still need to do a better job defining the challenges, though.
“A national cybersecurity R&D community needs challenges defined beyond those currently described in the Federal Government’s own plan,” he continues. “Emphasis on a $1 trillion investment in national infrastructure could accelerate the deployment of resources that need to be secure — smart roads, smart railroads, new municipal water systems, and a smart grid.”
Visner also says that we may need to do more to guard our electoral systems against foreign interference.
Enable Cybersecurity R&D Information Sharing
Development of an effective national cybersecurity R&D community will pose the significant challenge of sharing important information quickly and securely. Although an existing executive order (EO) calls for stronger information sharing, efforts to build a national cybersecurity R&D information-sharing architecture should be formalized and accelerated.
Visner says that although more information sharing and analysis organizations (ISAOs) are being established, a national architecture — with effective governance — for information sharing has yet to come to fruition.
“For R&D, the development of a national cyber R&D community will require effective information sharing, including peer-review and the provisions for sharing classified information relating to threats and new technologies.”
Use IT to Understand and Address Cybersecurity Technology Challenges Posed by Privacy
National concerns endure about the privacy of information used to safeguard the nation. Cybersecurity R&D activities should adhere to the protections afforded by the 4th Amendment to the U.S. Constitution, which protects people against unlawful searches and seizures. We need to ensure that the search for vital intelligence doesn’t become fixed surveillance of U.S. citizens.
In 2017, says Visner, the need for privacy is still at odds with the need for transparency.
“New infrastructures will require companies, municipalities, and individuals to share responsibility for cybersecurity,” he continues. “Smart roads connected to smart grids, houses, factories, and service providers will require the ability to detect and report cyber exploits and attacks in networks that we all share. Building mechanisms that allow for such sharing, while respecting our Constitutional protections, requires an R&D effort that is not yet truly underway.”