Ask not how your country can protect your tech. Ask what you can do to protect your country’s tech.
If President John F. Kennedy had given his inaugural address in the wake of the SolarWinds attack, he might have issued this plea for assistance from the tech sector. Instead of forming the Peace Corps, he might have started the Cyber Corps — a volunteer force of private sector cybersecurity experts dedicated to shoring up the nation’s technology systems and critical infrastructure.
The SolarWinds attack revealed the federal government’s cyber vulnerabilities, but the Colonial Pipeline attack showed the private sector is not immune. President Kennedy’s fictional plea would have been appropriate given the reality that iterations of SolarWinds and Colonial Pipeline are inevitable. A Cyber Corps is necessary to ensure the government can serve its public mission and that the private sector can continue to rely on the government’s critical infrastructure. In other words, the private sector can help secure the electrical grid, physical infrastructure, and other government platforms that serve both public and private goals.
An unprecedented improvement of the nation’s cybersecurity is long overdue. Since the 1990s, the Government Accountability Office (GAO) has placed cybersecurity on its High Risk List, which the GAO defines as its “list, updated at the start of each new Congress, of programs and operations that are vulnerable to waste, fraud, abuse, or mismanagement, or in need of transformation.” The SolarWinds attack proved the GAO’s point as the most recent hack that exploited a backdoor to infiltrate government agencies, critical infrastructure entities, and private companies that had used the compromised software. This attack might have been prevented if the government had heeded the GAO’s warnings and if it had better access to the expertise and personnel of private cybersecurity firms.
Private sector cybersecurity expertise has expanded in recent decades. It is often private sector actors that first attribute a cyberattack to a specific state or non-state adversary. Some companies have developed unique training and systems to protect their assets from increasingly sophisticated attacks. The private sector has accumulated tremendous amounts of data essential to understanding future attacks. Of course, the U.S. national security apparatus is not exactly lacking in cybersecurity knowledge, but that knowledge is not being spread sufficiently across the federal government. That is why the private sector needs to get involved in shoring up our nation’s cybersecurity infrastructure.
Whether the private sector acts on patriotism or its business interest in keeping the government and its critical infrastructure running, the time is now to jointly patch the nation’s cybersecurity vulnerabilities. Thankfully, the GAO has already identified some critical steps to take to begin to protect our nation, its agencies, and its critical infrastructure, upon which the private sector so heavily depends.
First, the U.S. needs to establish a comprehensive cybersecurity strategy. Given that private sector actors do this for companies operating on a global scale, they can play an important role in doing the same for the government.
Second, the U.S. needs to improve the adoption and implementation of government-wide cybersecurity initiatives. A recent GAO study found that of 16 agencies it sampled, most had weaknesses in most security control areas. What’s more, out of 24 major agencies surveyed, 18 were identified as having ineffective information security programs by their own inspectors general. These are the sorts of programs implemented by the private sector on a regular basis. A short-term “loan” of cybersecurity experts to government agencies via a new Cyber Corps could help these 18 agencies (and many more) implement robust information security programs.
Third, intensive efforts must be made to protect critical infrastructure such as the electricity grid. Threats to the nation’s electricity grid will only grow as the Internet of Things expands and more devices come online. These high-wattage devices commonly rely on the global positioning system to align their grid operations, increasing vulnerabilities. Though cybersecurity incidents have yet to result in widespread power outages in the U.S., attacks on industrial control systems abroad have already taken place, as in Ukraine.
A new Cyber Corps could resolve these kinds of cases better than the patchwork system that exists today. To get the Cyber Corps started, the Biden Administration should issue a “call-to-keyboards” that includes three key steps. First, scholarships for students who pursue cybersecurity-related degrees and pledge to serve in government. Second, investment in continued GAO auditing to identify weak spots in the cybersecurity of various agencies. Third, recruiting and announcing major companies that plan to pay for their employees to participate in the Cyber Corps. Imagine if the biggest players in “Big Tech” made it possible for their savviest workers to spend time doing a true public service — other tech companies would soon follow as employees demanded the opportunity to join this timely and important cause.
President Kennedy dared to give Americans an opportunity to apply their skills in meaningful ways in order to solve big challenges via the Peace Corps. President Biden should do the same with the Cyber Corps.
Kevin Frazier is a born and raised Oregonian. He is pursuing an MPA at HKS and a JD at the UC Berkeley School of Law. In his spare time, he runs The Oregon Way blog and covers the nexus of technology and good governance. You can follow him on Twitter @KevinTFrazier.
Photo credits: Pixabay.