In my last blog, I talked about the importance of a company having the right cyber strategic plan. I now want to kick it up a couple of levels and make the case for the right strategic planning (and leadership) within governments to address the criminal elements that are becoming an increasing threat to our economy. While the private sector will always play a key leadership role in fighting cybercrime, it’s time that governments do more to support and enhance private sector capabilities in this fight.
After retiring from the NSA, I spoke frequently at various conferences and events, focusing my comments on the nation-state cyber threat, primarily given that this was our collective focus while I was the Director of the NSA Threat Operations Center. To my mind, the US Government was properly aligned (face pressed to the glass) on those sophisticated nation-state cyber threats that posed the most risk to our national security. And now such actors are only made more relevant by the threat posed by information operations campaigns. Even as I write this our adversaries are actively engaged in disinformation related to the ongoing COVID-19 pandemic. Thus, while I believe government-focused threats remain a critical priority, the problem is that such an exclusive focus is no longer enough, especially as the cyber threat posed by criminal enterprises continues to critically impact one of our biggest strategic capabilities, our interconnected worldwide economy. The amount of theft in dollars is growing exponentially and can no longer be assumed as just a cost of doing business.
We need to fundamentally rethink how our governments prioritize (or reprioritize) their focus on the criminal cyber problem. Even the idea of a distinction between government and criminal cyber threats needs to be revisited as we observe nation-states who partner with, enable, or, at a minimum, turn a blind eye to criminal elements that do business within their borders. This challenge quickly becomes a strategic resource issue, and one we may not be currently structured to address.
In the UK it’s fairly obvious given the establishment of the National Center for Cybersecurity, but in the United States and most other countries, I would suggest that it’s not all that clear. If the answer is as confusing as I believe it is, then let’s start by recommending the identification of one individual in each country with that mandate.
As for the U.S., I am not suggesting the creation of a new agency (we can’t afford it) and absolutely not recommending yet another reorganization (it would take too long to be effective). What I am saying is we need one official charged with coordinating across existing government agencies; of developing relationships with the private sector to achieve the right strategies to combat cybercrime (in addition to the ever-morphing nation-state concerns). In the United States, perhaps an executive who sits in the President’s cabinet is charged with cajoling the disparate elements across government (and the private sector) to the right collective effort, expanding that coordination and focus to criminal elements as appropriate given their growing importance as a critical threat.
Bottom line, the criminal cyber threat, whether sustained by nation-states or enabled by our own ineffectiveness in defense, has risen to the level of being a national threat…in particular as it truly threatens our economy. While I would prefer that every country establish such a position, I will settle for the U.S. first. Then we can focus on how the collective cyber defense effort in this country can:
- Enhance international partnerships and alliances to deter, investigate and prosecute criminal elements that use cyber as a means to undermine our institutions.
- Support diplomatic and law enforcement initiatives across the world to undermine government-supported safe-havens.
- Develop a process to enable greater and more effective cooperation between academia, the private sector, and the government on the components of cybercrime.
- Enable alliances to develop effective defensive strategies, supporting the bundling of cyber services and capabilities in a manner that supports small and medium businesses that cannot defend themselves.
- Support the development of national and international strategic planning to facilitate prioritization and resource allocation.
To continue down the path we are on fails to address the reality of the current cyber environment. We desperately need a more strategic approach to cyber across a group of like-minded countries…one that enjoins our governments more fully to the defense of the threat posed by criminal elements… and one that clearly identifies who in each country has the mandate to create success across the spectrum of cyber issues.