Would You Buy a Car with No Brakes? Me, neither. Yet, if we take a hard look at the many types and layers of digital technology that affect our lives, we might see how out of control we truly are. Take your average smart phone. It’s likely to be manufactured in a country the US considers a global strategic adversary. Its circuitry and software contain hidden code, installed at the behest of their intelligence service, that spies on us. In a cyberattack, this code can render the device useless. When it works, the phone connects to networks that are built using equipment made in this same adversarial country. They’re easily hacked. The phone can access corporate and government systems that, as most security managers know, have already been infiltrated by malicious actors.
This is just one example. Our lives are so dependent on digital technology we have stopped even thinking about it. Perhaps we never thought about. We should. Digital technology either runs or has decisive influence over our electrical power supply, food supply, healthcare, financial systems, government, businesses, transportation systems, law enforcement agencies, military and intelligence services. Digital software and hardware are embedded in cars, medical equipment, tools, planes and on and on.
It’s all very slick. It makes our lives easier. It’s also extremely vulnerable to disruption. Our entire reality can easily be thrown into unimaginable, fatal chaos. The risks are far more serious than a simple data breach or loss of service. It may sound hyperbolic, but the survival of our entire society and way of life is at stake. Who’s in control? No one. The current, well-intentioned practices known as “Information Security” or “Cyber defense” are inadequate to mitigate the systemic risk we face.
The increasing tempo and severity of cyberattacks reveal the deficiency of current cyber defenses. These deficiencies exist despite the investment of money and expertise by some of our greatest minds. At the same time, newly exposed cyber vulnerabilities, such as the potential for the power grid to be destroyed by hacking, suggest that we have barely begun to confront what are truly existential threats.
To prevent cyber-borne disaster, the time has come to develop a higher level, more holistic set of rules—a Cyber Policy—that unifies the security and use of digital technology by business, consumers, government, military, media and beyond. We need a high-level, holistic set of rules to govern the pervasive computing systems that run virtually every aspect of modern life.
Getting to such a Cyber Policy would be a Herculean task, but one that must be attempted nonetheless. The underlying challenge will be to get key stakeholders to recognize that organizations, leadership and rules are equally, if not more important that technologies in addressing cyber risks. If agreement on this principle can be reached, then the truly hard work begins.
At a high level, forming Cyber Policy requires conversations among thought leaders from across the technology spectrum regarding what Cyber Policy should embody and how it should be developed. There is a need for a governing body to coordinate policy setting, with commitments to operationalize policies across corporate, legislative and public-sector entities. This body must address the technological aspects of cyber policy implementation – how tooling, standards and frameworks can come together to define and enforce Cyber Policy. It must also deal with organizational and Legislative aspects of Cyber Policy. There have to be “teeth” in Cyber Policy. Voluntary frameworks are, by definition, ineffective in the modern world. Cyber Policy must be real and enforceable.
Cyber Policy presents a leadership challenge. Is the United States up to the job? Can it afford not to be?