New executive order on cybersecurity highlights need for deterrence, protection of key industries
Deterrence must, by nature, be multi-dimensional: It has to include a variety of obstacles to incoming attacks, as well as potential consequences for attackers. Coordinating diplomacy, military and economic efforts will be crucial to presenting a unified front to would-be adversaries.
This is not to say that a one-size strategy will fit all. To the contrary, besides a robust general posture, the U.S. must also tailor its specific deterrence efforts to make sure they are effective against individual potential adversaries.
Protecting the grid and the military’s warfighting capabilities
The executive order also calls for additional protection of the electricity grid against cyberattacks. The potential is not hypothetical: Ukraine’s grid was attacked twice, in December 2015 and December 2016.
And it calls attention to the military’s industrial base, including its supply chain – which collectively produces, delivers and maintains weapons systems and component parts that are necessities for the Department of Defense. A successful cyber-attack on key suppliers could hamstring America’s armed forces as much as a physical incursion against them on the battlefield.
Yet, as important as it is to identify and remedy existing vulnerabilities, the better course is always to design computer systems securely in the first place. The executive order focuses more on the former than the latter, since we must work with the capabilities and equipment we have, rather than just those we would wish to have.
Basic guidance
More generally, the executive order discusses and reinforces the basic principles of good cyber-hygiene. For instance, it emphasizes the significant risks to departments and agencies, and the citizens they serve, if known vulnerabilities remain unrepaired. For instance, without proper protections, taxpayer records, Social Security data and medical records could be stolen or fraudulently altered.
Sadly, this is a vital issue. Recent testimony from the Government Accountability Office documents the widespread problems government agencies have failing to install routine security upgrades and even using software so outdated the company that created it no longer supports it.
But the executive order also looks to a future federal government that takes advantage of cloud computing and the Internet of Things. The document not only calls for safeguarding existing networks and data; it declares the importance of systematic planning for future technological upgrades and advances, to manage risk effectively. Maintenance and modernization both matter, and both must be done securely.
Overall, the order is a solid document, with guidance that is both measured and clear. Key to its success – and ultimately to the country’s security in cyberspace – will be the relationship the government builds with private industry. Protecting the country won’t be possible without both groups working in tandem.
Frank J. Cilluffo is is Director, Center for Cyber and Homeland Security, George Washington University. Sharon L. Cardash is Associate Director, Center for Cyber and Homeland Security, George Washington University. This article is published courtesy of The Conversation (under Creative Commons-Attribution / No derivative).
