By: Brandon Borino
April 22, 2022
On March 21, 2022, President Biden released a statement emphasizing the importance of the nation’s cybersecurity due to the increasingly possible threat of Russian cyberattacks in response to the economic costs imposed by the United States on the Russian economy. While the Biden administration has attempted to take steps to strengthen our nation’s cyber defenses through cybersecurity mandates for the Federal Government and those “critical infrastructure sectors” where the administration has the authority to do so, most of America’s critical infrastructure is owned and operated by the private sector. This means that private action is necessary if the nation’s cyberspace is ever going to be a completely safe one.
The United States relies on the private sector for national security more heavily than most countries. Corporations manufacture most of the nation’s arms, produce most of the software and hardware for government computers, and carry out the collection and processing of intelligence and the conduct of covert operations. Historically, the private sector has been hesitant to commit to heightened cybersecurity measures. Arguments for this hesitancy include businesses viewing private sector security requirements as unfunded mandates or a form of taking, but the most likely reason is that businesses are largely motivated by cost-savings and are not as concerned with the protection of information. However, with the recent SolarWinds and Kaseya cyberattacks, the private sector is starting to take the necessary steps to create a safer cyber environment. For example, Microsoft has pledged a $20 billion investment in cybersecurity over the next five years and Google has committed to investing $10 billion over five years to strengthen cybersecurity and to train 100,000 Americans in technical fields. In addition, IBM has stated that it would train more than 150,000 people in cybersecurity skills in three years and also announced a new data storage solution for critical infrastructure companies.
This shift in the tide of cybersecurity is the perfect opportunity for the Biden administration to ensure that the private sector is protected by offering guidance within the field. President Biden could do this by looking at how our allies have responded to the threat of cyberattacks. For example, in the UK, as in the United States, much of the nation’s critical infrastructure is owned by the private sector. In 2021, the British government launched a new National Cybersecurity Strategy which aims to act as the blueprint for protecting the UK from cyber threats. The new strategy is supported by a £2.6 billion investment in cybersecurity by the British government. Some of the specific actions the strategy plans to implement include the following:
- “Bolstering law enforcement with ‘significant funding’ so that they can ramp up their targeting of criminals;
- Increasing investment in the National Cyber Force which represents the UK’s offensive capability to counter, disrupt, degrade and contest those who would do harm to the UK and its allies;
- Expanding GCHQ’s National Cyber Security Center’s research capabilities, including the new applied research hub in Manchester;
- Implementing the Product Security and Telecommunications Infrastructure Bill to enforce minimum security standards in all new consumer smart products; and
- Investing in public sector cyber security to ensure that key public services remain resilient to evolving threats and can continue to deliver for citizens who need them.”
One reason that the UK has been able to be so proactive in the cyber field is that it has adopted a centralized approach to regulating cybersecurity requirements, whereas government agencies in the United States “handle cyberregulation and threats in the sectors they oversee.” While Americans are typically more wary of regulation than other countries, cybersecurity may be a field in which centralized regulation is needed. According to Fred H. Cate, the director for Applied Cybersecurity Research at Indiana University, “[a]lthough it’s often preferable to let markets create appropriate incentives for desired behaviors, in some instances, government intervention is necessary. Information security is one of those instances. The threats are too broad, the actors too numerous, the knowledge levels too unequal, the risks too easy to avoid internalizing, the free-rider problem too prevalent, and the stakes too great to believe that markets alone will be adequate to create the right incentives or outcomes.” Further, a centralized system makes sense from a private-sector perspective. “Almost every industry runs its computers on one of three operating systems: Windows, macOS and Linux. In many cases, they also use the same business software — a defense contractor’s payroll system isn’t much different from a pharmacy’s.” A centralized government system would allow for a more efficient and effective sharing of information between the private sector and the government, which would make cross-industry vulnerabilities easier to identify and solve.
If the United States plans to stay competitive on a global scale, cybersecurity threats need to be taken seriously and substantial changes need to be made to the government’s approach to dealing with them. The opportunity to do so has never been greater than it is now, with the private sector displaying a willingness to set aside its typical cost-saving view regarding cybersecurity and begin taking the necessary steps to create a safe cyber environment. In response, President Biden’s administration should find guidance in the strategies implemented by our allies to strengthen their cybersecurity and begin working on an effective overhaul of our current system to ensure that the United States is in the position to take on and deter any foreign cyberattacks.