As the administration of U.S. President Barack Obama begins to wind down, much of Washington’s national security community is working to deliver the next president with fresh ideas on cybersecurity. No matter what these groups recommend, the next president would do well to recognize that the Obama administration has found what is likely the only workable strategy: making it a private sector responsibility.
A recent poll found that cybersecurity ranks second only to terrorist attacks on a list of U.S. security fears. This anxiety, and the frequency of data breaches, has made it easy to forget that the benefits of Internet connectivity far outweigh the risks that businesses and governments face from cyberattacks. The Obama administration’s approach to cybersecurity has focused on preserving and extending the Internet as a platform for increased efficiency, economic transactions, and the exchange of ideas. Although cyberthreats pose real risks, any workable approach to cybersecurity must address these problems in ways that increase the value of the open and innovative Internet. Solutions that focus on putting the military in charge of cyber security or the creation of borders in cyberspace would harm the digital economy more than they would help. Realizing this, the White House has focused on helping the private sector protect itself, instead rather than trying to make cybersecurity a government responsibility.
DO NO HARM
As appealing as it seemed for Washington to take cybersecurity responsibilities out of the hands of private enterprise, the costs and consequences of an expanded government role would do more harm than good. Few private sector executives like the idea that they are responsible for securing their own networks and data, especially against foreign militaries and intelligence agencies. Effective cybersecurity is costly, and defense against foreign agents appears to be a government task on the surface. But making cybersecurity a government responsibility would come with a set of costs that far outweigh the benefits.
When U.S. banks were attacked by Iran in 2013, they pressed U.S. Cyber Command to carry out a counteroffensive that would shut down the attacking computers. For both technical and legal reasons, the U.S. government did neither; instead, the White House opted for a more limited approach. The Department of Homeland Security coordinated remediation, collecting information from the banks on which computers were attacking them and passing this information on to Internet service providers in the United States so they could notify any of their customers whose computers had been unwittingly used in the attack. Meanwhile, the Department of State asked foreign governments to do the same thing overseas.
Loading, please wait...