Can government alone protect cyberspace?

A former White House cyber specialist argues that government will be overwhelmed if it has to tackle threats alone.

 

Will the federal government be overwhelmed as the sole entity responsible for identifying, protecting and responding to threats in cyberspace?

At least one cybersecurity expert thinks the answer is a resounding "yes".

Jason Healey, a senior fellow at the Atlantic Council and the former director of cyber infrastructure protection at the White House, argues that the current cybersecurity strategy must be reimagined, starting with articulating the goal of the strategy itself and focusing on what has – and has not – worked in the past.

In his paper titled "A Nonstate Strategy for Saving Cybersecurity," Healey wrote that thinking about cybersecurity suffers from fundamental misunderstandings of the dynamics of cyber conflict. As our dependence on cyberspace continues to grow, he posits, "the only way to ensure cyberspace remains as free, resilient, secure, and awesome for future generations is to flip the historic relationship between attackers and defenders of the Internet," in which attackers have had the advantage.

At a Jan. 11 event devoted to a discussion of the paper, Healey said that, "Even if that turns out to be ultimately impossible, it needs to be our goal, because if that's our goal, now we can develop metrics to measure which protectionary tactics are more effective than others."

He also contended that government overestimates "the effectiveness of public-sector action to solve cyber problems."

The Obama administration "overall has done a solid job" of prioritizing cybersecurity, Healey said at the event, noting that some of the fiercest challenges likely lie in the future, and that government will need to look to nonstate actors for strategic help as threats continue to evolve.

The "most important recommendation" for the Trump White House, Healey said, is the issuance of a "single, overarching national cyber strategy to balance competing priorities, built around making defense easier than offense through a nonstate-centric approach."

Healey also lamented the increasing militarization and offense-dominant focus on cyber, and suggested civilian agencies would be better served by federal cyber hubs.

To successfully enact and achieve this defense-first strategy, Healey stipulates that nonstate participants must include independent security researchers, cybersecurity companies, major technology companies, and volunteer response groups that extend beyond industry.

"Few, if any, major internet crises have ever been decisively resolved by any government," he wrote. "Wherever possible, solutions to governance, regulation, protection and response must stem from this core" of nonstate actors.

Healey made clear that government will still play a critical role in protecting cyberspace, and that including nonstate actors does not mean government is "relinquishing authority, but recognizing that there are nine players on the baseball field, and a nonstate actor is usually closest to the ball and able to make the play."

However, making sure these voices are brought to the discussion table and heard by the next administration could be a challenge, Healey told FCW.

While Trump has surrounded himself with generals who will likely have his ear on cybersecurity matters, appealing to the president-elect's business instincts by pointing out the commercial -- as well as national security -- impacts cyber threats pose could get his attention, Healey said. He added that recent reports produced by the Commission on Enhancing National Cybersecurity and the Center for Strategic and International Studies could serve as a helpful framework.

Healey also said he has met with Tom Bossert, Trump's homeland security adviser, and is optimistic about Bossert's reception of the report.

"He likes the strategy," Healey said.
