Entrepreneur Jim Rohn once said, “Success is neither magical nor mysterious. Success is the natural consequence of consistently applying the basic fundamentals.” This business truth applies to cyberspace as well.
On March 11, the Cyberspace Solarium Commission released its long-awaited report, which provides more than 80 policy recommendations for “defending the United States in cyberspace against cyberattacks of significant consequences.” While the report is over 180 pages, Senator Angus King (I-Maine) said the report can be summed up in four words — define, develop, defend and deter. I would simplify this further, as these four words can be condensed into one concept: digital resilience.
Digital resilience is an organization’s ability to effectively function through an impairment, to stay operational while minimizing harm, reputational damage, and financial loss, and to recover quickly. Resiliency involves understanding risks, knowing where you fall short, addressing those gaps and reducing your risk potential.
However, digital resiliency is not the result of more laws or increased regulation. It happens when organizations master the cybersecurity fundamentals: knowing what’s on their network, how it’s connected and what’s at risk.
The challenge is that adhering to basic practices – such as monitoring network changes, evaluating devices to see if they are securely configured, and ensuring software is up to date – is mundane compared to other areas of cybersecurity. Under the mounting pressure of keeping up with the barrage of information, these time-consuming basics often appear to be the easiest corners to cut.
However, most data breaches are the result of inconsistency in the above disciplines. Bad actors find opportunity when the fundamentals are neglected. To be effective, government agencies and the organizations that support them need to up-level expectations and insist that the cyber fundamentals are diligently and consistently deployed. This will create and maintain a strong foundation for further cybersecurity efforts.
Adhering to cybersecurity fundamentals would make a noticeable change in the context of ransomware attacks, which are wreaking havoc on state and local governments. Take, for example, the March 2018 cyberattack in Atlanta. Just two months earlier, an audit found 1,500 to 2,000 vulnerabilities in the city’s systems, and it is still unclear which one attackers used to access the city’s network. However, if the security team had been able to automate fundamental tasks to understand what was on the network, how it was connected and what could be at risk, in all likelihood they could have prioritized and addressed the issues that compromised their most reachable, valuable assets. What’s more, when the attack started, they could have quickly investigated and contained the incident to minimize (or prevent) loss.
Resiliency is a core component of deterrence; it requires having planning and infrastructure in place so that an organization can function effectively through an attack and stay operational when one occurs. Currently, any affected part of our government must pay for its own recovery. These events are impossible to anticipate, and they strain budgets in unpredictable ways. For example, to recover from its 2018 attack, Baltimore had to pull money from a fund for parks and public facilities.
With this in mind, I support the recommendation to allow state, local, territorial and tribal governments to declare a “cyber state of distress,” tied to a “Cyber Response and Recovery Fund.” This is similar to how we respond to natural disasters, where affected communities can use federal relief aid and assistance in their recovery process. While this is a reactive measure, a central, designated fund would both help affected governments recover quickly, and send a strong message to bad actors that such attacks do not have the crippling effect they are hoping for. As the report notes, “Resilience … is key to denying adversaries the benefits of their operations and reducing confidence in their ability to achieve their strategic ends.”
Moving on, free and fair elections are fundamental to our democracy and protecting them should be one of our top priorities. To this end, I strongly support the recommendation to “amend the Help America Vote Act to create a fifth nonpartisan commissioner with an established cybersecurity background in order to vote exclusively on issues of or relating to cybersecurity.” The Election Assistance Commission serves an important role in administering grants and providing guidelines and recommendations for elections officials to follow. I think this new commissioner should be tasked with implementing a strategy of digital resilience, which would in turn enhance the EAC’s ability to provide training, resources and capabilities to election vendors and state and local governments. As a result, greater attention will be paid to the cyber fundamentals and our national resilience will improve.
As designed by the Founding Fathers, Congress is extraordinarily thoughtful. However, we must not equate its resulting slow action to inaction. The commission’s momentous effort to produce this report shows that cybersecurity is a priority. To be truly resilient to cyberattacks, our government must support efforts to construct and constantly fortify cybersecurity fundamentals. I am hopeful that this report, and its actionable recommendations, will bolster our resilience and in turn, our democracy.
Ray Rothrock is a member of the executive advisory board for the U.S. Department of Energy’s Gateway for Accelerated Innovation in Nuclear, author of “Digital Resilience: Is Your Company Ready for the Next Cyber Threat,” CEO of RedSeal and Forbes Midas List venture capitalist.