The U.S. Needs Cybersecurity Now: Public-Private Partnerships, Not Top-Down Rules

As America reels from the devastating consequences of the coronavirus outbreak, it’s hard to imagine a more serious national challenge than COVID-19. But another national threat is steadily building in the background: the threat of a cyberattack on America’s critical infrastructure. And the cost for being unprepared to meet this threat would be enormous.

That’s the warning issued in the recent U.S. Cyberspace Solarium Commission report. Sen. Angus King (I-Maine), co-chair of the commission, said in an interview, “We want this to be the 9/11 Commission Report without the 9/11.” America needs to step up its cybersecurity strategy, and it needs to do so now before it’s too late.

There’s no argument that the commission’s report speaks to real issues in a timely way. The commission absolutely must be commended for thinking strategically and creatively about America’s very pressing cybersecurity challenges. While the report includes recommendations to enhance America’s cyber strategy, it also includes several controversial proposals that are more aspirational than practical. The decision to address risks head-on is admirable, but the report is hamstrung by a fundamental flaw.

It fails to recognize that the future of cybersecurity rests on innovation – through a joint effort between the private and public sectors. The commission’s mistaken approach may be a feature of its composition.

The commission was established as part of the National Defense Authorization Act of 2019, and is led by 14 commissioners with a vast array of expertise in national defense and security. What is overwhelmingly excluded, however, are leadership voices from the very sectors most impacted by these proposals. This exclusion has had consequences for how the commission’s report construes the state of cybersecurity today, and how best to improve it.

Approximately 85 percent of critical infrastructure in the United States, from telecommunications to financial services to transportation, is owned by the private sector. The United States government, however, has a long history of public-private cooperation with the owners of these valuable infrastructure services, a history the commission’s report mostly ignores.

The Automotive ISAC, for example, joined a Cooperative Research and Development Agreement with the Department of Homeland Security in a shared effort to combat cyber threats that target vehicles. In the tech sector, the Consumer Technology Association and USTelecom developed the Council to Secure the Digital Economy. This project works closely with the National Institute of Standards and Technology, the National Telecommunications and Information Administration and the Department of Homeland Security to craft cybersecurity standards, including for connected internet of things devices such as drones and smart home products.

The commission’s report excludes this private sector work and doesn’t prioritize public-private partnerships and collaboration; rather, the commission’s report encourages a “big government” approach to cybersecurity that largely cuts out private sector contributions.

One of the report’s flagship recommendations is for Congress to create a National Cybersecurity Certification and Labeling Authority – a government-led effort to establish and manage a program for voluntary security certifications and the labeling of tech products. However, this recommendation would empower NCCLA to impose one-size-fits-all rules on tech companies without any real input or participation from the industries it would regulate. And this input matters, given the scope of the challenges in certifying and labeling diverse consumer products. If executed incorrectly, the NCCLA would devise costly, cumbersome and vague rules that stifle innovation where the U.S. should be encouraging it.

What’s more, the report recommends that Congress create a “duty of care in law,” meaning that consumers could sue manufacturers for security flaws – even in devices that are 10 or 15 years old, or based on vulnerabilities that emerge well after a device’s manufacture or sale.

This proposal would be detrimental to innovators, resulting in crippling uncertainty for small and large businesses alike.

To be fair, several of the report’s more than 75 recommendations are sound and well-advised. I applaud the commission’s insistence that Congress pass a national privacy law for data protection, and I agree we could benefit from new policies from the executive branch and from Congress that bolster the cyber workforce.

Overall, the main emphasis of the report is on “big government,” but our collective cyber challenges will be better solved by cooperation between the public and private sectors. The big government approach of top-down rules assumes that tech companies don’t have a strong incentive to implement cybersecurity best practices. They do! CTA member companies take cybersecurity very seriously – as part of a business model that generates successful, valuable and forward-thinking tech innovation.

At CTA, we look forward to working with all parties, public and private, to produce secure products that protect consumers, defend American infrastructure and improve lives. There needs to be a government partner, and CTA member companies are ready to work with the government to ensure cybersecurity challenges are addressed. Together, the private and public sectors can get America’s cybersecurity on the proper footing before it’s too late.

Gary Shapiro is president and CEO of the Consumer Technology Association, the U.S. trade association representing more than 2,000 consumer technology companies, and a New York Times best-selling author. His views are his own.
