Introducing a three-part blog series by Illumio Head of Cybersecurity Strategy, Jonathan Reiber, on signs of progress in cybersecurity: his views, analysis, and advice.
Prior to joining Illumio, I spent two years on a writing fellowship at Berkeley’s Center for Long-Term cybersecurity and before that seven years at the Pentagon focused in large part on cybersecurity and cyber policy. For most of that time it felt like cyber folks were in a world of our own. Policy people assumed we were coders or engineers. The general public often assumed we were overreacting or, if not, hoped we knew what we were doing. In those early years we celebrated victories – the launch of U.S. Cyber Command in 2009, the President’s first international cyber strategy in 2011 – but the public didn’t pay all that much attention to the issues at stake. Like how some people erroneously see climate change, perhaps they saw cybersecurity as a future problem that was too complicated to address easily.
Then things changed.
Breaches increased in severity. In 2013, the U.S. Director of National Intelligence moved the cyber threat ahead of terrorism as the number one strategic threat to the United States for the first time. Then came the Russia interference in the 2016 U.S. presidential election and a flurry of activity across every branch of government, in board rooms, and the media. What was once a niche domain for nerds has become a mature and complex field.
Here's why I think we should be hopeful for progress in the coming years.
Public attention on cybersecurity is higher than ever. As our society has grown more digitally-focused and dependent, cybersecurity risks from IP theft to destructive attacks have increased. There is a palpable concern over foreign interference in future elections and other elements of daily life.
We've passed a tipping point.
The cybersecurity community’s long-held and deep-rooted fears about destructive attacks on critical infrastructure, such as the electric grid, have morphed to include a real, present threat of data manipulative attacks on political information, health data, legal data, or physical objects in motion, like yachts or ships. The world is scared and paying more attention.
Institutions are getting stronger. In 2010, when I began working on the Defense Department’s first cyber strategy, there were no major public government strategies on the issue. Today we have a slew of strategies for every agency and company, including the Department of Justice’s excellent new approach, published this July. DoD is now on its third edition. Despite what some reports may say, the Defense Department, the Federal Bureau of Investigation, the intelligence community, and the private sector are all increasing their cybersecurity capabilities. Talented leaders that got their start in the field are now taking major positions at agencies and organizations.
The media has matured, too. Back in 2010, only a few reporters covered the story well, Ellen Nakashima of The Washington Post among them; now, the Wall Street Journal and New York Times each have multiple cybersecurity reporters and POLITICO’s Morning Cybersecurity is required daily reading for the field. With a new and dynamic editor at the helm, WIRED magazine is having a heyday and subscriptions are up. There is an increasing level of maturity about how the world writes and thinks about cybersecurity. All of this is to the good.
So, what were the big, real data points from this spring and summer that show progress?
First came the U.S. government's March attribution of Russia's intrusions into elements of U.S. critical infrastructure and the energy grid, and the concurrent announcement by the U.S. Treasury Department that it would sanction Russian entities.
Second came Mark Zuckerberg's testimony to Congress about the steps that Facebook is taking to protect user data and privacy, and the additional social media company hearings and briefings that have followed since.
Third came the spring entry into force of the European Union's General Data Protection Regulation, and then, this fall, Colorado and California’s passage of state legislation increasing data protection and privacy in those states.
Each of these events shows agencies and branches of government working to address hard problems. Let’s take each in turn.
The March attribution was one of the most significant admissions of Russia’s activities by the U.S. government to date. It showed the world not only that Russia meddled in the 2016 U.S. presidential election, but that they carried out the terrifying infrastructure intrusion that many long feared: they broke into aspects of the U.S. electric grid, potentially to shut it off at some point like they did in Ukraine. Regardless of Russia’s intentions, the presence of Russian malware on the electric grid is escalatory. Attribution and sanctions can help deter future bad behavior by imposing costs and clarifying norms – and the more the government imposes costs on bad actors, the more states may think twice before they click enter.
Then came the Zuckerberg testimony in April. This testimony was about how Facebook would protect user data going forward. Zuckerberg’s testimony is worth listening to in full to gain sense of the role social media plays in shaping perceptions; to understand the differing (and sometimes similar) views of those working in Silicon Valley and Washington, D.C.; and, most importantly, to understand the ways technology companies and the government need to work together to solve complex problems in the digital age. Social media and IT companies are working to modify their terms of service agreements and algorithms and security – and that’s all to the good. But comprehensive solutions will require close collaboration.
Which brings us to our third point, the passage of GDPR and the California and Colorado data privacy laws. GDPR reflects a strong focus on securing individual data with its "right to be forgotten," breach notification requirements, and heavy fines for non-compliance. Companies may quibble with parts of each law, but these laws will help improve our collective cybersecurity.
Today the United States does not have a national data privacy and protection law. State laws exist because of a lack of federal guidance for protecting their constituents' interests. And the passage of GDPR has certainly influenced U.S. states and the U.S. Congress. Federal data security and privacy legislation seems increasingly plausible. Some leading Silicon Valley executives are advocating for it; Senator Mark Warner (D-VA) recently released a set of propositions to shape the debate. We might even expect progress on this issue over the coming year.
It's easy to look at the world on any given day and say that things look grim, to be an Eeyore.
There will always be setbacks, but the net trendline points towards growth.
For those of us who weren’t focused on cybersecurity prior to 2016, and for those of us that have never worked inside the federal government, it's also easy to wonder whether anything useful has been done by the government in this space. But the facts of recent months indicate that institutions are growing stronger.
Our national level of awareness about the issue is up, and that helps companies make smart cybersecurity choices. Getting companies to spend on cybersecurity is a bit like life insurance. Sometimes it takes an outside force, like the birth of a child, to nudge a person forward. The exponential increase in breaches and public attention now helps to perform that function. Cybersecurity spending is up, as it should be. Organizations are coming to grips with risks. Nothing is perfect, but the signs should leave us a bit more optimistic for progress.