Earlier this year, the Center for Strategic and International Studies (CSIS) Cyber Policy Task Force published a report that made a number of cybersecurity policy recommendations for the 45th Presidency of the United States. As co-chair of the taskforce, I answered questions from The Hewlett Foundation about our recommendations.*
Which of the task force’s recommendations do you think are most critical for the President and his team to focus on in the near term?
Our nation’s security depends on our ability to tackle difficult cybersecurity problems. But the shortage of skilled cybersecurity professionals puts us all at risk. To address this, we are calling for increased funding to support cybersecurity education, training and public awareness. This includes continuing support for existing programs such as the National Initiative for Cybersecurity Education, National Cyber Security Alliance, Scholarship for Service, as well as ambitious new programs funded through the U.S. government.
We recommend mandatory, basic cybersecurity awareness curricula for all students. The goal is to help cybersecurity education become as widespread as traditional civics classes. At the college level, adding security to computer science curricula would help. We’d also like to see higher education institutions, including universities, U.S. military academies, and ROTC programs, offering security research as a separate major, with support and funding for internships and vocational training.
The task force brings together individuals from industry, academia and civil society working in two distinct groups—one on the East Coast and the other on the West Coast. How does such a diverse cohort coalesce around policy ideas?
What brings us together is the commitment to our national and economic security. Our group is eager to advance the cybersecurity industry, and we’re very open-minded about breaking down traditional barriers to succeed.
For example, we have the shared experience of facing the talent shortage. It is frustrating to have to hire inexperienced candidates, delay cybersecurity programs due to unfilled positions, or lose employees after training them because other companies can pay huge sums.
We realized that it is imperative for diverse groups to come together to make these recommendations because the adversaries we face are doing the same in order to profit and/or steal our information. All of us – individuals, corporations and the government – have digitized everything from money and payments, to sensitive records and information, and we will be at even higher risk in the future, as the Internet of Things continues to massively expand the number of connected devices. This leaves us too vulnerable to those who can break into our systems. These adversaries are able to work together across traditional boundaries to achieve their goals, and we need to come together to protect ourselves.
Your own career path has bridged a number of key divides among the cybersecurity community, and you’re seen as a translator between different groups. What would you tell people starting out in cybersecurity about how to bridge the divides in the field?
There is tremendous opportunity for innovative approaches in the cybersecurity communities. I worked in the government for many years, with my last two jobs in the U.S. Senate and the White House, and I was fortunate to be in a position of leadership and look at strategies. After working on policy for the National Security Agency, rethinking federal spending for cybersecurity research and development, promoting new programs to defend our power grid and the military, and debating responses to attacks on our critical infrastructure, it’s easy to see the big picture of the growing importance of the cybersecurity field.
However, when sitting on the National Security Council staff, I’d see other more established fields like nuclear treaty negotiation and natural disaster management, and realize that they are much more mature than my field. In comparison, cybersecurity is much newer and undefined. There is a lot to do: We need to popularize basic security practices, develop solid technical standards, set minimum standards of care for businesses, quantify cybersecurity risk and the value of defensive solutions, craft new policies to prepare us for the future, and debate a range of new laws to advance the field.
We also need new security products and solutions to keep up with the rapid pace of change. People and companies have moved their data from their computers or data centers to the cloud. Older security products aren’t as effective because the older model – too focused on perimeter defense – is no longer effective.
Given that the resources government and industry can bring to bear on cybersecurity challenges will always dwarf that of philanthropy, what can the sector do?
It’s true that government and industry are applying massive resources to the cyber field. In fact, our task force is recommending that industry match government spending for cybersecurity awareness, training and education, as part of a major acceleration of U.S. investments in our cybersecurity workforce.
However, building trust across the different communities is easier said than done. Philanthropic organizations like the Hewlett Foundation are ideally suited to rise above parochial interests and near-term goals, and convene leaders of various communities to find common interests and work together for long-term benefit. Trust building is an art, and the philanthropic sector provides a safe haven to cooperate.
*This article was originally published as a Hewlett Foundation Q&A.