Remember the federal Cybersecurity Information Sharing Act (CISA)? It was a law passed less than two years ago, charged with improving cybersecurity in the United States through enhanced sharing of information about cybersecurity threats between and among the government and companies.
If this slipped by you, you’re excused.
CISA never attracted much media attention and now gets none. It was a flop. Passed after four years of bickering over privacy protections, the voluntary law turned out to be too little too late. Computer attackers grew so much more sophisticated in the interim that the law seemed almost quaint. Legislative sponsors conceded it would have done nothing, for example, to help Sony Pictures Entertainment—the victim the year before of a destructive attack blamed on North Korea—because the attack wasn’t based on previously seen malware.
We could throw up our hands and give up. Or, conversely, we can consider it a valuable lesson and introduce a new and better cybersecurity solution. I propose the latter, and I call it the National Institute of Digital Security—NIDS for short.
NIDS would be an organization funded by both the U.S. government and the private sector and run by experienced business executives, not bureaucrats. Its purpose would be to work with American corporations and citizens to strengthen their security posture, protect intellectual property, and infuse cutting-edge cybersecurity technology—now mostly housed inside the U.S. intelligence community—into the private sector.
I have been exchanging ideas about this with appropriate Washington officials and other select cybersecurity experts, and there are offers of help to turn NIDS or a reasonable facsimile into reality.
Threats ratchet up
Doing nothing is not an option. The sad fact is that companies are on their own in cyber land, and no single firm has all the answers—or anything close to it. We need to create a real solution. Hackers, including nation-states, are more sophisticated than ever and represent a moving, chronically evolving target. Our society needs all the help it can get. In May and June alone, two global ransomware attacks—WannaCry and Petya—infiltrated hundreds of thousands of computers in scores of countries.
America has invested hundreds of billions of dollars in offensive and defensive cyber capabilities. U.S. corporations, universities and research centers have pioneered many of the world’s technological advancements. What is blocking progress is that the U.S. government—unlike Russia and other governments—is not authorized to pass on its technological know-how to U.S. companies and infrastructure.
The most talented would work together
NIDS would work to attract our nation’s top cyber engineers—including engineers from the National Security Agency—to create an efficient national organization that can substantially improve the security posture of all American businesses, enhance basic code development, and push encryption as a standard for everybody.
Instead of the ongoing exodus of federal government-employed cyber experts in quest of higher-paying commercial jobs, the NIDS could be a preferable landing pad for experienced talent from the intelligence community. Cybersecurity software and standards could be distributed, for example, through GitHub, a Git repository hosting service with a web-based graphical interface and other features.
In addition, cyber experts would provide security assessments on-site for transportation, power, manufacturing, medical and defense companies, among others.
The creation of an effective NIDS is plausible. So let’s find, recruit and commission the right leadership to create an organization that would attract the right talent to enhance our security. If you are an American, what goal is more laudable than that?