Sprinkles from the Left

The Left argues stronger government regulation is needed to address the cybersecurity situation in the U.S., which many commentators characterized as woefully inadequate.

There have been three major cyber catastrophes already disclosed this year: the Solar Winds breach, where a Russian intelligence agency allegedly exploited a software update model to burrow who knows what into thousands of corporate and government servers; an attack originating in China used rented servers inside the United States to invade unpatched Microsoft Exchange servers, affecting, according to estimates, tens of thousands of servers; and an unknown perpetrator hijacked a developer tool called Codecov to sneak spy software into thousands of systems.

Alone, any of these attacks would be a crisis. Together, they’re a catastrophe with no sign of stopping. Bob Gourley, a former chief technology officer of the Defense Intelligence Agency and a voice of sanity in the cyber world, puts it this way: “the point to ponder: will we continue to see one of the most devastating attacks in history every two months? What can we do to slow the rate? What will adversaries do to increase the rate?”…

The only way to deter cyberattacks is to raise the cost would be the attackers must pay for attacking any given system. War metaphors are overwrought and unhelpful here despite their popularity; the physics of the digital world is different enough to make most meaningless. I’ll just say plainly that the threat is one that requires persistent engagement and personal resilience. And that in until those things have improved, America remains very vulnerable to the next ransomware attack.

Marc Ambinder, senior fellow at the USC Annenberg Center for Communication Leadership and Policy (published in MSNBC)

The six-day shutdown of a key 5,550-mile fuel pipeline earlier this month after a malware attack proved a case study of all the things that can go wrong when the private sector, which controls crucial parts of American infrastructure, drops the ball on cybersecurity and the government doesn’t have the ability to adequately prevent cyberattacks or control the fallout…

Holding those in control of American fuel supplies, electrical grid, transportation systems, and other key infrastructure components accountable and responsible for keeping their information systems secure is a tangible first step Congress should take now.

Editorial Board, Boston Globe

Network-based cybersecurity efforts are hard, make no mistake about it. The success of such efforts depends on far more than the application of technology; it also requires the enforceable establishment of behavioral expectations for the networks. Developing such oversight does not mean allowing the companies to do as they please; nor does it need to be an adversarial relationship between the FCC and the network providers.

As the suppressed FCC paper on cyber oversight discussed, there is a tension within network companies about investing in non-revenue enhancing activities such as cybersecurity. This is further intensified by the “weakest link” reality that one company’s investment can be compromised by the failure of another company to make a similar commitment…

Such a decision is simply too important to be left to the individual determination of the companies themselves. The FCC is the agency with the authority and responsibility to establish enforceable cybersecurity expectations for the nation’s commercial networks. One of the reasons companies regulated by the FCC do not want it to exercise its cyber authority is because it is too rigid and bureaucratic. The companies’ complaint has some merit to it, but that does not mean the FCC should abrogate its responsibility…

The long-term cyber goals of the FCC and industry should be in alignment. The FCC should not allow short-term profit considerations to detract from its responsibility to focus on long-term solutions. At the same time, the companies should recognize that secure networks generate consumer and investor confidence, subscriber usage, and economic growth.

Tom Wheeler, visiting fellow in Governance Studies at The Brookings Institution. Wheeler is a businessman, author, and was Chairman of the Federal Communication Commission (FCC) from 2013 to 2017.

Sprinkles from the Right

The Right argues the government should increase and strengthen collaboration with the private sector in order to address the cybersecurity situation in the U.S., which many commentators characterized as woefully inadequate.

This starts with the federal government improving its interactions with private industry—the companies and enterprises that comprise the overwhelming majority of our exposure to cyber threats…

Washington needs to protect Americans by bringing bad actors to justice and striking back against those who would do the U.S. harm, whether at home or abroad. This is why we recommend strengthening the military’s Cyber Mission Force and improving the government’s tools for conducting international law enforcement, imposing sanctions and engaging other states diplomatically. All these measures will help ensure that America has the appropriate military and nonmilitary capabilities.

Angus King, an independent, is a U.S. senator from Maine. Mike Gallagher, a Republican, represents Wisconsin’s Eighth Congressional District (published in the WSJ)

There have been several legislative fights over cyber bills. While some have characterized these as partisan battles that have left America exposed to a growing variety of cyber threats, this is not generally true. Many cyber bills have had bipartisan support as well as bipartisan opposition. The fight is not over a need for appropriate cyber legislation; the fight is over how to define “appropriate.”

One of the main points of contention is the degree to which federal regulatory powers should play a role in cybersecurity. Many seem to think reflexively that this 19th-century solution is the answer. Those with a little more understanding of the dynamic and fast-moving nature of cyber threats see regulation as far too slow and clumsy, and recognize that it might actually hinder security by building a culture of mere compliance with regulations and a false sense of security against enemies who are agile, motivated, and clever…

To address this growing threat, the U.S. should leverage the forces of the market, motivating the private sector to make the sort of continual and dynamic investment needed to secure the country’s diverse cyber networks.

The Heritage Foundation

The CEA [Council of Economic Advisers] documented how the costs of cyberattacks on one firm spill over to economically similar firms or firms linked through supply chains. Cyberattacks on one target also expose other firms to costs as they expose vulnerabilities in cybersecurity and technology that are shared across multiple firms and industries…

The rising costs of cyberattacks, the associated negative externalities, and the particular interest in protecting critical infrastructure present the federal government with an important role in enhancing cybersecurity. In 2018, the Trump administration issued for the first time in 15 years a National Cyber Strategy. The strategy outlined a number of priorities that could help close the private cybersecurity investment gap. These priorities include incentivizing cybersecurity investments, improving cyberattack reporting, and expanding and equipping a highly skilled cybersecurity workforce. Additionally, the CEA identified information sharing and transparency, cybersecurity standards, and investment in cybersecurity research and development as important areas for federal policy to address.

The Biden administration should build on the Trump administration’s strategy to confront the rising security and economic threat of cyberattacks. Although the ransom decision itself might be a “private sector decision,” cybersecurity is a common good that requires prioritization by the federal government.

Cale Clingenpeel, Chief Economist at the AMERICA FIRST POLICY INSTITUTE and served in the Trump Administration as Senior Adviser to the Chairman of the White House Council of Economic Advisers (published in National Review)