He called for a “cyber social contract” that would reimagine and clarify what “the U.S. government, firms, and individuals owe one another in cyberspace” in a recent Foreign Affairs article, co-written with Harry Krejsa, acting assistant national cyber director for strategy and research.
“The United States needs a new social contract for the digital age — one that meaningfully alters the relationship between public and private sectors and proposes a new set of obligations for each,” Inglis and Krejsa wrote.
Inglis and Krejsa rejected the idea that small organizations and users can do enough on their own to solve the problem. These smaller players can help avert some attacks by adopting defensive tools and strategies like multifactor authentication, but beating back cyber threats and establishing long-lasting security requires coordinated action from entities with greater resources and reach, they wrote.
“A durable solution must involve moving away from the tendency to charge isolated individuals, small businesses, and local governments with shouldering absurd levels of risk. Those more capable of carrying the load — such as governments and large firms — must take on some of the burden,” Inglis and Krejsa said.
A new “framework for collaboration” should spell out how public and private entities should cooperate and what their respective responsibilities are, they said.
The article also envisioned a new outlook on cyber defense.
Current cybersecurity efforts tend to focus on responding to attacks, but the U.S. needs to shift toward proactively changing the landscape so that fewer opportunities for attacks exist, Inglis and Krejsa said. Successful efforts would mean not only preventing disasters but also creating the safety needed for technologies to flourish, which would provide an economic boost.
Federal-Private Collaboration
The federal government should partner more closely with private firms and share detailed threat intelligence, Inglis and Krejsa wrote. In turn, companies that develop hardware and software must prioritize the security and resilience of their products and processes as opposed to how quickly they can introduce a product.
Market forces won’t be enough to encourage companies to do their part, and so other methods must push change. Those methods include creating new federal standards and incentives as well as giving companies information to guide changes.
Private- and public-sector defenders must understand their responsibilities and how to work together to respond to attacks, Inglis and Krejsa said. Working together will require communicating across different sectors.
Information sharing and analysis centers (ISACs) are one good model for how to do that, they said. They highlighted the just-launched Cyber Safety Review Board and the 7-month-old Joint Cyber Defense Collaborative as good examples of collaboration.
More is needed, however, so the authors called for, among other things, the Cybersecurity and Infrastructure Security Agency to lead whole-of-nation training exercises to prepare for high-scale cyber emergencies.
The Office of the National Cyber Director has a key role to play in evaluating cooperation efforts to fix any issues and helping “translate” the government to the private sector. The office would also oversee federal agencies’ cyber budgeting and action plans.
Big Visions
Rules and policies to make cyberspace more secure are more likely to encourage technological development than hold it back, Inglis and Krejsa wrote. They argued that technology development and adoption could occur faster if individuals and organizations trusted the safety and reliability of the Internet and digital data.
For example, autonomous vehicle use currently is held back by the risk of hackers compromising the software systems guiding the vehicles. Such threats need to be conquered for fully autonomous vehicles to become practical, Inglis and Krejsa said.
Better cybersecurity would also lay some of the groundwork for enforcing data privacy, which would unlock both social and economic benefits. Stronger privacy is key for both meeting Americans’ expectations and allowing businesses to work more easily with countries that already have privacy protection requirements.
Improving cybersecurity would also bring greater international security and help the U.S. curb digital attacks, espionage and manipulation campaigns from cyber-savvy adversaries like China and Russia, Inglis and Krejsa said.