By Patrick Gaul, Executive Director, National Technology Security Coalition
2019 offered a mix of good news and bad news related to national cybersecurity policy. State data privacy laws proliferated, prompting significant thinking about a federal standard. The cybersecurity workforce talent gap grew wider even as more ideas emerged to address it. Threats to critical infrastructure increased, and the federal government demonstrated it takes these risks more seriously. The cybersecurity partnership between the public and private sectors continued to improve, even as cyber threat intelligence exchange still suffered from lingering issues. And we still lack a federal data breach notification standard despite increasingly severe and frequent data breaches.
In other words, our most important work remains largely ahead of us. Derived from our board of Chief Information Security Officers (CISOs), the National Technology Security Coalition’s (NTSC) policy priorities in 2020 focus on reasonable standards, workforce development, and national security. CISOs, a historically unheard voice in Washington D.C., are an important source of information for lawmakers. When considering the CISO’s perspective, the following policy priorities emerge front and center.
Despite bipartisan support, we still currently do not have a national data breach notification law. After a data breach, CISOs must individually report to 50 states, the Virgin Islands, Guam, Puerto Rico, and the District of Columbia. Consumers are not protected equally in all states, so it’s reasonable to challenge why so many different and varied laws exist rather than a nationally agreed upon set of data breach notification standards.
The steady pace of cyberattacks is compromising both intellectual property and millions of records that include personally identifiable information (PII). The EU’s General Data Protection Regulation (GDPR), which came into effect in May 2018, is the most prominent example of the global rise of regulatory frameworks focused on data protection. Coupled with the January 2020 enactment of the California Consumer Protection Act (CCPA), we are seeing a preview of stringent regulations that other states could adopt.
An effective and meaningful approach toward data privacy is a single comprehensive bill—avoiding the flaws of GDPR or a flurry of state laws such as the CCPA—that addresses how we define and protect data, establishes minimum standards of care, and outlines uniform notification rules. Unitary requirements would ensure that citizens have equal protection wherever they reside or wherever their data is stored.
Research shows that diversity within teams also produces diversity in thought. Because many cybersecurity problems we face are unprecedented and unique, we need critical thinkers from all backgrounds to solve these problems. Our current cybersecurity talent shortage originates mostly from a lack of experienced mid-level cybersecurity professionals. Churning out more cybersecurity graduates will not solve this problem. We need to establish a federally funded apprenticeship program that adds headcount to the cybersecurity workforce while giving people the experience the private sector needs.
With efforts from entities such as US Cyber Command and the Cybersecurity and Infrastructure Security Agency (CISA), the government has taken a more proactive approach to cyber defense. Yet, the majority of the nation’s critical infrastructure is owned by the private sector—which is why CISA and US Cyber Command have focused on protecting it more as part of their evolving missions.
As the lead federal agency responsible for coordinating the protection of our nation’s critical infrastructure from physical and cyber threats, CISA is leading an effort to work with federal and private sector partners to exchange threat intelligence and manage risk. The NTSC supports dialogue and partnerships between federal government entities such as CISA and the private sector cybersecurity community around protecting critical infrastructure.
A strong public-private partnership affects the security of companies, the protection of personal data, critical infrastructure, and national security. We need improved cyber threat intelligence sharing, more dialogue between the public and private sectors, and a positive relationship between law enforcement and the private sector—working together on tasks impossible to solve alone such as deterring nation state attacks or elevating the nation’s investment in quantum computing and AI.
It’s important to create the right cybersecurity foundation now so that we mitigate risks to our national security and economy. Focusing on these five policy priority areas in 2020 will help improve our country’s cybersecurity posture, strengthen national security, and assist private sector CISOs in securing the companies that form the backbone of our economy and critical infrastructure.
Patrick D. Gaul is the Executive Director of the National Technology Security Coalition (NTSC), a non-profit, non-partisan organization that serves as the preeminent advocacy voice for Chief Information Security Officers (CISOs) across the nation.