The current strategy of placing the burden of cyber security on end users, businesses and individuals, is failed instead should rest with the U.S. government, which has the primary responsibility of protecting the nation, a former FBI official told a Senate panel on May 10.
“We recognize the inevitability of targeted cyberattack, and are more likely to consider those who suffer computer breaches to be victims, rather than culprits,” Steven Chabinsky, at one time the FBI’s top cyber lawyer, acting director of the Joint Interagency Cyber Task Force, and senior cyber advisor to the Director of National Intelligence, said in his prepared statement to the Homeland Security Committee. “We believe that the government’s primary role is to protect its citizens (and business interests), rather than to enable citizens and business somehow to protect themselves against foreign aggression, and against all odds.”
Chabinsky, who is global chair of Data, Privacy and Cyber Security with the law firm White & Case, testified for himself. He stated the current strategy of cyber risk management plans, regulations, and information sharing, network monitoring, workforce development and increased spending, is “a failed strategy, and that doing more of the tactics that underlie that failed strategy is an exercise in futility with diminishing and even negative returns.”
Chabinsky cited former President Barack Obama’s White House Cyber Commission Report from December 2016, for which he was one of 12 members on a non-partisan commission that issued the report, which stated that “to the maximum extent possible, the burden for cybersecurity must ultimately be shifted away from the end user—consumers, businesses, critical infrastructure, and others—to higher-level solutions that include greater threat deterrence, more secure products and protocols, and a safer Internet ecosystem.”
The elements of higher-level solutions include increased threat deterrence, more funding for a safer Internet ecosystem, market transparency of security such as security labels on products, focused efforts on threats to wireless capabilities, developing and sharing security metrics that work, and promoting legal certainty and harmonization.
Brandon Valeriano, a professor at the Marine Corps University and an adjunct fellow at the libertarian think tank Niskanen Center, said in his prepared statement that overall, government systems have “remained remarkably resilient in the face of cyber challenges,” adding that, “There has been no death and destruction in the domain.”
Cyber operations aimed at a obtaining a specific response from an entity may work but “are costly and enable further digital malevolence by breaking down norms against cyber harm,” Valeriano said. “Cyber deterrence is non-existent and an empty buzzword devoid of real meaning.”
He called for sticking with the current strategy of focusing on “defensive measures, restoring resiliency in the civilian population, hardening popular targets, and seeking to better understand the process of cyber conflict.”