page image

Foreword

In 1858, a public health crisis gripped the city of London. Successive cholera outbreaks spread by contaminated water were killing thousands. The river Thames was so polluted that Parliament refused to meet. As London’s population exploded, no one had invested in the basic wastewater infrastructure necessary to manage the consequences of cramming millions of people into one of the world’s first metropolises. After decades of failing to safeguard access to clean water, the government finally embarked on an unprecedented civil works project to retrofit the entire city with its first sewer system.

Cyberspace today resembles London in 1858. Just as water provides the foundation for human health, the Internet has become the delivery platform and interface for nearly every aspect of our economy and daily life. And like the cholera that thrived in the polluted waterways of London, malicious actors are exploiting our society’s stubborn reluctance to invest in the security and resilience of our technology. We built our digital society on a shaky foundation, entrusting our most critical data and activities to systems and tools that were not originally designed with security as a core objective. The revolutionary openness of the Internet was world-altering, but today that very same openness increasingly is used as the vector to poison the entire digital ecosystem. And we simply do not have the infrastructure, practices, and institutions to disinfect it.

We consistently underestimate how bad actors might weaponize our technology against us and cause real harm. During the COVID-19 pandemic, we have seen nation-states target the intellectual property of drug developers and criminal groups disrupt already-stressed hospitals with ransomware. A denial-of-service attack shut down the New Zealand stock exchange. All manner of actors are spreading mis- and disinformation about the sources of coronavirus, dangerous and unconfirmed treatments, stay-at-home orders, the efficacy of vaccines, and more.

Yet despite more than a decade of studies, warnings, and high-profile attacks—including incidents that cost companies like Merck, Maersk, and FedEx hundreds of millions of dollars—the government’s investment in cybersecurity prevention and response falls woefully short. After the 9/11 attacks, the U.S. government wholly and totally committed to confronting terrorist organizations. It created a new cabinet department (the Department of Homeland Security) and new federal leadership (the Office of Director of National Intelligence and National Counterterrorism Center). It designated billions of dollars of funding toward state and local preparedness. The entire federal apparatus mounted a herculean effort to reorient budgets, processes and priorities.

We see no similar mobilization toward securing the Internet and our digital lives. Warnings of a “Cyber 9/11” have not supplied the trigger. Neither have the untold billions of dollars in damages already caused by cybercrime, ransomware, intellectual property theft, and espionage.

The cybersecurity community’s tendency to treat cybersecurity as a problem to be solved has not been effective. Instead, we need to convey cybersecurity as an inextricable element of the digital infrastructure on which all society’s priorities depend. Cyberspace is modern life, and we simply cannot use it without cybersecurity. It is critical to the way we work, the way we bank, the way we shop, the way we drive. The unprecedented events of 2020 have underscored that technology and security are now also central to the way we vote, the way we deliver health care—even the way we spend time with our loved ones amid a pandemic. With as many as half of the American workforce operating from home, multinational corporations are running on Zoom and Slack. Digital technology should be treated like water and cybersecurity as the foundation for keeping it clean. As our digital dependencies intensify, our way of life will not be possible without better cybersecurity risk management. Digital resilience must become central to everything we do.

As the White House changes hands and Congress begins a new term, there is ample opportunity to find bipartisan consensus on key cybersecurity priorities. This document outlines achievable action steps for federal policymakers to make rapid progress toward a more resilient digital infrastructure. Some can be accomplished in weeks or months; others will take years. Fortunately, the federal government is not alone. Cyberspace is ultimately the domain of civil society and private enterprise, sectors teeming with experts who can guide the White House and Congress as they grapple with the difficult tradeoffs inherent to any cybersecurity policy decision. In crafting the National Cybersecurity Agenda, the Aspen Cybersecurity Group sought input from a diverse network of partners in academia and industry. Together, we stand ready and willing to assist policymakers in cultivating a secure, reliable, and productive cyberspace.

 
 
Title Goes Here
Close [X]