Contributing Writer

What Should the 114th Congress Do About Cybersecurity in 2015?

Jan 05, 2015
Cisco Systems, Cybercrime, Data and Information Security

Bellicose rhetoric and intelligence sharing aren’t enough; the U.S. needs a comprehensive cybersecurity strategy ASAP.

It’s 2015 and the GOP-dominated 114th Congress returns to Washington tomorrow. After years of maintaining a hands-off approach toward cybersecurity, the new Republican-led Congress is poised to jump all over this issue, mostly because of the December data breach at Sony Pictures and the subsequent brouhaha over the release of the now infamous movie, The Interview.

While no one was voting for anything in late December, there were a few consistent cybersecurity themes coming from Congress:

  1. Blame the President. Senator John McCain (R-AZ), the incoming chair of the Senate Armed Services Committee, blamed the Sony Pictures data breach on the Obama administration, citing a lack of leadership on national cybersecurity. Note that this is the same Senator McCain who sided with the Chamber of Commerce in 2012 in blocking the passage of cybersecurity legislation that had bipartisan support in the Senate Homeland Security and Governmental Affairs Committee (HSGAC).
  2. Declare a cyberwar against North Korea. Before exiting Washington, retiring Congressman Mike Rogers (R-MI) and others suggested that the U.S. should declare a cyberwar on North Korea and take out its ability to launch another cyber-attack on the U.S. I guess no one told the Congressman about North Korea’s minimal attack surface or explained to him how the IP protocol works.
  3. Push for public/private security intelligence sharing. This one has some legitimacy, as there is an actual bill (the Cybersecurity Information Sharing Act, aka CISA) that was moving through the last Congress. While it may be a good idea to share intelligence, it is no panacea for curing our nation’s cybersecurity ills. Furthermore, CISA will never gain popular support without some additional privacy protection.

I for one am glad that cybersecurity is finally getting more airplay in Washington, but it’s clearly still being treated as a political hot potato. Note to the 114th Congress: we don’t need reactionary legislation or finger-pointing, we need a national cybersecurity strategy.

As a concerned citizen who lives in this world, allow me to make a few suggestions. First, we need someone who actually owns the creation and oversight of this national cybersecurity strategy. This person should be a civilian working outside of the military and intelligence services. As far as the strategy goes, it should include:

  1. Tax breaks for cybersecurity spending in the private sector. The feds should lead with a carrot rather than a stick by providing generous tax incentives for organizations that invest in cybersecurity technology and personnel. Tax breaks should come with some type of condition, such as committing to the NIST cybersecurity framework and passing future NIST cybersecurity audits.
  2. Support for industry. While there may ultimately be a need for legislation, the feds should focus on supporting industry (especially critical infrastructure industries) with cybersecurity expertise. Washington might say that this is already in place, but the existing support infrastructure is weak and underfunded. We need to resource this function and make it a successful model of public/private partnership. Note that this is especially important for the communications industry, which also needs Washington to help it balance cybersecurity protection against the threat of litigation.
  3. A national strategy for cybersecurity education. This is a biggie, since we have a profound shortage of skilled cybersecurity professionals. NIST did a good job laying out the National Initiative for Cybersecurity Education (NICE), but there is little oversight or federal investment so far. Furthermore, cybersecurity education funding is being spread thin on pork-barrel projects. Rather than throw cybersecurity education funding at Congressional districts, we need to invest strategically in centers of excellence like the Massachusetts-based Advanced Cybersecurity Center, which brings together the private sector, the public sector, and leading academic institutions. Senators should remember that the goal here is to produce cybersecurity thought leaders, not to throw money back at voters.
  4. Federal cybersecurity program oversight. We need to manage federal cybersecurity initiatives by appointing a financial watchdog to oversee the whole enchilada. Without such a position, Washington will open its wallet to a multitude of inefficient, redundant programs, big-dollar projects, and pork-barrel spending.
  5. An international multilateral cybersecurity agreement. This may be the most important item of all. The Internet is global and virtual. Hackers know how to attack the U.S. from anywhere in the world, and attribution can be exceedingly difficult. Given this situation, we can’t address our cybersecurity woes with bilateral talks with China. Rather, we need to champion and lead the international community by creating an international agreement like the Geneva Convention. This may be an opportunity to support, rather than alienate, the UN. It will be difficult to rein in the offensive-minded hawks on this one, but the U.S. and the West have more at stake, as a real cyberwar would likely cripple our infrastructure and economy.

Congressional support for cybersecurity can be a good thing if members are truly looking out for national security with a cost-effective national cybersecurity strategy. Alternatively, we are all in trouble if cybersecurity becomes another political “shoot-from-the-hip” issue.

Jon Oltsik is a distinguished analyst, fellow, and the founder of ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO’s perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.