Two cybersecurity policies, one clear new objective

In the wake of countless cyberattacks, two federal cybersecurity policies are providing much-needed guidance to improve the defense of our nation’s cyber infrastructure, networks and data, setting a clear roadmap on how we can best protect the country. However, the work is not done yet. With a new set of legislators freshly elected, additional steps must be taken to ensure critical cyber policies remain a top priority.

This year, President Trump officially signed the new National Institute of Standards and Technology (NIST) Small Business Cybersecurity Act into law, and the Trump Administration announced the new National Cyber Strategy for United States of America — an effort the Administration said was the first of its kind in 15 years.

The National Cyber Strategy outlines the government’s multi-agency mission to secure critical infrastructure, combat cyber crime, foster a stronger cybersecurity workforce, promote responsible behavior between nation states and prevent malicious “information campaigns,” among a dozen more publicized items. {mosads}

The Administration rightly highlighted that our nation’s energy sector is susceptible to supply disruptions by cyberattack — threats that could cripple the critical infrastructure of our nation — adding further importance to the integration of public and private sector defenses. Such threats affect us all, and merit coordinated responses.

Timely and vitally important, this concerted effort will improve our cybersecurity posture as threats continue to escalate in volume and sophistication.

The NIST Small Business Cybersecurity Act is universally supported across party lines, but similar standards guidance isn’t yet included in the Administration’s national plan. Initiatives required by the NIST policy should be a key part of the larger National Cyber Strategy.  

What we have learned from the numerous breaches in the public and private sectors is that the foundation of the internet is a digital supply chain that must be defended from end to end; the smallest player has proven to be an effective entry point for mischief.

To deliver robust, cost-effective cybersecurity strategies for small- and medium-sized businesses (SMB), enterprises and government agencies, we must align both sets of guidelines to create a single, comprehensive national cybersecurity strategy.

What’s next? Three policy prescriptions 

First, the National Cyber Strategy should deliver comprehensive guidance that includes protections for both enterprises and SMBs. The National Cyber Strategy and the SMB-focused NIST Act are logical and principled efforts. Integrating the two will form the foundation for our country’s most in-depth, end-to-end national cybersecurity strategy to date. That’s a worthwhile outcome.

Next, the Administration should also consider integrating elements of the NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017 (H.R.1224). This would complement the Administration’s national strategy to further improve the cyber compliance of federal agencies under current rules.

The idea of the framework is simple yet effective. It would utilize NIST’s expertise in the Inspector General’s evaluations and audits of U.S. federal agencies’ cybersecurity performance recommendations. H.R. 1224 would require more comprehensive implementation of the NIST Cybersecurity Framework across government agencies and thorough verification it’s been applied properly.

Finally, Washington must tackle cyber matters without regard to political gamesmanship or geographic borders; the threats do not target Americans by party, region, citizenship, nor sector, but tend to loom everywhere even if through just one “open door.” This is a truly non-partisan cause, and it is imperative that we maintain that balance moving forward.

This also will require sustained cooperation between U.S. governments and law enforcement and their international counterparts. While the National Cyber Strategy highlights this need at a high level, it must be routinely executed at global, national and local ranks for all countries involved in the protection of networks and data, as well as the persecution of cybercriminals.

The country is at the crossroads of something truly great: a comprehensive and national public-private cybersecurity strategy that has the best interests of our country at heart. If Washington can align cybersecurity law and strategy through one unified plan, the effort will drive consistent cybersecurity requirements across federal agencies, large enterprises, and SMBs to defend the nation from cyberattacks.

Bill Conner is President and CEO of SonicWall, whose next-generation firewalls and network security solutions protect more than 1 million networks worldwide, for more than 500,000 organizations in more than 215 countries and territories, including for agencies of the U.S. government. He co-chaired the Corporate Governance Task Force of the U.S. Department of Homeland Security National Cybersecurity Partnership, helped unveil the INTERPOL Global Smart eID Card, and addressed the United Nations on global challenges in cybercrime in June 2010. Previously, Conner held key positions at AT&T, Nortel, Entrust, and Silent Circle. He is a staunch supporter of public-private partnerships on cybersecurity.