Cybersecurity: What About U.S. Policy?

Abstract

During December 2014, just hours before the holiday recess, the U.S. Congress passed five major legislative proposals designed to enhance U.S. cybersecurity. Following signature by the President, these became the first cybersecurity laws to be enacted in over a decade, since passage of the Federal Information Security Management Act of 2002. My goal is to explore the unusually complex subject of cybersecurity policy in a highly readable manner. An analogy with the recent deadly and global Ebola epidemic is used to illustrate policy challenges, and hopefully will assist in transforming the technological language of cybersecurity into a more easily understandable story. Much like Ebola, cyberthreat has the ability to bring our cities to a standstill. Many cybersecurity policy implications are strikingly similar to those occasioned by Ebola.First, a brief recital of the grave danger and potential consequences of cyberattack is provided. Second, I comment on the policy impact resulting from rapid changes in technological complexity and the relative lack of computer familiarity on the part of many senior business and governmental leaders. Third, the characteristics of selected competing cybersecurity constituency groups are discussed: consumers; investors; law enforcement; business; federal, state and local government; and national security interests. By exploring the perceived needs and sometimes conflicting actions of these various constituencies, I hope to make a worthwhile contribution to the national conversation about cyber policy and make meaningful progress toward dealing with the new pandemic of technological virus. Next, is an examination of recent policy development milestones achieved during the past decade or so, including passage of several major legislative proposals designed to enhance U.S. cybersecurity during the waning hours of 2014: The National Cybersecurity Protection Act of 2014; The Federal Information Security Modernization Act of 2014; The Cybersecurity Workforce Assessment Act; The Homeland Security Workforce Assessment Act; and The Cybersecurity Enhancement Act of 2014. Finally, given the critical need for an immediate and effective coordinated approach to cybersecurity, a few thoughts about crafting policy goals and strategies are offered. Hopefully this essay will assist in the conversation being had today by policy makers on this important topic.