About the author: Glenn S. Gerstell served as the general counsel of the National Security Agency from 2015 to 2020 and is currently a senior adviser at the Center for Strategic & International Studies.
For many of the things we depend on, government regulations keep us safe where market forces alone are insufficient. We feel confident pulling a box of pills off the shelf at the drugstore because we know the government is watching the pharmaceutical industry closely. We don’t even stop to think about it, and that’s true for many other critical products and services. But there is one major exception: the cyber and digital technology we rely on every day.
That’s about to change.
In the coming days, the Biden administration will issue the country’s National Cyber Strategy. It will spell out long-range goals for how individuals, government, and businesses can safely operate in a digital world of omnipresent cyber threats. The policy statement is required by a recent law that also established the position of national cyber director as the country’s top cyber policy official. The forthcoming National Cyber Strategy is the product of extensive industry consultation and collaboration. (I was privileged to be part of that process, along with many other cyber experts and business leaders.) Although the strategy document is in the final stages of review by the White House, administration officials have already started to preview some of the key elements of the plan.
Cyber strategy pronouncements by previous administrations—issued when our vulnerability wasn’t as acute—were too diffuse to provide meaningful guidance. This new strategy document will be much richer, informed by events such as the SolarWinds cyber breach of federal government agencies in 2019-2020 and the shutdown of Colonial Pipeline due to a ransomware attack in 2020. Most significantly, cyber maliciousness from Russia, China, and other countries (which I saw while at the National Security Agency) has now become pervasive and persistent.
Most of the goals the strategy is expected to set involve noncontroversial, but important, improvements such as enhancing cooperation with the private sector, increasing the U.S. cyber workforce, requiring hardware manufacturers to make devices more secure by design, and strengthening international efforts to combat ransomware.
The more significant, overdue, and groundbreaking strategic goal will be to stop relying only on market solutions to our cyber vulnerabilities. The degree of the proposed shift won’t be spelled out, but the new strategy will have twin objectives: The U.S. should move toward more federal cybersecurity regulation, and responsibility for cybersecurity should be increasingly borne not by consumers and business users, but by computer hardware and software vendors.
Our nation has been hesitant to embrace that goal. We historically prefer market solutions; industry pushes back on more regulation and the imposition of liability. A deeply divided Congress finds it difficult to agree on any new governmental solution. The result is that, absent a disaster triggering an immediate response, it takes decades for those institutional and structural reasons to be overcome by a visible threat to our national wellbeing, especially one that grows by increments rather than a massive leap. But dangerous cyber vulnerabilities are now a fact of everyday life.
The resulting reliance on market forces has yielded buggy software that is exploited by cybercriminals who inject ransomware malware into the networks of schools, hospitals, and businesses at an annual cost in the billions. We have insecure networks open to cyber pillage of trade secrets and patents by China and others. Medical, financial and other personal data of millions of Americans has been repeatedly breached from insurance companies, credit bureaus and local governments. It’s true that cyber technology is complex and doesn’t lend itself to simple regulation. But it’s hard to argue with the proposition that, however well they might have served a nascent cyber world, unregulated market forces—combined with ubiquitous reliance on digital technology—are now posing unacceptable levels of risk to our personal and commercial cyber lives.
We can’t rectify the problem unless we understand its full scope. But deficiencies in federal regulatory authority that predate the digital age, and disputes over how to overcome those deficiencies due to concerns over greater government involvement, have combined to leave us mostly in the dark about the actual extent of cyber hacks and attacks.
Admittedly, we’ve taken some steps to impose order on the market, with various federal departments issuing reporting requirements for the particular industries they oversee. More significantly, Congress in 2022 ordered the Cybersecurity and Infrastructure Security Agency to promulgate rules for the mandatory reporting of cyber incidents by owners and operators of critical infrastructure. It’s not yet clear how those rules will mesh with other existing disclosure requirements or the Securities and Exchange Commission’s proposed cyber-incident reporting rules for public companies.
Not surprisingly, American industry has objected to duplicative and costly reporting requirements. Yet other industrialized democracies, including the United Kingdom, Canada, Japan, India, and Germany, seem to be further along in aligning the public and private sectors in cyber defense. Many of our national peers have far more centralized cyber authorities. This makes sense. The threats we face are the same, from cybercriminals and countries like Russia and China that use cyber maliciousness as a tool of statecraft. And the vulnerabilities are also the same. We’re all using Windows, Apple, or Linux software. So why not a uniform regulatory approach, tailored where needed to specific industries?
Moving in that direction, the new National Cyber Strategy will explicitly call not only for harmonization of reporting requirements, but also and more significantly, for mandatory minimum cybersecurity standards adopted in consultation with industry. It won’t specify how we will achieve reporting uniformity given the dispersed nature of responsibilities, nor the details of these minimum standards. But after all, this is a high-level strategy. Nor, disappointingly, will it argue for a central regulator. That’s because, even though many cybersecurity experts believe we’ll ultimately have one, there still is no consensus within the Executive Branch or Congress on whether such a regulator is needed, let alone what it would look like.
That omission perpetuates our customary reactive and limited approach to regulation. A trial-and-error approach won’t suffice when the harm is pervasive and rapidly getting worse. The Cyberspace Solarium Commission recommended the creation of the national cyber director position. It considered going further, but the commissioners believed more-aggressive solutions were politically impractical. Still, it noted that a future major cyber incident might galvanize public opinion, triggering a fresh approach.
Until then, our nation will have to balance the need for robust private sector innovation and concomitant desires for limited government with the recognition that federal imposition of baseline cybersecurity standards is needed to supplement inadequate market forces. There are blueprints for doing so. The European Union, for example, is well on the way to adopting such standards for a broad swath of its economy. We can learn from that effort and fashion an approach more in line with our political and economic system. Not having suffered a catastrophic national cyber event means we didn’t rush to solutions that might not have proven optimal. The downside is we must suffer more cyber maliciousness before we are sufficiently fortified.
The imposition of mandatory standards will be significant and the subject of much debate, but it’s the other half of the strategic goal—the proposed shift in liability—that will have the more profound and enduring effect.
Broadly speaking, today’s software or hardware manufacturer isn’t going to get sued successfully if its products have a previously unknown defect that allows the user to get hacked. The standard for the manufacturer to discover any such defect is, as a practical matter, low. That’s due to legal constraints as well as the economic reality that until reliance on digital technology became relevant to our national wellbeing, having liability fall on users rather than manufacturers didn’t seem like a serious problem. With the onrush of technological advances, we’ve quickly moved past that point. A standard principle of economics and law is that losses should ideally be borne by the party in the best position to avoid them.
That’s manifestly not the case now. Individual and commercial users have little insight into the relative cybersecurity qualities of products—and even if they did, few have the sophistication to make the right purchasing decisions. Instead, we make do with layers of anti-virus software on computers, specialized cybersecurity vendors to help companies, and armies of tech support personnel to fix and protect our computer networks. It would be a lot smarter if we didn’t have buggy software or hardware in the first place. Of course, it’s not possible to eliminate all defects, but right now there’s little incentive—beyond just general market reputation—to invest in a dramatic reduction of cyber vulnerabilities.
There are many ways we could shift the cybersecurity burden from users to providers and manufacturers. Liability has been reallocated in other sectors, in the most absolute terms in the pharmaceutical sector. In cyber, the SEC’s proposal to have public companies disclose the extent of cyber expertise on their board of directors will start to change the makeup of boards. Similarly, requiring more explanatory cybersecurity labeling on software and hardware will force manufacturers to focus on quality control. Something like a nutrition label on cyber products—a so-called software bill of goods—can make a difference. Reducing the safety net of commercial cyber insurance, while uncomfortable in some respects, might force companies to be more careful about their data practices, so they wouldn’t bear the liability costs of a breach. (Perhaps that could be offset by federal insurance to cover risks of nation-state cyberattacks, which seems more in keeping with the federal government’s constitutional responsibility to provide for the common defense.) Statutes directly imposing liability in certain egregious cases or mandating certain types of consumer warranties might all be part of the effort. There has to be some balance, since we don’t want to stifle digital innovation. But that’s exactly the light touch that the National Cyber Strategy is expected to seek.
The Biden administration has appointed well-regarded cyber officials who have vigorously used federal powers to advance cybersecurity, and the administration’s willingness to propose a thoughtful, practical new national strategy is a critical and beneficial step. Yet we will need to move even more forcefully to counter cyber threats that are outpacing our defensive efforts. That means industry cooperation, a smart level of regulation, and more action by Congress. Ultimately, we may not be able to have our digital lives as safe from cyber malice or negligence as our personal lives are safe from dangerous or ineffective drugs—but some changes in national strategy can get us a lot closer to that goal.
Guest commentaries like this one are written by authors outside the Barron’s and MarketWatch newsroom. They reflect the perspective and opinions of the authors.