The views expressed by contributors are their own and not the view of The Hill

To make US more cyber-resilient, government and business need far greater collaboration

by Peter Altabef and Reece Kurtenbach, opinion contributors - 08/04/22 11:00 AM ET

Cybercrime is now so ubiquitous that the question is not when an attack will occur on a business, individual, or government — It’s whetherthe victim is resilient enough to deal with the consequences.

Recent events have only intensified the cyber threats. Since Russia invaded Ukraine in February, the world has monitored global digital networks’ security with heightened awareness. To date, the most disruptive Russian attacks, centered on Ukrainian communications networks, have had spillover effects only into Europe. But the war continues to escalate, and the threat of malicious Russian cyber activity toward Ukraine, Europe, and the rest of the world remains high. With election security top of mind as the U.S. midterms approach, government officials are acutely aware of the threats that exist from cyber actors, including Russia.

Even before the recent events in Ukraine, malicious cyber activity had been on the rise: The global COVID-19 pandemic accelerated business, government, and personal activity moving to digital networks, growing the potential attack surface and possible points of entry for cybercriminals. Ransomware poses a particular threat; 66 percent of organizations were hit with a ransomware attack in 2021 — a 78 percent increase from 2020.

Bolstering cyber resilience and protection will require a multi-pronged strategy that involves a much deeper level of coordination and partnership between government and the private sector. As part of this joint effort, the federal government should enhance collaboration and information-sharing with other levels of domestic government and the private sector. A top priority must be protecting and ensuring our critical infrastructure — nearly 90 percent of which is run by the private sector. For their part, businesses should document cyber incidents and threats, share that information with their government partners, and proactively communicate with their supply chains, customers, and other stakeholders in a timely manner to maintain their reputations and to protect all parties involved.

The National Cyber Director and the Cybersecurity and Infrastructure Security Agency (CISA) are both critical to these efforts. The Information Sharing and Analysis Organizations, the Cyber Information Sharing and Collaboration Program, and the Enhanced Cybersecurity Services program are all important and should be expanded.

While large organizations and government agencies often have resources to devote to cybersecurity, many small- and medium-sized organizations do not. Protecting small- and medium-sized organizations is vital, not only for those organizations, but also to protect critical infrastructure supply chains that include both larger organizations and governments. There are current gaps in access to federal resources for some small and medium organizations that should be filled.

While good “cyber hygiene” seems obvious, the reality is quite different. We need better cybersecurity standards and means of monitoring compliance. Employee training should be frequent, and content should be updated regularly to reflect changing conditions and threats. Working toward a Zero-Trust Architecture security model and implementing recommended software patches and updates should be ordinary course.

Building a more robust cybersecurity workforce and pipeline of talent will be important — although the U.S. added 260,000 cybersecurity jobs in 2021, a 30 percent increase, demand for talent still exceeds supply: In May, there were 600,000 vacant cybersecurity jobs.

A component to having a second-to-none cybersecurity workforce that can meet our national security demands would be the creation of a virtual national academy for cybersecurity. The virtual academy would be based on partnerships with colleges and universities. Similar to the U.S. military academies, cybersecurity cadets would receive a free college education in return for government service upon graduation. Graduates would be placed in federal, state, or local government cybersecurity roles to fulfill their obligations.

A cyberattack occurs in the U.S. every 39 seconds — and the severity and cost of these attacks is only growing. Resilience to an attack is key. The time for both government and business to ensure resilience is now.