
Op-Ed: It’s Time to Take Action on Cybersecurity

Maksim Kabakou/Shutterstock.com


By Frank Cilluffo and Sharon Cardash February 4, 2014


With each New Year comes the promise of a fresh start, and nowhere is there a more pressing need for that than in Washington, where gridlock has taken hold for too many months. The good news is that the close of 2013 witnessed the beginnings of forward motion, on the part of key actors, on select issues of national importance. In December, Rep. Paul Ryan, R-Wis., and Sen. Patty Murray, D-Wash., jointly took the lead on preventing another government shutdown only three months after the last one by crafting a bipartisan budget deal. While the deal is nowhere near a grand bargain in scale and scope, it does reflect incremental progress that is still a step in the right direction and, as such, is emblematic of what may be the new model of governance in the capital: Getting things done through small steps forward.

Indeed, the new golden rule in Washington may be: Don’t let the perfect be the enemy of the good. In the present partisan atmosphere, holding out for a panacea that addresses all challenges comprehensively may simply be a bridge too far. Cybersecurity is just one important area that could benefit much from this type of approach. Consider the context: Despite an ever-increasing array of cyber threats that continue to morph and evolve in complexity, and despite widespread acknowledgement that more needs to be done, the United States remains underprepared for the ecosystem it faces and the many hostile actors that inhabit cyberspace. While there may be plenty of blame to go around in terms of inaction, Americans rightfully expect some remedies and results.

Despite a range of proposals for addressing gaps in cybersecurity, none have fully materialized.  For instance, the Cyber Intelligence Sharing and Protection Act (CISPA), sponsored by House Intelligence Committee Chairman Mike Rogers, together with Ranking Member Dutch Ruppersberger, passed the House but not the Senate. Designed “to provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes,” the House bill would have facilitated the exchange of threat and vulnerability information needed to prevent, mitigate, and respond to cyberattacks. It also addressed liability issues that may arise in connection with such exchange. The importance of information sharing is widely acknowledged, but prevailing sensitivities attached to the matter are acute, due largely to the Snowden case, which continues to unfold. Prospects for the bill are dubious, even though the latest version addresses many of the privacy concerns that critics raised with an earlier iteration. 

In December, House Homeland Security Committee Chairman Michael McCaul also introduced the National Cybersecurity and Critical Infrastructure Protection Act of 2013 (NCCIP). This bipartisan bill, submitted together with Ranking Member Bennie Thompson, and counterparts on the House Homeland Security Committee’s panel on cybersecurity, infrastructure protection and security technologies (Reps. Patrick Meehan and Yvette Clarke, respectively), aims to “strengthen…the cybersecurity of the nation’s 16 critical infrastructure sectors as well as the federal government by codifying, strengthening and providing oversight of the cybersecurity mission of the Department of Homeland Security (DHS)—the agency responsible for ensuring the security of our critical infrastructure.” 

On the Senate side, the Armed Services Committee, the Homeland Security Committee, and the Intelligence Committee are contemplating measures within their defined areas of jurisdiction. In the Senate Commerce Committee, moreover, Chairman Jay Rockefeller and Ranking Member John Thune introduced last July the Cybersecurity Act of 2013, which “would give the National Institute of Standards and Technology (NIST) authority to facilitate and support the development of voluntary, industry-led cyber standards and best practices for critical infrastructure”; and “make sure the federal government supports cutting edge research, raises public awareness of cyber risks, and improves the nation’s workforce to better address cyber threats.”  

In effect, the Senate Commerce Committee bill largely codifies President Obama’s February 2013 executive order on improving critical infrastructure cybersecurity, which allocates to NIST a central role in facilitating the development of a private sector-led, market-oriented framework. The final version of that cybersecurity framework is expected to be published later this month and "shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk," according to the executive order.

These are just some of the cybersecurity measures that have been initiated. For the private sector, a prominent concern is to know and understand the rules of the road regarding active defense. Industry leaders understandably want clarity on these rules, which they will help define and which will allow companies to protect themselves. Such an approach, wherein guidelines and guidance are relayed to the private sector to then determine the best way forward, is emblematic of the direction in which we need to go if tailored and effective countermeasures are to be formulated and enacted in real time and/or as required. Companies cannot be expected to simply wait until Congress and the executive branch get their own houses in order.

From optimizing interagency cooperation to pursuing research and development strategically and beyond, there are various steps left to take in the area of cybersecurity. Our adversaries are not standing idly by and the risks continue to multiply. How many more incidents like the recent and massive breach of Target’s data, involving millions of Americans, are needed to spur the country into taking the actions needed?  If it takes baby steps to push the country further down the path to a more robust posture, so be it. Just as Congressional committees have put their minds to crafting an omnibus bill that converts the Ryan-Murray framework into details and constructive action, so too must we get on with it in the cyber realm. 2013 was a very good year for our adversaries. Let's not make it two in a row by our own hand.

Frank J. Cilluffo is director of the George Washington University Homeland Security Policy Institute and GW’s Cybersecurity Initiative.  Sharon L. Cardash is HSPI’s associate director and a founding member of GW’s Cyber Center for National and Economic Security.
