Steve Goodrich is the CEO of the Center for Organizational Excellence, Inc., Vice Chair of the Government Transformation Initiative, and the Chairman of the Board of the Association of Management Consulting Firms.
We are dealing with a systemic crisis – critical government information is being hacked and falling into the hand of "evil doers," and there appears to be no end in sight.
Hardly a week goes by when we don't hear of some attack.
Cyberattacks have the potential to wreak havoc with our health, economy, safety, and way of life. President Reagan weakened Russia by causing that nation to overspend; damaging their economy and limiting their ability to support their defense. A successful cyber-attack can be much quicker and more damaging.
It goes without saying that we need strong,
There is much activity going on now with DHS and OPM investigating the attacks and providing support to those hacked. NIST is updating FISMA requirements and offering guidance. Congress is holding hearings, OMB just called for a "30-day Cybersecurity Sprint", and GSA is developing its cybersecurity risk profile for government systems. All of this is appropriate and good, but much more needs to be done. There is a need for an overarching government cyber security strategy and actionable program. We may not stop all intrusions, but we can become much better at proactively preparing ourselves and reducing the number and impact of such breaches.
To prepare, I call on our government leaders to immediately:
Make it a governmentwide issue of critical importance. While agencies each have their own unique requirements policy, direction and guidance must be enacted for the government as a whole to protect all our systems.
Act with haste. Congress and agency leaders must become knowledgeable and quickly provide direction and investments. A public-private partnership must be established to allow best-in-class experts to address the problem, and to develop and implement an actionable plan. Congress must also conduct an immediate review and ensure our laws direct the appropriate action and allow agencies and people to do their job effectively.
Prepare the profession. Academic and training institutions must move quickly to further grow and prepare robust cyber defense professionals that are adaptive to the demand. We need to produce a workforce that does not just react to issues but proactively prevents attacks and develops strategy and technology tools. We need a workforce of strategists, leaders, problem solvers, developers, innovators, ethical hackers, forensic investigators, and operators who can thwart the enemy. These professionals must continually evolve and develop to address new and increasingly complex threats. Training and continual retraining
Establish the role of chief data officer. While I never thought I would be advocating another "C" level role, this is critical. It must expand beyond the traditional role of data capture and analytics, and include detection and protection of our information assets, in collaboration with others. This should be done at the agency level with oversight from OMB.
NIST must support, if not lead, this effort. NIST is reviewing and redesigning FISMA standards to be contemporary and up the ante on cross-government standards. They should also reconsider minimum standards with agencies having less leeway to add their own. They should also design and convene the public-private partnerships, and promulgate and continually revise standards.
Consider this a threat of national significance. The president must deal with cyber-attacks as if they are an act of war or an attack on our security, economy, and people. Congress must quickly ensure the president has the tools and authority to do so. The American people are scared and recognize the significant threat that prevails and wants their government to respond accordingly.
Industry must play a big part. Industry must support our country with
Have an effective communication plan at the ready. Tell us immediately what is going on, and its impact on us--but stop telling us everything. If we were physically attacked we would all know immediately. When we are hacked, tell us immediately--don't wait three months. At the same time when a breach happens, don't bend to media pressure. Decide what is in the best interest of the public and tell us. Be honest, direct, and transparent. But don't tell us things that are necessarily secret. Allow experts to do their job to prevent or react to attacks. Don't compromise our rights, but don't give away our secrets to the bad guys.
Teach us. Develop a national campaign for cyber security and enlist people in the war on information security. Train us all so we have the specific knowledge and skills to act and work together to stop or curtail this threat. Tell us the things to look for and how to react to them. Invite us in on the war on cyber-attacks.
I realize experts are working hard to address many of the issues related to the current attacks as well as developing approaches for future attacks while others are identifying and punishing the guilty. I urge Congress, the president, the Judiciary, as well as industry, and academia to come together to create an actionable strategy in a public private partnership that will address many of the issues identified above and more. The solutions won't be realized overnight but they must be done with urgency, immediacy, deliberation, collaboration, and evolution.