Editor’s Note: Andrew Grotto directs the program on Geopolitics, Technology and Governance at Stanford University, and is a visiting fellow at the Hoover Institution. He served as the Senior Director for Cyber Policy on the National Security Council in the Obama and Trump White Houses. The opinions expressed in this commentary are his own.
Our national discussions about cybersecurity and privacy follow a frustrating pattern: a headline-grabbing incident like the recent Capital One breach occurs, Congress wrings its hands and policymakers more or less move on. So it is no surprise cybersecurity hasn’t been much of a focus as the race to the 2020 presidential election heats up.
The issue is here to stay, and it should be debated by the candidates. Here are some concrete ideas that would significantly improve the safety and security of the nation — but require presidential leadership if they are to come to fruition.
Beef up election security
The candidates have been justifiably outraged over Senate Majority Leader Mitch McConnell’s stonewalling on election security legislation that would direct resources and expertise to state and local governments to help modernize election systems and implement paper-based backups for electronic voting, among other improvements.
As Special Counsel Robert Mueller warned in Congressional hearings last week, the Russians and other bad actors will undoubtedly attempt to threaten the integrity of the 2020 election. This is no time to stand pat – Congress should pass – and the President should sign – legislation on election security before the 2020 election, not after.
Pass federal data protection legislation
The American approach to privacy regulation involves individual laws that apply to one or more specific sectors – health care data is covered by the Health Insurance Portability and Accountability Act, for example. These laws combine with after-the-fact enforcement actions against companies that violate the privacy promises they make to their customers. Americans no longer believe this framework gives them adequate protection.
What is needed is a comprehensive framework for how all companies collect, store, protect, share and use personal data. Last year, California passed a tough state law to this effect, and other states are following its lead. It would be far better, however, to have a federal-level approach that creates a national baseline standard that businesses and consumers everywhere in the country could rely upon. And voters agree: According to one recent survey, nearly three-quarters of respondents support federal privacy legislation. Such a law would establish baseline, enforceable requirements for data protection that apply to any company that controls or processes Americans’ personal data.
Expand SOX for cybersecurity and privacy
SOX is shorthand for Sarbanes-Oxley, a law passed in 2002 in the aftermath of scandals involving Enron, WorldCom and others that rocked the American economy. Its principal objective is to improve corporate governance by establishing transparency, disclosure, ethical and accountability requirements for executives, boards and auditing firms relating to financial and accounting practices and risks. Among other things, SOX created powerful incentives for senior executives and board members to improve their financial and accounting literacy and to exercise vigilant oversight of these functions because the law includes criminal and other penalties for certain lapses.
Executives and boards should be incentivized to do the same for cybersecurity and privacy. Recently updated cybersecurity guidance from Securities and Exchange Commission is a welcome step, but it only protects shareholder interests and does not go far enough to hold senior managers and board members accountable for lapses. The goal would be to not only protect shareholders, but also consumers and other stakeholders whose privacy, safety and security may be at risk in the event of a cybersecurity or privacy lapse. Including SOX-like accountability requirements in a federal data protection law would accomplish this.
Make cybersecurity a requirement for federal infrastructure funding
Infrastructure investment is a hot topic among the Democratic candidates, and for good reason: America’s transportation, electricity distribution and other infrastructure are crumbling due to a $1.5 trillion investment deficit. At risk, according to the American Society of Civil Engineers, are nearly 2.5 million jobs and $7 trillion in lost business by 2025. The nation clearly needs major investments in modern infrastructure — and soon.
Modern infrastructure is increasingly smart and connected. What makes smart grid technology “smart,” for example, are the sensors, processors and connectivity embedded within it that improve the safety and efficiency of the electric grid. On the other hand, this means that smart grid technology is potentially vulnerable to cyber attacks.
More Tech & Innovation Perspectives
Since cybersecurity almost always adds to the cost of any good or service, vendors are unlikely to commit adequate resources to addressing it unless the customer demands it. Unfortunately, it is not standard practice for the government agencies that procure infrastructure to insist prospective vendors design cybersecurity into their offerings.
Cybersecurity should be core to any infrastructure investment plan — and the federal government has the leverage to make this happen. The federal government bankrolls around one-quarter of all infrastructure investment in the United States, to the tune of $100 billion per year. The federal government also provides tax breaks and other indirect support. The magnitude of federal support for infrastructure would balloon if the country pursued an ambitious infrastructure investment initiative. Making cybersecurity a precondition for federal support would add some cost, but designing cybersecurity into infrastructure from the start is almost always more cost effective than addressing it after the fact with the proverbial bubble gum and duct tape.
Require IT modernization for state and local governments
Many federal, state and local government agencies are burdened under the same IT albatross: legacy systems, sometimes decades old, that are costly to maintain, virtually impossible to adequately defend against cybersecurity threats and often don’t perform well. These systems make it harder for agencies to deliver services to citizens and businesses.
Replacing these legacy systems with modern IT would not only save money and make government more effective, it would result in more cybersecure IT across the country. One approach to addressing this problem that has already shown promise at the federal level is an IT modernization fund. First proposed by President Obama as part of his Cybersecurity National Action Plan and championed on Capitol Hill by Texas Congressman Will Hurd, an IT modernization fund would enable state and local governments to submit proposals for financing with the expectation that the state and local governments pay the fund back using the savings that resulted from the investment.
Keeping our technology and data secure is hard. It is less hard, however, when the president is engaged. Let’s hope someone steps up.
