
Foreword

In 1858, a public health crisis gripped the city of London. Successive cholera outbreaks spread by contaminated water were killing thousands. The river Thames was so polluted that Parliament refused to meet. As London’s population exploded, no one had invested in the basic wastewater infrastructure necessary to manage the consequences of cramming millions of people into one of the world’s first metropolises. After years of failing to safeguard access to clean water, the government finally embarked on an unprecedented civil works project to retrofit the entire city with its first sewer system.

Cyberspace today resembles London in 1858. Just as water provides the foundation for human health, the Internet has become the delivery platform and interface for nearly every aspect of our economy and daily life. And like the cholera that thrived in the polluted waterways of London, malicious actors are exploiting our society’s stubborn reluctance to invest in the security and resilience of our technology. We built our digital society on a shaky foundation, entrusting our most critical data and activities to systems and tools that were not originally designed with security as a core objective. The revolutionary openness of the Internet was world-altering, but today that very same openness increasingly is used as the vector to undermine its success. And we have yet to invest in the infrastructure, practices, and institutions necessary to protect digital technology.

We consistently underestimate how bad actors might weaponize our technology against us and cause real harm. During the COVID-19 pandemic, we have seen nation-states target the intellectual property of drug developers and criminal groups disrupt already-strained hospitals with ransomware. All manner of actors are spreading mis- and disinformation about the sources of coronavirus, dangerous and unconfirmed treatments, stay-at-home orders, the efficacy of vaccines, and more.

Yet despite more than a decade of studies, warnings, and high-profile incidents—including those that have already cost companies like Merck, Maersk, and FedEx hundreds of millions of dollars—the government’s investment in cybersecurity prevention and response remains woefully inadequate. After the 9/11 attacks, there was no mistaking that the U.S. government was wholly and totally committed to confronting terrorist organizations. It created a new cabinet department (the Department of Homeland Security), and new federal leadership (the Office of Director of National Intelligence and National Counterterrorism Center). It designated billions of dollars of funding toward state and local preparedness. The entire federal apparatus mounted a herculean effort to reorient budgets, processes and priorities.

We see no similar mobilization toward securing the Internet and our digital lives. Warnings of a “Cyber 9/11” have not supplied the trigger. Neither have the untold billions of dollars in damages already caused by cybercrime, ransomware, intellectual property theft, and espionage.

The cybersecurity community’s tendency to treat cybersecurity as a problem to be solved has not been effective. Instead, we need to convey cybersecurity as an inextricable element of the digital infrastructure on which all society’s priorities depend. Cybersecurity is modern life, and we cannot use cyberspace without it. It is critical to the way we work, the way we bank, the way we shop, the way we drive. The unprecedented events of 2020 have underscored that technology and security are now also central to the way we vote, the way we deliver health care—even the way we spend time with our loved ones amid a pandemic. With half of the American workforce operating from home, billion-dollar corporations are running on Zoom and Slack. Digital technology should be treated like water—the most essential resource—and cybersecurity as the foundation for making it work for every stakeholder community. As our digital dependencies intensify, our way of life will not be possible without better cybersecurity risk management. Digital resilience must become central to everything we do.

This document outlines achievable action steps that we believe will allow federal policymakers to make rapid progress toward a much stronger cybersecurity foundation for our digital infrastructure. Some can be accomplished in weeks or months; others will probably take years. Fortunately, the federal government is not alone. Cyberspace is ultimately the domain of civil society and private enterprise, sectors teeming with experts who can guide the White House and Congress as they grapple with the difficult tradeoffs inherent to any cybersecurity policy decision. In crafting this national cybersecurity agenda, the Aspen Cybersecurity Group sought input from a diverse network of partners in academia and industry. Together, we stand ready and willing to assist policymakers in cultivating a secure, reliable, and resilient cyberspace.