Eliminating Policy Zero Days:
The gap in policy measures continues to be a central problem in the cybersecurity debate. While there are a diverse set of rules put in place to address key cybersecurity issues, there are too many policy areas that we have failed to address. This includes the protection of critical infrastructure such as dams and electricity to government mandated back-doors in consumer hardware and software devices.
Cyberspace is an uncharted frontier. The fine line between privacy and national security is just as blurred as what constitutes cyberwar. Even the concept of when the country should go on the offensive becomes unclear due to the ambiguity of state borders. The United States is still grappling with these key questions, and more importantly, how to react to or prevent catastrophic failure in such fundamental domains.
The asymmetric nature of cyber actors makes it difficult to apply a single policy to all threat categories. Whether it is a rogue individual seeking financial gain or a state actor attempting to steal another country’s secrets, there is no clear set of policy steps to address these numerous threats. Additionally, the ability to shroud one’s identity in cyberspace makes origin-attribution more difficult. Making key decisions is reliant on pinpointing the source of the problem.
The fragmentation of the cybersecurity responsibility within the United States intelligence communities is detrimental to our nation’s national security apparatus. While CYBERCOM is responsible for all threats to military assets, DHS is responsible for all non-military targets. This even includes the private sector, whose economic vulnerability poses a national security threat. The lack of coordination between departments and domains must be resolved. For example, in 2011, President Obama’s Cyber Review failed to address the responsibility of the public sector to safeguard private sector assets. There must be cooperation between the government and private companies to respond to such threats.