The United States Telecom Association, the National Cable & Telecommunications Association and CTIA–The Wireless Association, which collectively represent the nation’s broadband network providers, recently delivered to the White House and Congress a Framework for Cybersecurity Legislation. The intent of the proposal is to encourage a more thorough, orderly, cohesive and cooperative approach to legislation for “deterring, detecting, and responding to” cybersecurity threats.
The three trade associations sent a letter to White House cybersecurity coordinator Howard Schmidt and copied key legislators on Capitol Hill announcing the framework that calls for improvements in the government’s cybersecurity posture, a partnership between government and private sector stakeholders to address national security issues and robust cybersecurity education in the government, consumer and business sectors. The groups also propose developing better data gathering and data analysis concerning cybersecurity and development of new cybersecurity solutions to “support, maintain, and secure our national networks.”
The letter was delivered to Harry Reid, Senate Majority Leader, Mitch McConnell, Senate Minority Leader, John A. Boehner, Speaker of the House and Nancy Pelosi, House Minority Leader.
Ed. Note: Clearly, the nation’s broadband network providers are worried about the Federal government’s current approach to cybersecurity. The 6-page framework is as much a warning and admonition as it is a proposal for collaboration. Repeatedly, the framework uses the words “should” and “must” as it outlines a general plan of action that reads like a series of demands. The document scarcely pulls its punches when it asserts that first and foremost government must get its own cybersecurity house in order and start setting a better example.
The associations call for restructuring policies, operations and risk mitigation efforts. They insist on increased government spending on R&D “into new technologies, protocols, approaches and tools that would otherwise not be developed by the private sector.” The document advises the federal government to develop a career field for cyberspace professionals and to fund increased scholarship opportunities and continuing education for federal cybersecurity professionals.
In a jab at present and pending legislation, the groups warn against taking “shortcuts that step around the framework in order to expedite a government idea or political initiative.” The network operators want “incentives like confidentiality, liability protection, tax incentives and other benefits that lead the private sector to implement desired activities.” In the event of a serious threat, they want “the freedom to take decisive action without regulatory second-guessing, a lengthy approval process, or the threat of legal liability.”
The providers also want the government to avoid duplicative and/or burdensome analytical and reporting requirements. They think the best way to achieve that is by creating a single federal entity responsible for engaging the private sector in collective strategic planning and operational activities.
The framework proposal is a barely disguised preemptive strike that attempts to head off what the ISP industry sees as fragmented, misguided, ill-informed, redundant, burdensome and politically expedient governmental attempts to regulate the national broadband infrastructure. Without directly saying it, the companies imply that governmental cybersecurity efforts are inferior to their own best practices.
While the document calls for collaboration, it also throws down the gauntlet by making it clear the broadband providers will not sit idly by and wait for the Feds to stitch together what the providers are convinced will be an ineffective patchwork of policies and legislation that will fail to keep the nation’s networks secure, and incidentally make it harder for the providers to do business.
From a Literacy 2.0 perspective the framework proposal reveals just how far we have to go before we achieve true cybersecurity literacy in government or the private sector.
The companies’ demands are valid. But even more important is the need for an enlightened view of the problem and the processes for dealing with it. In both the public and private sectors cybersecurity literacies are severely lacking. What is needed is a clear-headed, high-level, big-picture vision of what cybersecurity is and what it implies, today and going forward. Efforts by business and government not only need to be collaborative and coordinated they need a well-defined context from which to operate.
Perhaps without realizing it, the framers of the framework hint at just such a vision and context in the final paragraphs: “An educated customer is the best partner we have in fighting cybercrime and in working together to raise the security of cyberspace.” The broadband companies call for a public relations campaign to raise consumer awareness and to emphasize individual responsibility as critical to defeating cyber attackers. They want K-12 and college programs to prepare young people with cyberspace best practices.
The inclusion of this aspect of dealing with cybersecurity suggests an understanding that cybersecurity is not simply the concern of governments and technology providers. It is a broad social issue. Everyone is at risk, everyone has a stake and everyone is a contributor either to the problem or the solution. What the document doesn’t say is that cybersecurity cannot be achieved by technology, data, analysis or policies alone. It is a novel problem that requires novel approaches that extend from one end of the circuit to the other. The best defense is systemic awareness that is embedded deeply and pervasively in the communication networks and the people who use them.
Society-wide cyber literacy is the best and only solution for long-term cybersecurity.