Governor Hogan’s USA Today op-ed: Washington has been asleep on cyber security. It’s time to wake up.
By Governor Larry Hogan and Admiral Dennis Blair
May 30, 2021
For far too long, Washington has been asleep on cybersecurity. America’s vulnerabilities have been exposed and bemoaned, but not seriously addressed, much less fixed. While hackers grow bolder and more skilled, government policies and public and private funding lag behind the need.
Cybersecurity continues to be a largely technical afterthought rather than a vital and integral part of the design and modernization of major systems on which the well-being and safety of Americans depend. Until the Colonial Pipeline attack, neither major infrastructure proposal from the Biden administration or Republicans in Congress even mentioned the word “cybersecurity” or “hacking.”
On the Republican side, the narrow focus on “traditional infrastructure” has resulted in a 20th century framework that’s insufficient for 21st century infrastructure challenges. Meanwhile, on the Democratic side, the push to define infrastructure to include a wide range of social spending programs has obscured focus on more basic infrastructure requirements.
Keeping the American people safe
Elected officials have no higher responsibility than keeping the American people safe, and there is no greater threat to the safety of Americans than the cyber weaknesses of the systems that support our daily lives.
This isn’t just an issue for policy wonks or wealthy financial institutions. This is a threat to the day-to-day lives of every American. Our drinking water supplies, electric power systems, petroleum and natural gas supplies, hospitals, vehicles, stop lights and road safety signs, air traffic control systems, railroads, and all the businesses selling us goods and services are vulnerable to attacks. If a group of criminals seeking $5 million in ransom could cause massive gas shortages across the East Coast, just imagine the damage an organization that simply wanted to cause destruction could inflict.
The American people – regardless of political affiliation – overwhelmingly recognize the threat. According to a recent Gallup poll, Americans rank cyberterrorism as the top threat facing the country with 98% viewing it as a “critical” or “important” issue.
On the state level, Governors and Mayors have been concerned about the threat and taking action. In Maryland, we’ve established the position of Maryland Chief Information Security Officer to coordinate cyber security efforts, launched an economic development strategy to accelerate growth in the cyber security industry, and created an apprenticeship program to prepare Marylanders to become certified cyber security analyst operators.
But we cannot just address this challenge on the state level. Our National Governors Association’ initiative to rebuild America’s crumbling infrastructure recommended that strengthening “security and resiliency by protecting America’s critical infrastructure from disaster and cyber threats” be one of the four key pillars for any federal infrastructure bill.
It’s time for leaders in both parties to take action. We all have an important role to play, but for a threat this large the federal government must take the lead. We’re glad to see the Biden administration is taking steps to focus on this issue following the Colonial Pipeline hack, but this is the third consecutive federal administration to announce a cybersecurity plan. We can’t afford another thrown together in haste, announced with fanfare, but neither fully resourced nor fully implemented.
To keep the American people safe, we recommend the federal government take the following four steps:
1) Define and enforce minimum cyber security standards for critical infrastructure systems.
2) Assign legal responsibility for meeting those standards and penalties for failure. Establish the legal obligation of private sector organizations to participate in a national cybersecurity network, providing information on attacks on their networks, and taking the actions directed by government emergency response officials.
Need for a comprehensive plan for safety
3) Fund and establish a national cybersecurity network linking the control and response centers for major public and private networks, beginning with internet service providers and critical infrastructure components.
4) Using this national cybersecurity network, conduct regular tests and exercises to improve national cybersecurity readiness, to fix deficiencies, to develop and ensure the implementation of network improvements, and to deal with cyber-attacks as they occur.
Without a comprehensive and strategic plan that measures results and provides adequate resources, the individual initiatives of well-meaning executives and legislators will ultimately fall short of the urgent need. The consequences of that failure will not just be more disruptive attacks, but also the lost confidence of the public.
A large majority of Americans are thoroughly convinced that our political system is fundamentally broken, that we are tragically divided, and that Washington cannot carry out its basic function of protecting the safety of American citizens. Though this vicious cycle of partisan distrust cannot be fixed overnight, let’s start by making the protection of America’s cybersecurity, beginning with critical infrastructure, a national bipartisan achievement.