
By Michael Daniel, President & CEO
Most people find it surprising that economics and human nature drive most cybersecurity problems, not technical issues. After all, information technology is, well, technical. Yet, when you analyze the root causes for most cyber incidents, very few cyber problems derive from underlying, unchangeable characteristics of information technology; instead, the exploited weaknesses are either known and fixable but left untouched (software vulnerabilities) or prey on human psychological vulnerabilities. The mismatch between the problem (economic constraints) and the typical mitigations (firewalls) creates many of the cybersecurity gaps we regularly encounter.
Another significant cybersecurity “gap” stems from public risk. Due to the nature of inter-connected IT networks, an organization’s cybersecurity risk has both public and private aspects. The private risk element falls on a specific organization, while the public part is shared among all elements of society to varying degrees. Private action should be sufficient to address private risk. People may make mistakes or underestimate risk, but broadly speaking, the private sector has the incentive to address its private risk. The problem stems from the public portion of networked risk. No individual or organization has the incentive to address this portion of the cyber threat. Left unattended, this risk can build up to unsustainable levels, and it can have catastrophic results. This situation is quite common across many different policy areas, from public health to land use to border security.
If our cybersecurity problems are rooted in economics and psychology, then any solutions, including technology-based solutions, must address those economic and psychological features. If our cybersecurity risk has a public aspect, then solutions must also address that public risk. What entity can take cybersecurity actions that simultaneously address economic incentives, human nature, and public risk? The government. That’s one of the foundational reasons for government to exist – to address these sorts of collective action problems.
I am aware that arguing for government action is not necessarily a popular position in 2025. That’s just too bad, because government action is required to address our cybersecurity problems properly. I would submit that at least three propositions flow from this argument:
- The US government should have cybersecurity capability and expertise in many different agencies.
- The US government needs to use all its tools to address cybersecurity problems, including regulation.
- Data and analysis should drive the decisions about which tools to use and how to update them over time, which means CISA should finalize the CIRCIA rule as soon as possible.
Cybersecurity capability and expertise – if government action has a role in cybersecurity, then the government needs to have cybersecurity expertise in house. Further, while we should concentrate that cyber talent in as few agencies as possible, the breadth and depth of expertise required means the government cannot house its cyber talent in just one agency either. In fact, cyber expertise is needed in agencies that may appear to have nothing to do with cybersecurity on the surface, such as health and human services, energy, or environmental protection. These agencies have expertise in domains where cybersecurity matters a great deal – health care, energy distribution, and water services. Replicating those agencies’ domain knowledge in the Cybersecurity and Infrastructure Security Agency or the National Security Agency is not possible. With a big, diverse country comes a big, diverse cybersecurity requirement.
Cybersecurity tools – just as you use different tools for different jobs around the house, the government needs to use different tools for different purposes. Moreover, tools that work well in certain circumstances do not work well in others, and sometimes you need a specialized tool to get the job done. The government has a wide variety of tools at its disposal, including persuasion, guidance, incentives, resources, and regulation. The government needs to use all these tools to achieve the level of cybersecurity our society needs. Again, I know regulation is not popular right now, but sometimes it is the right tool for the job. Can the regulatory tool be overused? Yes. Can regulations be written poorly so that they result in the exact opposite of the intended outcome? Sure. Do regulations impose costs that everyone should acknowledge? Definitely. Should regulations be coordinated and deconflicted? Absolutely. (See this piece by Larry Clinton for an excellent argument on this point.) Do these factors make all regulations bad all of the time? I would argue no. What these factors mean is that we need to use the tool judiciously, write regulations carefully with an eye towards maximizing benefits and minimizing costs, and be willing to change when proven wrong.
Data-driven decisions – the last statement raises a question. How can we maximize benefits and minimize costs? We can achieve those goals when we base actions and policies on reliable, actionable data. Unfortunately, the US government currently has limited visibility into the cybersecurity problems plaguing the country. In fact, no one entity has a comprehensive view of cybersecurity across the US. That’s why we desperately need more data on cybersecurity incidents from across the US, so that the Federal government can make data-driven decisions about the right tools and actions to improve cybersecurity. The single most important data collection tool available is the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. CISA needs to finalize the reporting rule called for in this act as soon as possible, so that we can start getting the data we need to make better, faster decisions.
We cannot expect to make progress against the cyber threats we face with weak federal agencies devoid of expertise. Absent strong Federal involvement, our cyber problems will get worse, no matter how much money the private sector spends or how many technological widgets it invents. As the George Washington character says in Hamilton, “Winning’s easy; governing’s harder.”