America’s top cyber official is proposing to overhaul the government’s relationship with industry to stop hackers capable of holding critical infrastructure hostage.
National Cyber Director John C. Inglis’ vision for a “Cyber Social Contract” involves new government standards, intimate collaboration with businesses and new government bureaucracies modeled on those governing other industries.
Mr. Inglis outlined his aspirations in an essay, co-written with his strategy adviser Harry Krejsa, for Foreign Affairs that said “market forces alone are insufficient” to provide necessary cybersecurity for government and important industries, which handle things such as the flow of fuel.
“The United States needs a new social contract for the digital age — one that meaningfully alters the relationship between public and private sectors and proposes a new set of obligations for each,” Mr. Inglis and Mr. Krejsa wrote in the essay published Monday.
The cyber officials said such changes would follow from those that led to the development of the Food and Drug Administration, the Pure Food and Drug Act of 1906, the formation of the Environmental Protection Agency, the Clean Air Act of 1963 and changes in oversight of the aviation sector by the Federal Aviation Administration in the 1990s.
The Biden administration has already started forming new government boards and cyber industry partnerships. The Cybersecurity and Infrastructure Security Agency took a lead role in the government’s creation last year of a Joint Cyber Defense Collaborative that enlists tech companies to work alongside the law enforcement and national security community to fight cyberattackers.
Mr. Inglis and Mr. Krejsa wrote that President Biden’s new “Cyber Safety Review Board” is modeled on the National Transportation Safety Board, which investigates accidents in the transportation sector and makes recommendations for how the government and private sector should change.
The Biden administration has tasked the Cyber Safety Review Board with studying a hack of the open-source logging platform Apache Log4J and wants a report with recommendations this summer.
To foster the professional and operational intimacy the Biden administration wants, the cyber officials said the government is “easing contractual barriers” that formerly prevented people outside government from sharing threat information with the government.
“Translating this level of mobilization into systemic change across the private sector will be a more difficult proposition,” the cyber officials wrote. “Doing so will require an unprecedented level of collaboration between government and industry.”
The unprecedented level of collaboration represents part of the U.S. answer to stopping future software supply chain hacks in the aftermath of the breach of SolarWinds computer network management software that compromised nine federal agencies. The U.S. government has attributed the SolarWinds fiasco to Russian hackers.
A new American approach to collaboration with the private sector is also noticeably different from China's policy of military-civil fusion, which forces cooperation from academic and corporate institutions.
Under Mr. Inglis and Mr. Krejsa’s vision, the private sector needs to prioritize security and resilience in software development and hardware manufacturing and the government will look for ways to help ease that transition, including by “setting standards, incentivizing norms, and providing information.”
“With a shared and affirmative vision, the public and private sectors can build a new social contract that facilitates that transition without undermining the integrity and vitality essential to an innovative economy,” the cyber officials wrote. “By identifying the digital future the United States wants to create and the social contract that could sustain it, Americans can fortify their resilience and establish rewards for good behavior and costs for bad behavior.”