A friend who is a former Representative and a respected advisor of many senior politicians recently asked me for some thoughts on cyber legislation. In general, people ask my thoughts because of time I’ve spent working strategic cyber issues in the Cyber Conflict Studies Association (CCSA) or because of my history at DoD’s Joint Task Force for Computer Network Defense (JTF-CND) or perhaps because as a techie and a writer I try to track technological contributions to the issues. People generally don’t ask me to comment on legislation since I really don’t track that closely.
But, over time, I have come to a conclusion on the most important cyber legislation the nation needs and I would like to share that with you.
So here is how I replied to the request from my friend the former representative:
I worry so much about the state of cyber. I worry about our tech, our education system, our procedures, our laws, our military, our economy. But the thing I worry the most about is the continual inaction. And I think that is because of a lack of awareness and a general ignorance of the state of cybersecurity.
So, I’ve become convinced that the most important thing we can do is drive for better metrics on the state of cybersecurity in the nation.
Like Abraham Lincoln said, “If we could first know where we are, and whither we are tending, we could better judge what to do, and how to do it.”
So, if there was one thing to put in legislation, it would be coherent breach reporting guidelines. We need this in order to generate data that can drive assessments and awareness and help with fact-based analysis on what to do next.
Everything else is secondary. Get the metrics on breach reporting, and that should hopefully help drive the many other actions required.
I agree completely. As a technical editor/writer (communication.openhill.com) and language expert (Mandarin, some Spanish), I see that this issue of cybersecurity is not a rocket science, difficult-to-understand thing. But it is an important issue and the way to go about addressing it is ‘first things first.’
Knowing the metrics (and defining what they are) and defining the issue at the beginning is the proper approach.