Every aspect of our modern human existence and activity is now supported by a cyber ecosystem — the economy, every industry, every supply chain, our food and water supply, heath care, education, all aspects of communications, critical infrastructure, transportation, the operation of nearly every military system, personal living, and more. The function of the United States and its society are totally dependent on this ecosystem.
This ecosystem weaves together computers, a panoply of digital devices, sensors, and equipment connected into vast networks like a nervous system that detects, sends signals, responds, and transmits information with ever-growing scale and complexity, controlled by an ever-expanding range of software, and distributed across our natural, built, production, and personal environments.
Money, Mayhem, and Stolen Secrets. Every minute of every day, this ecosystem is under threat or attack, and probed constantly by hostile actors looking for its weaknesses.
We are battling a rouges gallery of cyber culprits. Nation states undertake cyber intrusions to advance their strategic economic, technology, and military objectives. Terrorists and extremists see cyberattacks as tools of disruption and destruction. In underground online marketplaces, cyber criminals and crime rings traffic in illicit tools, stolen personal identification, credit card accounts, and corporate data. Billions of individual accounts have been affected by data breaches and personal information theft. IBM reports that the average cost of a data breach has reached an all-time high, $9.4 in the United States, the highest in the countries studied.
Banks have had tens of millions of dollars stolen, and ransomware attacks have cost companies millions. Critical public services and safety operations have been hit with ransomware including hospitals, police departments, 911 systems, county jail systems, and schools. In 2015, a phishing attack on the Joint Chiefs of Staff unclassified email servers resulted in an 11-day shutdown, affecting the work of 4,000 military and civilian personnel. The ransomware attack on the Colonial Pipeline disrupted nearly half the East Coast’s fuel supply. A breach at a pivotal company could be a force multiplier, disrupting an entire supply chain.
Through cyber-enabled collection and espionage, companies have had trade secrets, client lists, merger and acquisition data, company information on pricing, and financial data extracted from their networks. Collectors are especially interested in technologies vital to competitiveness and national security.
As the physical world and cyber world have converged through sensors, networks, and data, what happens in the virtual world has come to the physical world, creating threats to society and human safety. For example, industrial controls are used in nearly every industry and in critical infrastructure. Attacks on these controls can disrupt or destroy the equipment they control. Hackers breached the network in a German steel factory, and tampered with the controls of a blast furnace. The furnace could not be shut down in a controlled manner, resulting in massive damage to the plant. A cyberattack on circuit breakers took down a Ukrainian power grid. Iranian hackers intruded into the industrial control system of a U.S. dam. This is real danger!
A Whole-of-Nation Challenge. The sprawling reach and growing complexity of the cyber ecosystem has made it ever more vulnerable to attack, crime, and malicious activity. Yet, protecting the ecosystem from attack has devolved down to the smallest digital actor — small businesses, workers in offices and factories, soldiers, health care workers in hospitals, students in schools, and ordinary people using the Internet or exchanging emails. While large businesses have the resources and professionals for sophisticated protection, many small businesses do not and must depend on their owners and workers to defend their systems.
According to the Cybersecurity and Infrastructure Security Agency, more than 90% of successful cyberattacks start with a phishing email. The failure of one person in an office to recognize a phishing attempt could put critical services or the personal information at risk for millions of people. Clicking the wrong link in a fake email message from your bank may instruct you to click on a link to reset your password and PIN exposing those to cyber criminals, or allow a cybercriminal to encrypt your data and demand a ransom for it. Cybercriminals will use every method available to gain valuable information from you.
We All Must Be Cyber Guardians! No government or industry can tackle this mega-threat alone. Every business, every worker, and every individual that uses this cyber ecosystem must take precautions to avoid becoming a target, and help protect this vital national security, economic, and social system. At every level, we need cybersecurity skills — from professional cybersecurity experts to entry-level computer support personnel to employees in our workplaces to individuals using computing devices and the Internet at school or home. For example, the Bureau of Labor Statistics projects that employment of information security analysts — who plan and carryout security measures to protect computer networks and systems — will grow 33% this decade, with an average of about 16,300 job openings each year over that period.
In mid-July, I participated along with top leaders from the Biden Administration, business, and academia in the White House National Cyber Workforce and Education Summit, convened by my colleague Chris Inglis, who was unanimously confirmed last year as this nation’s first National Cyber Director. The event focused on building our nation’s cyber workforce, and ensuring that all Americans have the skills and knowledge needed to engage in our digital ecosystem effectively and safely.
Participating companies committed to contribute to these goals through apprenticeship, upskilling, executive education, and training initiatives. Through two new working groups — on the Future of Work and the Future of Technology — the Council on Competitiveness National Commission on Innovation and Competitiveness Frontiers will address how to advance and optimize cyber infrastructures of the future, including the robust cybersecurity and resiliency on which these digital platforms depend.
The Council will build on its Secure — Ensuring Resilience and Prosperity in a Digital Economy initiative, which convened three dialogues that engaged 150 experts in the cyber field from industry, academia, labor, national laboratories, and government. These deliberations helped form the Council’s National Agenda for Cybersecurity. This “call to action” initiative included recommendations on building cybersecurity skills in the United States, such as: developing state and/or regional cyber first responders, expanding access to cyber resources for small and medium sized companies, expanding the cybersecurity workforce, reforming curricula at the nation’s colleges and universities to better meet the demand for cyber-savvy students and workers, breaking down barriers that prohibit or limit cybersecurity practitioners from serving as educators, and increasing the cyber awareness of the general public.
Since the release of our call to action, the targets, the frequency, sophistication, and severity of malicious cyber incidents have only grown in scale and scope. We all must raise our cyber defenses; our lives and livelihoods depend on it. As National Cyber Director Inglis warned, shared defense is not a choice, but an imperative!