Chapter 5
U.S. Cyber Public Policy
Don't Rely on It to Protect the Brand

We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.

The U.S. Constitution

In a world compromised by the certainty and intensity of the current cyber threat, it is reasonable to require the government to provide for the common cyber defense. Little did the founding fathers conceive of a society and an economy driven not by agriculture and local trade but by invisible electrons traversing the planet and carrying a diverse array of information that fuels the engines of international commerce. How could they have known that enemies of the people and of the state could somehow in the years ahead easily, equally invisibly, and more quickly than the blink of an eye snatch that valuable information out of thin air and turn it to their advantage as if they were the alchemists of some future era?

In fighting against the cyber threat, whether in the form of terrorism, crime, economic espionage, or another scenario, the government of the United States and other governments around the world have an obligation to protect and defend. But that is a complicated mission. No one country is going to defeat the cyber threat. Public policy, though, demands that the United States drive a stake in the heart of cyber defense. The common cyber defense is distributed across various organizations throughout the government. The Federal Bureau of Investigation, Central Intelligence Agency, National Security Agency, Drug Enforcement Administration, Department of the Treasury, Department of Homeland Security, Department of Justice, and Department of Defense as well as each of the military branches play roles in combating the cyber threat. And there are other agencies in the fight. Health and Human Services regulates the protection of health care, and various other regulators are engaged in consumer financial protection, including the Federal Trade Commission. The Internet Crime Complaint Center, or IC3, is an important element of cyber defense, a partnership between the FBI and the National White Collar Crime Center (NW3C).

The federal government has a substantial investment in defending against the cyber threat. However, that threat is extremely diversified. The threat is not flagged—it is not a nation or even some specified natural geographic territory. The cyber threat is intriguing. In some ways, it is like a firearm with a military application: It can be used as a weapon of offense or defense. It can be used to rob banks, or to steal health care records. The Internet can be used to steal information of any kind. It can also be the tip of the spear in an attack on vital infrastructure, from electric utilities to the transfer of money to the distribution of food and supplies of all kinds—a digital force multiplier. Clearly, providing for the common cyber defense is mandatory. The military and the intelligence community use the Internet as a tool of offense and defense. The government has a role in the cyber defense.

But what role? The evidence suggests that the approach to combating the cyber threat is not working.

Executive Order 13636, Improving Critical Infrastructure Cybersecurity, appeared in the media a lot in 2013. The executive order acknowledges that “the cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.” Critical infrastructure is comprised of a number of sectors necessary for the country to operate under reasonably normal conditions. Here's the fundamental issue: Most critical infrastructure operations are connected to the Internet. They are therefore vulnerable. One of the problems with the executive order is that it is an executive order. On the other hand, does the nation really want more laws that mandate how things will be secured?

Not having suffered a massive power outage that spans the nation slows any appreciation for an equally massive undertaking to prevent a digital attack of this magnitude. Not having felt the sting of money ceasing to transit through the wires, or of food not being distributed as it has been, uninterrupted, for decades, any sense of urgency falters. While most experts agree that extreme vulnerabilities exist and are likely to result in disruption or inconvenience on a potentially large scale, the appetite to aggressively pursue the matter is not there. This is not a grassroots issue that translates easily into the everyday life of America or any other country. Perhaps it should be, but the Internet isn't warm and fuzzy, and although many use it, they don't understand its connectivity to daily lives beyond not getting texts, e-mail, surfing, and social media pursuits. Issues larger and more immediate gain greater attention. Yes, there are news reports about credit card data theft, an inconvenience for sure, but few consumers are left out in the cold. A bank is hit by cyber criminals? Again, no bank customers were shot in the holdup.

There are 12 sections in the executive order. In Section 7, Baseline Framework to Reduce Cyber Risk to Critical Infrastructure, the order requires that “the Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology (the ‘Director’) to lead the development of a framework to reduce cyber risks to critical infrastructure (the ‘Cybersecurity Framework’). The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”

That's a tall order, executive or not. It's also a necessary order. But converting a large program such as this into a working solution to the problem is difficult at best. Translation: It is unlikely to happen. As the framework states, “The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible. The Cybersecurity Framework shall be consistent with voluntary international standards when such international standards will advance the objectives of this order, and shall meet the requirements of the National Institute of Standards and Technology Act.” The key word defining the initiative is “voluntary.”

No Guarantees with this Executive Order

Interestingly, there are no guarantees for the continued development of the program, or so it seems. Section 12, General Provisions, states that the program is to be implemented “subject to the availability of appropriations.”

The president “directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure,” according to the National Institute of Standards and Technology. “The Framework will consist of standards, guidelines, and best practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the framework will help owners and operators of critical infrastructure to manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties.”

President Obama remarked on February 12, 2013, in a speech from the White House, that “we can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cyber security information sharing and collaboratively develop and implement risk-based standards.”

If there is to be an answer to the question of how cyber attacks must be met, then surely that answer is this: Government and the private corporate sector must work together, nations must work cooperatively, and every user of the Internet must take personal responsibility. And if there is a myth that abounds, it is that public policy and legislation that results in regulation will solve this complicated issue.

Is it necessary to pass laws and create regulations to implement those laws with respect to protecting personal information? It does seem that way. Is there value in the government working with the private sector in order to better protect a wide range of information, from personal information to trade secrets to the national defense? The answer is yes, but cooperation is no silver bullet. There is no silver bullet. Nevertheless, cooperation between governments and the private sector is essential. It's just that expectation levels need to be established regarding the result of such cooperation, because to date the issues remain clouded, the level of true cooperation less than compelling.

It's time for truth telling. The government needs to hear it, and so does the private sector. The track record of information protection has not been one to brag about. Media headlines every day illustrate the level of compromise. Fifty million credit cards breached here, 100 million breached there. Nation-states stealing technology over the Internet and through foreign nationals based in the United States. From most any perspective, the magnitude of information loss and theft has been frightful, whether we are talking about the U.S. federal government or about industry. Few industries have escaped the swift cyber sword—banks, investment firms, pharmaceutical companies, manufacturers, product development companies, utilities, defense contractors, and other interests.

Working cooperatively requires trust, or at least a high degree of it. To date, there's reason to doubt. No one seems immune. It is no one person's fault, no one agency or one company.

The breach of classified data by Edward Snowden, the NSA contractor employed by a private firm, has brought the issue of information protection and third-party vendors to a new high point, which is actually a low point in terms of information integrity. In this case there was someone with privileged access, who was subjected to a reportedly deficient background investigation, who was able to violate most every basic security tenet and then fled the country. A hearing on Capitol Hill in June 2013 brought the issue into sharp, bitter, and even disturbing focus. That hard focus was delivered by perhaps an unlikely messenger, Senator Jon Tester, a third-generation Montana farmer with a degree in music, who butchers his own meat and carries it with him in carry-on luggage to Washington, D.C. He also serves on the Homeland Security Committee. The subject of the Senate hearing was “Safeguarding Our Nation's Secrets.”1

The senator from Montana said, “Recent events have forced us all to take a close look at the programs carried out by this government in the name of national security.” He was referring, of course, to the Snowden affair. He stated that it was necessary “to raise critical questions about how our government is vetting the individuals, whether they are Federal employees or contractors, who have access to our Nation's most sensitive data.” The same may be said of corporate executives and members of the board of directors. How are these company titans making sure that their organizations don't hire someone who will disclose critical secrets?

Some will argue that such vetting is the responsibility of human resources, or security, maybe risk management, but certainly not the board of directors. Yet look at the impact the Snowden affair has had. The government made a huge error. Companies make these errors, too. The goal is to protect the brand, not to delegate what some executives may think is not worthy of their consideration. That's a bad call.

Senator Tester raised an issue that should be addressed by any executive with fiduciary responsibility, every executive whose decisions contribute to or detract from corporate value and the defense of the brand. The issue is results and accountability. Too often these issues are sidelined.

A week before the hearing, Senator Tester asked General Keith Alexander, the director of the NSA, whose operation had been compromised by Snowden, “a straightforward question. After the outcry of WikiLeaks, after the presidential executive order calling for improved classified network security, and after spending tens if not hundreds of billions of taxpayer dollars to keep outsiders from accessing our nation's secrets, how in the world does a contractor, who had been on the job for less than three months, get his hands on information detailing a highly classified government program that he subsequently shared with foreign media outlets?”

That's a fair question. How many executives are asking this kind of question as they consider the defense of their brand? The follow-up question is, How many are asking that question before a breach occurs, rather than after the damage has been done? The answer is that far too few executives are asking this question before the breach.

If the actions of Snowden had taken place in a publicly traded company, the outcry would have been palpable. Heads would have rolled. But the damage would have been done, and a significant element of that damage would be the reputation of the organization—the brand.

“The long answer is one that we will ultimately require a great deal of soul searching by the folks in this room and throughout the government,” said Senator Tester. “But the short answer is that, in terms of securing classified information, we just do not have an external problem; we have an internal one.” He's right. The problem is not just in the government. The insider threat from employees and third-party contractors is huge. The reason is that, at least in part, the insider is just that: an insider. They are the beneficiaries of a certain level of trust. They are colleagues. Most workers do not think that colleagues are a threat. Colleagues are to be trusted.

Senator Tester went on to say that the government must “examine the efficiency and effectiveness of the security clearance process.” It's unsettling that many in the private sector fail to adequately apply this same standard to managing the reputation of the brand. Understanding who is in a given environment is part of the process of knowing whom to trust and in managing brand reputation. But, again, this is a process often crafted at lower levels of the organization, even though failures in the process threaten the brand.

Government-Industry Cooperation: No Silver Bullet

The government has not yet identified the right process for better risk management, which is why, to at least some extent, cooperation between the public and private sectors, while potentially helpful, is not that silver bullet. Managing risk must be a collaborative process, as much as it must be an individual approach. Reliance upon regulation and government oversight is not the answer, yet it is perceived to be the answer by companies that make the potentially fatal assumption that complying with regulations makes them secure. While the aim of the government may be to protect and defend, the reality is often far different.

In that same hearing with Senator Tester, Senator Claire McCaskill of Missouri raised an interesting point. More than 90 percent of the background investigations done for government employees and contractors are conducted by the U.S. Office of Personnel Management, not third-party contractors. The government process, like many in industry, is flawed, even seriously flawed.

Said Senator McCaskill, the committee's research “portrays a government agency where there is fraud, limited accountability, and no respect for taxpayer dollars. Conducting and managing background investigations costs the federal government over $1 billion per year.” And what is the return on that investment? This is the question that executives and boards need to ask. The government has demonstrated that it has serious woes in managing information. But is industry doing any better? Not really. This is one area in which industry and government share much. It's just that the actions of government strike with an extremely wide swath and the impact can be felt by an entire nation.

Senator McCaskill was “shocked to learn” that the fund associated with the Office of Personnel Management used for conducting background investigations had never been audited. While the inspector general had attempted to conduct an audit, “The agency simply does not have or keep records that would allow him to do an audit.” This raises the issue of whether companies are auditing third-party vendor firms conducting background investigations. In any case, it is clearly not a best practice.

Since 2007, 18 investigators have been convicted of falsifying investigations. “There are more than 40 other active and pending investigations into fabricated investigations, and it is possible that there are far more,” the senator said. Such an admission certainly calls into question the efficacy of the program, as well as the legitimacy of it. How many employees at private companies conducting background investigations have been falsifying investigations? How many corporate clients of these background investigation firms have even asked the question?

Senator McCaskill remarked that these failures are “a reminder that background investigations have real consequences for our national security.” And for the corporate brand.

In the same hearing, Senator Rob Portman of Ohio said, “The security clearance process, performed well, is critical because it ensures that our nation's most valuable information is protected while ensuring that we have the necessary personnel to conduct the duties that we need to have them out there doing to protect our country. Done poorly, it can be incredibly damaging. We run the risk of damaging leaks, hamstringing our agencies' abilities to fulfill their missions, as we have seen in cases over the last couple years, harming our allies and our ability to build alliances around the world.” The same may also be said of any company's failure to ensure the integrity of the process.

Voluntary programs are often doomed to failure. Regulatory mandates help but are not generally successful, though regulations do establish a basic minimum requirement, which is better than nothing. Still, even mandated compliance levels are low, and even when compliance works, various regulations can seem contradictory and vary significantly from state to state and from one nation to the next. International cooperation is complicated. Obeying the rules internationally sounds great, but then reality interferes. Economic competition trumps strict adherence to the rules. Is it likely that China or other level-one economic competitors are going to stop using the Internet for domestic gain and international penetration of competitor sites? Visions of “one digital world” may sound appealing, but that is an unlikely scenario. It is not going to happen. Rooms full of diplomats pontificating about trade agreements and the economy and the state of relations are not going to result in the cessation of digital surveillance and information theft. Setting national goals, and then pursuing those goals as participants in the global economy, does not typically include detailed discussions of what is fair or just outside of domestic interests. This is neither criticism nor endorsement. It is simply reality.

The Challenge of Defining Cyber Public Policy

Defining public policy within the context of the cyber threat is challenging. A lot of energy and money is being invested in devising a comprehensive solution, and a lot of intellectual cycles are being burned as the threat intensifies. The U.S. government is doing a lot of the right things in the cyber defense, but the problem is immensely complex. There's also the issue that government is not doing everything right either. Perhaps expectations of the government are too high. How much is enough? Borrowing from the comic strip character Pogo, it is fair to say that “we have met the enemy and he is us.”

The Internet wars are pervasive and multidimensional and consist of many elements: offensive strikes against military targets, state-sponsored espionage, industrial espionage, transnational organized crime, money laundering, personal information theft, credit card theft, medical records theft. Rogue insiders compromise data and systems. Malicious intent and administrative errors seem to be the norm. The cyber threat affects everyone: individuals, families, cities, companies, organizations, governments; little remains untouched by its impact, including banks, hospitals, manufacturers, technology companies, utilities, and more. The easier observation is what isn't impacted. That's a short list. In other words, the threat is pervasive, and where the threat is so pervasive, the mitigation strategy is necessarily complex.

Several areas of improvement are needed in the development of public policy. Like the efforts to develop the atomic bomb and the race to the moon, the cyber defense initiative must be an extremely high priority. These vast initiatives required an integrated dedication by government and industry based upon the dimension of the threat. During World War II the necessity of developing the atomic bomb was based on the potential consequence of losing that conflict, which was an unacceptable outcome. While the cyber defense initiative is not equal in terms of impact, it is a model for winning the cyber wars. The race to the moon, begun during the John F. Kennedy administration, is a similar comparison. These ventures brought together the best minds, focusing vision and financial resources to prevail in times of great peril. Both World War II and the Cold War placed the United States and its allies at great risk of harm.

Cold War II: The Cyber Chapter

Cold War II is taking shape. Its evolution, though developing at a rapid pace, is often hard to see. For years it was practically invisible. Cold War II will ultimately be the story of the cyber threat. Like forces mounting on the front in preparation for a massive offensive advance, the cyber threat is diversified, mobile, swift, and ultimately destructive and perhaps even disabling. What Cold War II lacks is visibility. In World War II the image of a foreign army invading domestic shores brought fear and uncertainty into the land, resulting in an unprecedented response throughout the nation that brought the United States and its allies to victory. In Cold War I, the Soviet satellite Sputnik and the parades of military might in Red Square signaled a new age, one of technological and military achievement for the Soviets and one of uncertainty for the United States and its allies. The space race was not just about the ability of a country to place into a low earth orbit a mechanical object with technological and communications capabilities. The larger statement was that the United States was behind in this race, and losing it held unacceptable strategic consequences. It represented a military threat, a threat to the economy and society, and to Western civilization.

Cold War II is at the early stage of this evolutionary trajectory. The cyber dimension is not just a tool of the economy. Ultimately, it is a weapon of vast offensive and defensive capability. The failure to develop it will result one day in a conflict in which there will be a winner and a loser. As in World War II and in Cold War I, the force of deterrence will decide victory. The atomic bomb and the space race signaled a power ultimately measurable in degrees of stabilization, economic growth, international trade, military restraint, and diplomatic relations.

The cyber dimension is a threat, yet it is also an opportunity. Left unaddressed, it is a threat that guarantees painful consequences in the form of expanded nation-state economic espionage, geopolitical realignment, retrogressive diplomacy, pervasive transnational criminal engagement, and even loss of military superiority. Anyone doubting the contribution to military superiority of the Internet need only consider advanced malware targeted at communications interruption, critical infrastructure disruption and disabling, intelligence collection and enhanced analysis (Big Data), disinformation dissemination, and command and control interference and confusion.

The threat is clear, the opportunity less so. Right now, the strategy seems to be that industry is required to follow certain applicable regulations, which vary by circumstance and jurisdiction, though many industries have little or no regulatory requirements. Government pursues cyber security through many agencies and administrations. Critical infrastructure is a seeming hybrid of industry and government. These companies may sit in the private sector but must be responsive to the constantly changing threat condition. Companies want less regulation, government wants more of it. Consumers seem absorbed in the technology that enables mobility and social flourishing.

The difference between now and during World War II and Cold War I is one of perception and mission focus. World War II became an all-out effort to win the war, and the atomic energy program was the strategic focus to end the war in the Pacific. Nations thrive on multiple and sometimes disparate moving parts that seek to work synchronously in order to achieve a desired result: mission focus. This happened in World War II and in Cold War I's race to control space. A sense of destiny drove the nation. Destiny meant win or lose. Public policy reinforced the commitment to win. There was no middle ground. A middle ground was an indecisive result, leaving in question the outcome.

There is no sense of destiny associated with the cyber threat. There are several reasons for that. First is the misfire between government and industry, which can be seen in the government's timing and commitment level. The United States is quite likely behind China in the creation of a powerful and effective cyber force, making its position one characterized by the need to coordinate, accelerate, and surpass. It is easier for China, just as it was for the Soviet Union. Diversity of thought in communist regimes is subsidiary to the interests of the state. The cyber machine and mentality in China is not subject to voluntary participation, and funding is not subject to availability. In China, cyber is part of a strategy, an elemental piece of a larger strategy that permeates the national consciousness. Part military tactics, part intelligence collection, part economic espionage agent, and part economic expansion and global communications facilitation, all things digital are strands of a greater mission tied to China's interpretation of destiny.

That destiny won't work in the United States. The government in China may have made decisions pursuant to destiny, but its people have not. It's more complicated in the United States, and that makes cyber superiority even more difficult to achieve. The path to such a destiny in the United States will have to be paved with industry and the consent of the people. Public policy in the United States should reflect the will of the people, the will of industry, and the commitment of government to provide for the common defense of the best interests of the nation. Until such alignment shapes and sharpens the clarity of a cyber destiny, where the common defense of the future is an imperative, Cold War II will not result in favorable positioning.

Some argue that U.S. public policy reflects a cyber destiny. That's doubtful. It doesn't measure up to the examples of World War II and Cold War I. But why? What is the crucial difference between the race to build the atomic bomb or land on the moon ahead of the Soviets and the coming cyber threat? It's fear.

The nation feared an invasion of Japan and even the loss of the war to the Empire of Japan. Americans engaged in combat were dying daily. An invasion of Japan, it was estimated, could result in a million American casualties, even in victory. Fear of more loss of life than was necessary was a powerful incentive embraced by the government that ultimately was accepted by those whose loved ones could have perished in such an invasion. There was no shortage of fear in Cold War I. Visions of nuclear mushroom clouds, delivered by intercontinental ballistic missiles (ICBMs), filled the American consciousness. The race to space would establish at least technological parity, eventually resulting in a landing on the moon, a level of superiority translatable into military positioning and posing a retaliatory threat to an ambitious and acrimonious Soviet Union.

Today's cyber threat falls short of the fear factor of the past. No military invasion by flagged hostile powers is likely. No nuclear-tipped ICBMs trained on American targets pose a viable threat. Terrorists, transnational criminals, spies, and political and military use of the Internet have not yet aroused fear comparable to the historic fears of the past.

Almost by preapocalyptic definition, the cyber threat is not going to shape a public policy mandate. That will come after some grave event in the future. For now, the government may be expected to continue to work toward its stated goals as defined in the national cyber security agenda, including a program aimed at defending critical infrastructure. Law enforcement will continue its efforts in investigation and prosecution. The threat is considerable, funded by nation-states and criminal organizations that know no boundaries of geography or simple human decency.

In the absence of a quantifiable cyber destiny that meets the examples of decades past, the cyber threat will have to be met at the front gates of industry. Protecting the brand falls to those who own and manage the brand. This places a great burden on companies, which historically have not fared well in the face of the cyber threat. Largely misunderstood, the cyber threat has been a secondary concern for many in the private sector. Only recently has the boardroom begun to address the cyber threat within the context of the war on industry.

So as not to be misunderstood, the government is making strides and is taking action against the cyber threat. So is industry. That said, it is abundantly clear that the consolidated response to the cyber threat necessary to win the cyber war has not shaped public policy and has not sufficiently seeped into the psyche of an unprepared government and industry. In the final analysis, every company and every user has a responsibility in the cyber wars. But this is an uphill climb. While many companies are beginning to get the message, users don't think about security. There's no fear. Devices digital are part of work, part of pleasure and fun, part of the fabric of a mobile, digital life.

Is There a Silver Lining in an Attack?

In the words of Winston Churchill, “A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty.” In the cyber defense, the country seems stuck somewhere in the middle. An opportunity does exist to advance the agenda of cyber security. It requires commitment. It requires cooperation, domestically and internationally. If there is a silver lining in the increasing number and severity of cyber attacks, it is that the result is visibility of the invisible. It is impossible not to be aware of the trends. In both houses of Congress, in the White House, in most any government around the world, in boardrooms throughout corporations large and small, for-profit and nonprofit, awareness of the predicament is growing.

There is opportunity in this difficulty. Politics have divided many efforts to ensure the integrity of the electrical grid, for example. In the United States, Democrats have favored more regulation, Republicans less regulation. Legislation at the federal level often reflects the great difficulties in passing new laws. The result is often watered-down legislation, based on intense disagreement and negotiation. Some state legislation can actually be stricter.

It was an attack on the electrical grid in California in the spring of 2013 that may hold the key to bipartisan efforts to protect the lifeblood of the country—electric power. In an act of sabotage, a Pacific Gas & Electric Corporation substation in Northern California was attacked, not over the Internet, but with tools that cut telecommunications cables and firearms that ripped into the substation. The severed AT&T fiber-optic lines disrupted phone and 911 service. According to media and government sources, more than 100 rounds hit the facility, disabling 17 of 20 large transformers.

Due to concern about the attacks and the vulnerabilities of this area of critical infrastructure, bipartisan support is surfacing for protection of these assets. A letter of February 7, 2014, from Senator Dianne Feinstein of California and several other senators to the chairman of the Federal Energy Regulatory Commission noted, “We are concerned that voluntary measures may not be sufficient to constitute a reasonable response to the risk of physical attack on the electricity system. While it appears that many utilities have a firm grasp on the problem, we simply do not know if there are substantial numbers of utilities or others that may have not taken adequate measures to protect against and minimize the harm from a physical attack.”

Was this a dry run executed by foreign terrorists? Was it an extreme environmental group? The attack was sophisticated, and is under investigation by the FBI. Attacks against the electric grid and telecommunications infrastructure are a national security issue with immense implications where they succeed.

Voluntary measures are not enough to protect against physical or cyber attack. In fact, it is reasonable to forecast that future serious attacks against critical infrastructure are likely to be an integrated strike consisting of cyber and physical elements. Such an attack would create confusion and disruption of services, perhaps on a wide scale. Placing the political agenda behind the national security and safety interests of the nation is necessary. This is up to elected officials. There is no better time to pursue a bipartisan effort. The failure to act will have telling consequences.

Bipartisanship alone is not sufficient to meet the demand of the threat. Greater cooperation between government and industry is necessary. Yes, there are programs in place. And yes, there is communication. But there does not appear to be sufficient intelligence sharing about specific cyber attacks. It would seem reasonable that intelligence sharing would benefit everyone in the war against cyber attacks. Making this a requirement seems natural. But in the world of politics, what may seem unwaveringly logical is not always clear. Take, for example, a bill that should have passed to become law, a bill that would help the government and industry combat cyber attacks. The brief history of this bill is a lesson in how government, despite the best of intentions, is failing in some aspects of protection against cyber attacks.

But first, let it be stated here that those on the front lines of cyber defense, from law enforcement to the military and intelligence agencies, work hard in the defense against adversaries armed with computers and the Internet. Their work is often unrecognized, and their lives are often in jeopardy. Those they investigate are not beyond retribution. They are not the issue. But here's what is.

Government and industry are currently unable to share cyber threat information. Under Title XI of the National Security Act of 1947, it is illegal to share this information. Intelligence includes both foreign intelligence and counterintelligence. Officially, foreign intelligence means information regarding the “capabilities, intentions, or activities of foreign governments…foreign organizations, or foreign persons, or international terrorist activities.” Counterintelligence means the “information gathering, and activities conducted, to protect against espionage, or other intelligence activities, sabotage, or assassinations conducted by or on behalf of foreign governments…foreign organizations, or foreign persons, or international terrorist activities.”

The range of information sources is broad, including the Office of the Director of National Intelligence, the Central Intelligence Agency, the National Security Agency, the Defense Intelligence Agency, the National Geospatial-Intelligence Agency, and the National Reconnaissance Office. Information also comes from the intelligence offices of the Federal Bureau of Investigation, the Department of State, the Department of Energy, the Department of the Treasury, the military branches, and elements of the Department of Homeland Security.

The National Security Act addresses “national intelligence” and “intelligence related to national security” and information involving “threats to the United States, its people, property, or interests.” It also specifies information about “any other matter bearing on United States national or homeland security.”

In the 112th Congress, in November 2011, a bipartisan bill, H.R. 3523, was introduced that would have amended the National Security Act of 1947 and its 2007 amendments to allow the government and industry to cooperate in the national cyber defense. Clearly, cyber attacks represent a threat to the “United States, its people, or interests.” A bipartisan effort combating the escalating digital threat, H.R. 3523 was one of the few contemporary demonstrations of agreement between Republicans and Democrats. There was good cause for both sides of the political aisle to cooperate, and the bill was passed on April 26, 2012, by a vote of 248–168, including 42 votes by House Democrats.

Authored by Representative Mike Rogers (R-MI) and Representative Dutch Ruppersberger (D-MD), respectively the chairman and ranking member of the House Intelligence Committee, the bill would have allowed the U.S. intelligence community and private industry to share certain information about the complex array of cyber threats concentrated on the United States. Under strict rules and conditions, defined by the director of National Intelligence and monitored by Congress, industry and government would have been able to more effectively coordinate a defense against potentially devastating cyber attacks. Though the fact is hard to believe, it is currently illegal to share this information. It is worth noting that federal restrictions impeding information sharing between the FBI and the CIA contributed to the attacks of 9/11.

In order to have been eligible to receive intelligence, companies would have to have been able to demonstrate to the director of National Intelligence that classified information could be handled securely. The concept of the private sector possessing sensitive government information is not new. In fact, it is a long-held practice. Some 10,000 U.S. defense contractors have access to classified information, which requires special security protection. Has that record been perfect, free from abuse, from internal misuse and external acquisition? No. But the system does work. The fundamental framework is reliable, it is protective, and it can work to help defuse the cyber threat. However, H.R. 3523 died a quiet death in the Senate.

It was resurrected in February 2013 in the form of H.R. 624, the Cyber Intelligence Sharing and Protection Act. In late April that year it was passed in a bipartisan effort by the House in a vote of 288–127. The nonpartisan Congressional Research Service remarked of H.R. 624 that it “amends the National Security Act of 1947 to add provisions concerning cyber threat intelligence and information sharing.” It would direct “the federal government to conduct cybersecurity activities to provide shared situational awareness enabling integrated operational actions to protect, prevent, mitigate, respond to, and recover from cyber incidents.”

The bill also “defines ‘shared situational awareness’ as an environment where cyber threat information is shared in real time between all designated federal cyber operations centers to provide actionable information about all known cyber threats.” H.R. 624 would direct “the DHS, Attorney General, Director of National Intelligence (DNI), and Department of Defense (DOD) to jointly establish and periodically review policies and procedures governing the receipt, retention, use, and disclosure of non-publicly available cyber threat information shared with the federal government.”

The signing into law of H.R. 624 would enable a comprehensive effort to reduce the many risks associated with cyber attacks. It recognizes that such attacks are potentially devastating threats to the economy and to national security and that those threats represent rapidly evolving capabilities that can be difficult to identify, monitor, and mitigate. The bill recognizes that the cyber threat is an asymmetric, nontraditional national security and economic threat that requires the participation of industry and the government in order to be addressed. Sharing intelligence under tightly constructed rules is fundamental to addressing the cyber threat, arguably one of the most significant threats facing the nation. The United States has the capability to conduct this cyber defense program, it has the demonstrated need, but it lacks the purpose and immediacy to make this public policy. Unfortunately, there's little chance H.R. 624 or any successive legislation will pass in the Senate.

This condition is somewhat reminiscent of the days in this country leading up to December 7, 1941. Up until then, most polls showed that some 80 percent of the country had no appetite to fight Germany or Japan. Robert E. Sherwood, an American playwright and speechwriter for President Franklin D. Roosevelt, in the days leading up to that “day of infamy” observed that most Americans were more interested in the Army–Notre Dame football game. The surprise attack on Pearl Harbor changed everything.

It seems reasonable to suggest that the nation has failed to rally in support of a cyber war against its aggressors. The government knows the level and significance of the threat, much like it did before World War II. The people, however, in large measure, do not. Until there is enough pressure brought to bear on the political and legislative process, the will in Washington will remain in doubt. Public policy in support of a strong offensive and defensive cyber state reflects the interest level of the people and industry. Right now the focus is elsewhere, and there will be a price to pay for that.

Ideally, the war against the cyber threat would include most of the nations on the planet. A cyber crime in one country would be a cyber crime against all. But that is not the case, not really. There are levels of cooperation, yes. But it is not enough. Accept from government whatever intelligence and information is available. But don't depend on the government to solve the problem. Protecting the brand is the responsibility of every board of directors and every chief executive. Lobbying for better public policy will help. But until there is an attitudinal shift, perhaps brought about by a disabling cyber attack, circle the wagons around the brand and manage operational risk consistent with the threat level. Of course, establishing that threat level will require more guesswork until things change in Washington, D.C.

According to privacy attorney Ellen Giblin of the Ashcroft-Sullivan LLC law firm in Boston, Congress should “authorize the government to provide private companies with classified cyber threat information. Empower businesses to share threat information with each other and the government on a voluntary basis, and limit the liability for companies that share threat information.”2 None of the above will protect your brand and indemnify companies that suffer a cyber attack. But then again, the government is really not the vendor of the Internet. Financial institutions are looking to the government to indemnify them from attacks to online banking. Perhaps the government should tax or subject to fees each banking transaction on the Internet to provide a central fund the banks can draw on to increase their security and make them whole after a cyber attack.

Failure to sign into law H.R. 624, or anything like it, is the digital equivalent of muffling the communications capability of the American Revolution's Minutemen, who served as an early warning and response system. Would the British attack by land or by sea? It is hard to fathom such an information and intelligence gulf between the colonial militia, the blacksmith, the farrier, the silversmith, and the lamp maker on April 18, 1775.

One thing we do know is that the next attacks are not likely to come by land or by sea, but by way of the Internet, ironically a communications system of last resort devised to prevent mutually assured destruction in a nuclear war. The real question is, how will we know if a cyber attack is about to happen? Perhaps the Cyber Intelligence Sharing and Protection Act should be renamed the Paul Revere Act of 2014. Maybe then it would pass with less resistance and become the law of the land. Everyone would be better off for it.

Thomas Paine said, “The instant formal government is abolished, society begins to act. A general association takes place, and common interest produces common security.” Government is not likely to be abolished, but take Thomas Paine's observation under advisement. Think now. Act now. Society must act; nation-states and organized crime are already in motion.

Notes
