On November 17th, The Academy and the American University School of Public Affairs kicked off the first of their four Presidential Transition forums with a robust discussion on the Institutional Barriers to Cybersecurity. The forum, which was held at the University Club in Washington, D.C. and featured several panelists associated with American University, covered such topics as the cyber capabilities of terrorist organizations, the federal government’s role in aiding small businesses in cybersecurity, and educating employees and students to prevent internal lapses in security.
Each of the four Panelists—Tricia Bacon, Chris Wilkins, Bill DeLone, and Priscilla Regan—provided commentary on what they believed to be the largest and most daunting institutional barriers to implementing sufficient cybersecurity measures in government. A few of the barriers provided by the panelists included:
- Lack of support from top leadership
- Insufficient resources
- Inherent tradeoffs between time/resources and proper security measures
- Unfamiliarity with cybersecurity and IT among top executives
After each Panelist concluded their opening remarks, the moderator, Professor Howard McCurdy, opened up the floor for questions, which spurred an interesting and engaging discussion between the audience and the Panelists. Several of the more interesting questions (with answers below) and points raised during the session were:
- Why don't the SES requirements include a deeper understanding of technology and cybersecurity?
- If the cyberattacks conducted by terrorist organizations become more offensive and sophisticated in nature, will they look different from those conducted by traditional state actors? If so, what is the government doing to proactively prevent them?
  - While it is safe to assume that terrorists will convert their cyberattacks from small-scale disruptions to larger, more devastating assaults on infrastructure and personal data, it is important to acknowledge the good news: these attacks will look more similar to the attacks we have seen recently from state actors and criminal organizations that the government is already preparing for.
- How do you get people to take internal cybersecurity training more seriously? Many agencies and institutions conduct these training exercises simply as a matter of compliance and an item on the checklist.
  - A few solutions include incorporating cybersecurity compliance into performance reviews, frequently testing one's knowledge of the proper protocols, and instituting regularly recurring training.
The thought that our critical infrastructure and personally identifiable information are facing constant threats from hundreds of malicious attackers of various natures is naturally discomforting. The Panel closed, however, by reminding the audience that each and every one of us plays a role in preventing these attacks. The contribution could be as simple as creating a complex password or as audacious as encouraging your employer to establish more rigorous security protocols, but as long as cybersecurity remains in the back of everyone's mind, the country will undoubtedly move towards a safer place.