By Jeb Bush
With alarming regularity, foreign-intelligence services, terrorist groups like ISIS, rogue hackers, and common thieves are conducting attacks against computer networks belonging to the US government and private companies, and against critical infrastructure like power companies, hydroelectric dams, and water-treatment plants.
In the face of this threat, we can be certain of one thing: We can't trust someone as our next president who didn't take cybersecurity seriously when she was secretary of state.
Sensitive US military networks have been targeted. Federal agencies have been hit. Local governments have been attacked. Voter databases have been compromised. Multinational companies, banks, casinos, health insurers, Hollywood movie studios, pharmaceutical manufacturers, Silicon Valley titans, online and brick-and-mortar retailers -- the list goes on and on.
It is said there are two types of companies: those that have been hit by a cyberattack, and those that don't yet realize they've been hacked.
Virtually every aspect of our way of life in the 21st century depends on data stored in or communicated via the Internet; failure to secure it will harm all of us.
Recent high-profile cyber attacks are another reminder that we are not keeping up with the growing threat, and there are thousands of more attacks that go unreported and unnoticed by the general public. I have a plan to address this growing threat.
Cybersecurity is not solely the responsibility of the federal government, but the next president must harness an array of tools to confront this challenge. Without meaningful presidential leadership, there is little chance the US government, private sector, and international partners will coordinate effectively to secure the Internet. As president, I will ensure the private sector is provided the most current threat information, the best practices and standards to protect systems and critical infrastructure, and a legal framework that better allows it to defend itself.
As with national security generally, cybersecurity has been undermined by a lack of leadership and by massive cuts to the US military and intelligence community imposed by Obama and Congress. The backbone of US intelligence efforts and frontline defense against cyberattacks are the talented intelligence professionals and law enforcement officers who work tirelessly in the shadows to identify, deter, and respond to cyber-attacks. They do not deserve to be demonized by the political class in Washington, but rather praised and provided with the capabilities and authorities needed to keep America safe.
Although our military and intelligence community are often ahead of the cyberthreat curve, the rest of the government clearly lags behind, as thetheft of millions of documents from the Office of Personnel Management demonstrates. If it is to lead the way in addressing these threats, the federal government must put its own house in order, prioritizing to reflect the urgency and importance of protecting key databases and communications. Agency chiefs who fail to prioritize cybersecurity and poorly performing IT managers must be held accountable.
Good cybersecurity is not just about technological solutions and physical improvements to firewalls, perimeters, and data links, but about the cultural and behavioral aspects of security. Just as preventative maintenance keeps our cars running, so too must we use best practices and vigilance to keep our networks secure and our data safe. The government has a role to play in promoting, and adopting, these best practices, and in helping to change the culture of complacency that makes us vulnerable.
The average time lag between a cyber attack and when the attack is detected is roughly 200 days. We need to adapt our approaches to cybersecurity so we are more likely to detect an intrusion before it its too late. This means more regularly scanning networks, applying new technological tools to detect intrusions, and better sharing of threat signatures so an attack on one does not lead to an attack on many. Recently passed legislation to increase information-sharing between the government and private sector, and within the private sector, is a step forward but more needs to be done.
Deterring attacks in the first place is as important than detecting them. We must increase the cost to those who are stealing our nation's intellectual capital and personal information. Exposing, sanctioning, prosecuting, and in some cases retaliating against these attackers will help deter other would-be attackers.
Presidential leadership will be needed to encourage international partners to join us in writing international rules of the road and legal frameworks to facilitate prosecution of cybercriminals, who rarely operate solely within the physical boundaries of United States.
We should pursue negotiations with foreign governments who have been known to conduct cyberattacks, as the Obama administration has done to discourage China hacking, but it would be naïve to believe these countries will abide by such agreements unless we are willing to impose meaningful consequences. (Indeed, public reporting already suggests that Chinese industrial espionage has continued in spite of this recent agreement.)
Effective cybersecurity is essential for our national and economic security. The next president will have to marshal public and private capabilities to ensure our critical infrastructure, networks, and communications are defensible and defended. In my administration, this will be a strategic priority, not a talking point. We will maintain our technological edge and return to a position of unparalleled leadership in the world.