The Need for a Joint Effort Between Government and the Private Sector
In recent years, an increasing number of sophisticated cyberattacks—including ransomware and nation-state attacks—have targeted businesses, government agencies, schools, hospitals, non-profits, and others.
The complex challenge of strengthening cybersecurity and deterring attacks requires a coordinated, multi-pronged response from governments and the private sector. No single company or government can stop attacks, but a coordinated effort, including implementing best practices and policies worldwide and within our borders, can help stem the tide.
The Role of the Federal Government
Every federal agency has a role to play in securing our cyber ecosystem, whether through improving its own cybersecurity, driving increased cyber hygiene practices across organizations, or identifying and neutralizing cyber attackers. In 2021, John Christopher Inglis was confirmed as the nation’s first National Cyber Director (NCD), and his office will lead the country’s strategic efforts to align and strengthen cybersecurity roles and responsibilities throughout the federal government.
The NCD will work closely with the White House, the Cybersecurity and Infrastructure Security Agency (CISA), other agencies, and the private sector to improve coordinated cybersecurity efforts. CISA serves as the lead agency for protecting and defending federal civilian networks and performs an increasingly important coordinating function between the public and private sectors, identifying and disseminating actionable threat information to enhance the nation’s cybersecurity.
Congress has a critical role to play as well—both in creating policies and investing in cybersecurity programs. The Infrastructure Investment and Jobs Act (IIJA, also known as the infrastructure bill), signed into law on November 15, 2021, provides substantial cybersecurity investments, including funding to help strengthen the cybersecurity of utilities and state and local governments.
In 2022, Congress is expected to consider adopting additional cybersecurity policies, including:
- Requiring Cyber Incident Reporting—A bipartisan group of Congress members has proposed requiring critical infrastructure private sector entities to report certain cyber incidents to the U.S. government. Such a law will be most effective when it is focused on reporting a confirmed cyber incident to mobilize response and mitigate impact, as opposed to penalizing businesses or creating new liabilities.
- Designating and Protecting Systemically Important Critical Infrastructure (SICI)—To strengthen cybersecurity for national security reasons, some members of Congress have proposed legislation to identify, designate, and secure Systemically Important Critical Infrastructure (SICI). The goal of this legislation would be to improve cybersecurity for critically important—and often vulnerable—national assets, such as energy infrastructure and key software.
- Requiring Ransomware Payment Reporting—Separate from a broader cyber incident reporting requirement (which would include ransomware attacks), Congress may debate legislation specifically focused on ransomware that would require certain ransomware victims to notify federal authorities of a ransomware payment and require certain steps to be taken prior to making a payment or risk losing liability protection.
Voices for Innovation will continue to monitor debates about cybersecurity legislation and highlight the best opportunities for our members to engage on this issue.
Cybercrime knows no borders. The most severe attacks on U.S. businesses, institutions, and government have come from nation-state actors and hacking groups located outside our borders. Our government as well as the tech sector must also engage at the global level to strengthen cybersecurity.
The U.S. government, as well as the European Union, recently joined the Paris Call for Trust and Security in Cyberspace, a global cybersecurity initiative. More than 1,200 private sector entities, international organizations, and governments have signed on to the Paris Call. The United Nations is also engaged on this issue, and many technology companies, including VFI partners, have signed on to the global Cybersecurity Tech Accord.
The Role of Tech and Microsoft Partners
The tech sector supports cybersecurity on several fronts, including by developing secure software and systems; monitoring and securely managing systems; and supporting the cybersecurity of customers. Cloud, enterprise, and platform technology companies, including Microsoft, have special responsibilities and capabilities, such as notifying customers of attacks, disrupting attacks and hostile infrastructure, and collaborating with government agencies.
Microsoft partners can support strengthened cybersecurity in several ways as well. In addition to following cybersecurity best practices, partners can advise their customers about the importance of maintaining cyber hygiene—and point them toward resources such as the “Actionable Insights” of Microsoft’s Digital Defense Report. Microsoft partners can also help mitigate the impact of attacks and help customers restore systems.
At appropriate moments during policy discussions, Voices for Innovation may also encourage partners to share their expertise and experience with policymakers. Partners have a unique perspective that can help policymakers better understand the threat landscape and impacts on small businesses.
Protecting People from Recent Cyberattacks – Tom Burt, Microsoft on the Issues
America Faces a Cybersecurity Skills Crisis – Brad Smith, Official Microsoft Blog
The Next Chapter of Cyber Diplomacy at the United Nations Beckons – Kaja Ciglic, Microsoft on the Issues