US must shift cybersecurity burdens to those most capable | Opinion

Former R.I. Congressman Jim Langevin served in the U.S. House of Representatives from 2001-2023. He is now the distinguished chair for the Institute for Cybersecurity & Emerging Technologies at Rhode Island College and is also a strategic adviser at the Paladin Capital Group.

The Biden/Harris administration released its landmark National Cybersecurity Strategy a year ago to put our nation on a path to achieve a safe and secure digital ecosystem. One of the fundamental shifts listed in the strategy is a call to “rebalance the responsibility to defend cyberspace” away from individuals and onto organizations that are most capable of responding. I truly believe this pillar must be realized, and I implore my former colleagues in Congress to take this issue seriously.

As the co-founder and former co-chair of the House Cybersecurity Caucus, I’ve always considered cybersecurity a top issue of our time. However, it’s been a small band of us who have long cared about these critical issues. That’s why I’m glad to see this administration give this issue the attention it deserves with the strategy’s publication.

While the National Cybersecurity Strategy is an excellent start, I still think we can do more to prevent high-level cyber breaches, ensure companies acknowledge shortcomings, and take accountability when a hack does happen. Several high-profile breaches have generated outrage momentarily but then faded to the background of public discourse. For example, Russian actors penetrated federal organizations in the well-known hack now called SolarWinds – but that outrage was just a flash in the pan.

Additionally, last summer, Microsoft confirmed that a Chinese actor was able to breach its systems in a sophisticated attack that left the private information of high-ranking U.S. government officials exposed. Last month, a government review board of cybersecurity experts released the scathing findings of its report on the incident, detailing how Microsoft could have done much more to be transparent about missteps and protect sensitive national security data. But again, another flurry of anger ensued, and the shock has worn off without much follow-up.

Right after the summer blitz that left U.S. government officials' email exchanges exposed, an expensive ransomware attack also hit several casinos and hotels in Las Vegas, requiring those vendors to revert to manual systems for days, impacting tourists and employees alike. Yet, who was left picking up the pieces from these hacks and others? Namely individuals and small businesses, not the software companies that created the vulnerabilities in the first place.

It's frustrating that large companies with the means to take responsibility for these attacks often flip the script to blame the user. When a car’s brakes malfunction, the driver is not responsible – it’s the manufacturer that is held responsible. Cyberattacks should be treated no differently, yet they continue to financially burden Americans and small businesses around the country.

As our world becomes ever more digitized and connected, our elected officials need to view cybersecurity as a top priority and lean into the pillars of the National Cybersecurity Strategy. Solutions that shift the responsibility will ease Americans’ fear of bank information theft and comfort senior government officials that their private information is secure.

My former congressional colleagues must take a hard look at how much damage recent hacks have caused not only for our citizens but also for our national security. In this year alone, Microsoft revealed that Russian state actors breached the email accounts of senior company executives, and they still haven’t evicted them from their systems. Additionally, recent reporting states that we still don’t know the extent of damage from the Chinese hacking group Volt Typhoon that targeted a widespread swath of our nation’s critical infrastructure.

With so much at stake this year, Congress must heed the words in the National Cybersecurity Strategy by shifting the burden of responsibility onto the stakeholders most capable of taking action to prevent bad outcomes, not the end users who often bear the negative consequences. Let's not wait for another SolarWinds-style attack before implementing smart policies. Let's make real changes now.

This article originally appeared on The Providence Journal: Several high-profile breaches have generated outrage momentarily but then faded to the background of public discourse.