Defining Success and Mapping the Road Ahead for Public-Private Partnership and Critical Infrastructure Cybersecurity

February 4, 2021

MIT Political Science

The recent discovery of the SolarWinds cyber-attack offers yet another example of the significant cyber risk America’s critical infrastructure faces.1 In particular, it raises questions about US cybersecurity policy for critical infrastructure, a policy that is founded on voluntary partnership between government and industry. Despite the policy's importance, however, the government has yet to clearly articulate in strategic terms what it aims to achieve.

Defining what “success” looks like can guide the massive public and private efforts in this approach. In the absence of such a definition, the result has been a policy patchwork, pieced together over time in response to newly discovered vulnerabilities and threats like those of the SolarWinds incident. Strategic direction is essential to get ahead of dynamic security challenges, and it appears to be lacking in an area critical to the nation.

For Tony Sager, a former National Security Agency Information Assurance leader who now runs the Center for Internet Security’s global cybersecurity best practices initiative, “success” is a more mature approach to critical infrastructure cybersecurity.