A Three-Pronged Strategy for Cybersecurity

The United States is at war. Virtually unchecked for years now, our adversaries have been stealing our intellectual property and disrupting American commerce and our democratic way of life. This war is being waged primarily on our nation’s critical infrastructure, mainly the energy sector, telecommunication networks and financial systems. Eighty-seven percent of critical infrastructure in the United States is owned and operated by the private sector, making collaboration between the private sector and the government imperative. Collectively, we must reimagine U.S. national security doctrine for this new digital reality.

The layered cyber deterrence approach outlined in the recently released Cyberspace Solarium Commission report, which I co-authored, offers a practical roadmap to protect, prepare, hold accountable and respond to existential cyber threats. We propose a three-pronged strategy for success—reshape behavior on the battlefield, impose costs on our adversaries and deny benefits to our enemies.

Currently, there exist no internationally accepted principles of escalation and de-escalation in cyberspace. The first step in reshaping behavior on this battlefield is to define state accepted behaviors in cyberspace, to include clear consequences for behaviors that are not acceptable. Then we need to communicate these behaviors to not only our friends but also our adversaries.

Our next imperative is to impose real costs on our adversaries who attack us. Every day, American companies like Southern Company face millions of cyber attacks, including from nation-state adversaries. With the full support of the private sector, the federal government must advance a strategy to “defend forward” and maintain an offensive posture in cyberspace through regular, persistent engagement with friends and foes alike. This engagement must include the full weight of the federal government—the Department of Defense, FBI, Secret Service, and the Intelligence Community—to allow for rapid and effective responses to attacks.

The third strategic prong is to deny benefits to our enemies. We do this by strengthening critical infrastructure’s ability to maintain continuity and be resilient against a cyber attack. We must also take steps to reshape the cyber ecosystem – the people, processes, technology and data that make up cyberspace – towards greater security. Finally, we must create a true joint effort between private industry and government. This means moving beyond information sharing towards common access to actionable intelligence, collaborative analysis, joint planning and joint action. It also means clearly identifying the most systemically important critical infrastructure and bringing to bear the full resources of the U.S. government in supporting and defending them from nation-state attacks.

The cost of inaction is too great. The public and private sectors are true partners in this effort, and we must move forward in better harmony. I am confident the Cyberspace Solarium Commission’s report and recommendations will help us do that.

Tom Fanning, Chairman, President and CEO, Southern Company