The Lawfare Podcast: Admiral Bob Day on Cybersecurity and Accountability

Last month, I attended a briefing given by members of the Virginia Cyber Commission hosted by the Northern Virginia Technology Council. I was impressed by what I heard. So we invited the Commission’s Executive Director, Rear Admiral Bob Day (USCG, Ret.) to come tell us more about the Commission’s work and the upcoming release of its report later this month. But first, some background on the Commission:

The Commission was created by Governor Terry McAuliffe by Executive Order Number Eight (2014), which was updated in February 2015. The Commission’s mandate is expansive, and ambitious. It aims to take on: securing Virginia’s government networks, systems and data; incorporating cybersecurity into state government emergency planning; improving citizens' cyber hygiene; developing a cybersecurity workforce; and improving economic development opportunities for cybersecurity business sector, particularly in relation to military facilities and defense industry present in Virginia. Accordingly, the commission is looking across sectors – government, corporate and academic – to foster an advanced cybersecurity-competent environment.

We asked Admiral Day how the Commission has initiated its work over the past year. He informed us about what the Commission has learned, not only from business owners, but also from everyday citizens, through the Town Hall meetings the Commission has held across the Commonwealth in recent months.

We also talked about the accountability issue, and how in the world it can still be the case that large organizations – whether in the private sector or government – are still struggling with whose job it is to be responsible for the cybersecurity of an organization. Who or what entity is accountable for proactive cybersecurity as well as for incident response has been the subject of some recent debate on Lawfare, as it relates to the OPM breach. So it is worth taking note of a specific step Virginia has already taken on this point, by passing legislation making it part of an agency head’s job description to take responsibility for the information security of their agency. Senate Bill 1121, which was signed into law this spring, added this to agency heads’ job description:

The director of every department in the executive branch of state government shall be responsible for securing the electronic data held by his department and shall comply with the requirements of the Commonwealth's information technology security and risk-management program[.]

But the federal government has the Federal Information Security Management Act (FISMA), too, which was supposed to make clear that agencies are responsible for their own information security. So what else needs to be done?

As Admiral Day describes, the Commission is tackling the “cybersecurity ecosystem,” which means that not only is it focused on economic development, but also on the education pipeline. Expect the Commission’s forthcoming report to contain recommendations about how to integrate cybersecurity workforce development at all levels, from K-12, to community colleges, to the university level. He shared a surprising statistic about how many (well-paying) jobs there are compared to how many qualified applicants available to fill those jobs. We’ll look to the Commission’s upcoming report to see how it proposes to close that gap.

Finally, we took on the confidence issue. Cybersecurity failures - not only in prevention (which will not be fail-safe), but in detection and handling – are reducing Americans’ confidence in industry, and in government. We'll see what governments and organizations at all levels, are doing to address that.