Suppose we were prescient. Suppose the United States could look down the road, identify serious threats to our security and well being and take actions to avoid tragedy and destruction.
Something in human nature makes us more likely, as individuals and as a nation, to recover from a disaster than to prevent one.
After a heart attack, we take steps to get healthy. After World War I, the League of Nations aimed to resolve nation-state conflicts to forestall war. After World War II, we created the International Monetary Fund and World Bank to restore monetary, financial and commercial stability. The Marshall Plan, the United Nations and NATO were also part of our push to avoid another world war.
Given that human nature remains inherently aggressive and defensive, and since both national and collective security require anticipation, what should we prepare for today rather than recover from tomorrow?
The answer is starting us in the face. A cyber attack.
“Cyber” – including all the instruments of our digital age – poses unprecedented dangers to societies dependent on critical infrastructure for survival. And that means us. Drinking water, electricity, transportation, the management of financial institutions, hospitals and public security are examples of such dependence.
We know that a cyber attack on our public utilities or major information systems could bring our state or even the country to its knees.
We know that devastating acts are possible. We know that people and nation-states around the world, who are orders of magnitude weaker than the U.S. in conventional terms, possess the prowess and tools to wage asymmetric warfare against us.
We know cyber vulnerability permeates our society. We know effective defense cannot be left to the federal government, clever anti-virus software or a battalion of chief information officers. It requires cultural change, new habits and cyber hygiene as a way of life. Education is at the heart of the solution. Businesses, civic organizations, law enforcement, security experts and individuals are all players.
What’s more, we know the enemy is at the gates, trolling and penetrating our systems every day.
Because we know all this, Connecticut has created a cybersecurity strategy with seven principles adaptable to any person or group – executive leadership, literacy, preparation, response, recovery, communication and verification. Our goal is to infuse our state with a culture of cybersecurity, not only because it is a necessary, patriotic duty to strengthen our national security, but also to bolster our own communities, give our businesses a competitive edge and guard against the potentially crippling consequences of compromise.
Of course, a grim but necessary corollary to prevention, also addressed in the Connecticut strategy, is thorough, effective response.
We must operate under the assumption that there will be a cyber attack on U.S. infrastructure, taxing our emergency management capabilities and our resilience, triggering fears and disruptions we have not previously experienced. All who manage emergencies, report and convey the news and live and work in our state need to understand the threats and rehearse response management.
In New England, experience has strengthened our ability to deal with hurricanes and ice storms. We know that cyber dangers exist, and we call for preparation. Shame on us if we wait for a cyber version of September 11 to confront modern digital threats.
Our cybersecurity strategy will be followed by realistic action plans addressing both prevention and recovery. In times of disaster, individuals and institutions must become a community, and communities need plans and priorities to speed recovery. We must also come together as a community to keep disaster at bay.
Being prescient means acknowledging that terrible things can happen to us in a connected, global world. Here in Connecticut, we accept the fact that collective, thorough defense is more than a good idea; it is a survival skill. For the sake of our families and communities we intend to shake off complacency and do our part to plant victory gardens of cyber defense in every home, business and organization.
Connecticut’s strategic plan is an initial step on a road we must travel. Its success will be measured by the breadth and depth of its acceptance by Connecticut’s citizens. We do not have to wait for disaster to become a nation stronger, more resilient and more able to recover from clear and present dangers.
Arthur H. House is Connecticut’s Chief Cybersecurity Risk Officer.