Part of the problem in creating a cybersecurity strategy lies in the lack of accountability in government leadership. When a cyberattack happens in the private sector, the consequences are immediate. Target chief executive Gregg Steinhafel was fired last year after a credit card breach that affected more than 40 million customers, and lower-level employees at other companies have lost their jobs over other cyber breaches. The private sector is not afraid to hold its leaders accountable for cyber failures. As congressional hearings have clearly demonstrated, however, such a culture doesn’t exist in the federal government. It was three months after the breach was discovered and five long weeks of intense public criticism before OPM Director Katherine Archuleta finally resigned.
There is another consideration beyond simple accountability. The president needs to do the heavy work of implementing a strategy that includes deterrence. Bullies don’t pick on those who are willing to fight back; similarly, we need to offer a credible deterrent to our adversaries. As Adm. Michael Rogers, head of the National Security Agency and U.S. Cyber Command, testified at a recent Senate Armed Services hearing: “In the end, a purely defensive, reactive strategy will be both late to need and incredibly resource-intense.”