Cyber Crisis: Who Rates The Providers?

America’s addiction to the Internet is proving to be a mixed blessing. Although every facet of commerce and culture has been energized by the coming of digital connectivity, the early adopters of emerging information tools include criminals and foreign spies. Trillions of dollars in intellectual property has been stolen, and the networks supporting our nation’s vital infrastructure — electric grids, financial institutions, healthcare facilities — are constantly being probed by intruders. Nobody really knows what enemies might do to impair those networks in a future conflict.

As I wrote that last line, an email appeared in my in-box from an address I didn’t recognize with the opening salutation, “Kindly view the attachment and get back to me.” I know that if I click on the email, it will try to download some sort of virus or other “malware” into my computer. So I won’t click on it. But this sort of thing is happening millions of times every hour across America, and is only the most obvious manifestation of a pervasive effort by foreign actors to subvert America’s information-age foundations. Separately and collectively, we are all at risk because our society is open, because it is wired to the Internet, and because we have more things worth stealing than any other nation.

The Obama Administration’s latest effort to deal with this new cold war is an Executive Order issued on February 12 to improve the cybersecurity of critical infrastructure. The order, coupled with a presidential directive, would facilitate information sharing about cyberthreats between government and industry, and develop a framework of standards and practices for dealing with the danger. It’s a crucial initiative that deserves the support of everyone who recognizes how serious the challenge has become to our security and economy from cyber operatives in places like China and Russia. We should not let excessive concern about privacy or regulation impede the protection of our networks, because the nation’s future is at stake.

In general, the Bush and Obama Administrations have done a good job of recognizing the danger and developing plans to address it. They could have acted a little faster, but working fast is not one of the federal government’s core features. The one area where almost nothing has been done is in developing metrics for rating the capability of companies that provide cybersecurity services. Cybersecurity is an infant industry with low barriers to entry. The field is full of players who were doing other things five years ago. There are few hard and fast metrics for sorting out reliable sources from charlatans. And without clear standards for assessing qualifications, the government’s default setting is usually to favor whoever offers to do work at the lowest price.

This is a recipe for disaster. The federal government now has enough experience with cybersecurity that it should be able to issue criteria for judging who can be a trusted provider of cyber services. Among the obvious questions that might be posed: How long has a prospective offeror been in the business? What range of relevant skills does it bring to the table? How mature is its organizational culture? What level of resources has it committed to cyber activities? What do its previous customers say about how well it performed? The issue here isn’t whether start-ups and cyber boutiques bring anything useful to the business. The issue is who has the experience and expertise to lead multi-year efforts that may determine whether our society can function the next time it goes to war. The best companies for that job won’t always be the lowest bidders.