In a new book, Janet Napolitano, the former head of the Department of Homeland Security, says it is “impossible to overstate the urgency of improving our country's cybersecurity.” She says we're vulnerable all over the place, from critical infrastructure like utilities and 911 dispatch systems to our elections and our personal data. But there are lots of federal agencies in charge of it, and they have to work with lots of private companies to address it.
Host Molly Wood spoke with Napolitano about her new book “How Safe Are We? Homeland Security Since 9/11.” She asked her what she wishes her agency had done differently. The following is an edited transcript of their conversation.
Janet Napolitano: I think one key gap was our inability to have formulated national cybersecurity standards that were mandatory, not voluntary.
Molly Wood: Do you mean mandatory standards for companies?
Napolitano: For those that own and operate critical infrastructure. And because of that [failure] we've really outsourced to the private sector a key area of what is involved in our national security. It's the only area of national security where we've left it primarily in private hands. I'm concerned that that just does not go far enough.
Wood: You mention possibly incentivizing the private sector to invest more in its own security infrastructure, maybe through tax credits and a federal insurance program. But do you think it needs to be combined with some higher standards and regulations?
Napolitano: I think ideally so, but in the absence of mandatory government regulation, which is always tricky to accomplish, I think we could do more to incentivize the private sector through tax credits, through the ability to buy into basically a federal government insurance program that, if they met certain standards, would cover excess losses that were attributable to a cyberattack. Those kinds of tactics have worked in other areas, and I see no reason why they wouldn't work here.
Wood: Is anybody doing this right? Is there a country that you can point to as really doing a good job in cybersecurity attack prevention?
Napolitano: Not yet, and that's why I think there is a role here to be played by the community of nations coming together. They can do so through their security agencies. They can try to bring together their major companies, their major utility operators and owners and the like. But to create some kind of international understanding, some kind of a global treaty on cyber would be a place to start.
Related links: more insight from Molly Wood
Janet Napolitano said that a government insurance program could be one possibility for incentivizing companies to improve their security. The New York Times had an amazing story Monday about hacking and insurance that's sort of the opposite kind of cautionary tale. It's about how, since 2017, some private insurance companies have been using something called a war exclusion clause to deny insurance claims from companies that are hit by big cyberattacks.
Snack foods company Mondelez was hit by a cyberattack in 2017 called NotPetya that U.S. officials said originated in Russia. Its insurance company refused to pay almost $100 million in damages. Mondelez has sued. Pharmaceutical giant Merck sued its insurance company after the NotPetya cyberstrike cost it nearly $700 million in damages. The insurance companies said Merck and Mondelez were the victims of a cyberwar.
The court cases are still playing out, but I think you'd have a hard time finding a cybersecurity expert who would say that we are not, in fact, in a cyberwar. A piece in the military news magazine Breaking Defense from earlier this month cites Army and National Security Agency officials saying exactly that. The headline reads: Wake up, Washington.
So far only one person in the crowded field of 2020 presidential candidates has made cybersecurity a top concern. Former Maryland Rep. John Delaney proposed an independent agency to tackle it.