Building Cybersecurity Resiliency for Government: Insights from Experts
Each year, the volume of cyberattacks and their impact reach new levels. The number of cyberattacks targeting governments increased 95% worldwide during the last half of 2022, compared to the same period in 2021, while the cost of public sector data breaches increased 7.25% between March 2021 and March 2022. High-profile attacks, including those involving the US Office of Personnel Management, SolarWinds and the Colonial Pipeline infrastructure, have demonstrated how closely cybersecurity is tied to business continuity and operational resilience. Recent reports have found that many organizations struggle with chronic shortages in cybersecurity capacity, resources, skills, and budget.
Meanwhile, reliance on connected devices and services is expanding attack surfaces and the associated vulnerabilities available for exploitation. Inconsistent protection, often stemming from a lack of user awareness about cyber risk management, has become a key variable opening organizations to compromise. Indeed, many traditional risk models are now obsolete, along with the existing relationships and longstanding assumptions that have guided cybersecurity decision-making.
New thinking and new approaches to cyber governance – for governments and their work with industry partners and the nations they serve – are required. Governments must act to bolster security capabilities, both for agencies and to protect critical infrastructure across the nation.
A new report released this week, Preparing Governments for Future Shocks: An action plan to build cyber resilience in a world of uncertainty, draws on insights from experts to frame actionable recommendations for governments in addressing this critical issue. The report was written by US Federal CIO Tony Scott, and published through the IBM Center for The Business of Government and the Institute for Business Value, in collaboration with partner organizations including the National Academy of Public Administration and Center for American Studies. These groups recently convened leaders and experts from the government, nonprofit, academic, and commercial sectors for a highly interactive, moderated discussion in Washington, DC and Rome, Italy. The sessions, titled "Preparing for Future Shocks: Actions to Build Cybersecurity Resilience", provided content to help governments and key stakeholders increase cybersecurity resilience for government and critical infrastructure. This content will assist in preparing for the inevitable impact of future cyber shocks to our communities and societies, especially in light of the increasing vulnerabilities posed by hybrid and distributed work.
The report summarizes many insights shared by the experts in these sessions, and draws on those insights to make recommendations for action in four areas.
- Increase the cyber talent resource base -- ensuring that governmental organizations can meet the cybersecurity staffing challenge will require a multi-pronged effort and new thinking to recruit talent from a wider population.
- Improve organizational collaboration for faster response -- increase collaboration and expedite information sharing to stay a step ahead of threat actors who can quickly adapt new technologies to penetrate networks and thwart countermeasures.
- Build cyber resilience to bolster democracy -- work together on new methods to defend against misinformation and disinformation campaigns that have the potential to sway public opinion and undermine democracy.
- Promote government-private sector partnerships -- ensure that governments and businesses address key cybersecurity priorities and consistently implement best practices for mutual benefit.
This report is the second in our year-long series of high-level meetings with leaders around actions that governments and stakeholders can take to address major shocks, which are only increasing in frequency and magnitude (see our first report that focused on emergency preparedness and response). Each topic in this series is the focus of advanced research, as well as high-level discussions that build on lessons learned and develop new frameworks for action. These learnings are then summarized in a report, which will be followed by a capstone report in Fall 2023. In addition to the emergency response and cybersecurity topics, future reports will address supply chain resiliency, sustainability, workforce skills, and international cooperation.
We hope that the cyber report, as well as the entire series, helps governments work together and across sectors as they prepare for and respond to future shocks.