As the recent Log4J fiasco has put into stark relief, much of the cybersecurity risk in a large organization comes from the pervasiveness of visible and invisible technical debt and the prevalence of unmaintainable legacy systems across the enterprise. There is an incentives mismatch for technical and business decision-makers within large enterprises and infrastructure firms. Mitigating technical debt, migrating legacy systems, and upgrading security posture are often complex, expensive and unglamorous compared to competing initiatives such as omnichannel, AI, RPA, CX, DX, and other neologisms birthed in the murky bog of “digital transformation”.
A recent Foreign Affairs article rightly calls out the “decades-old tendency among the large and sophisticated actors who design, construct, and operate digital systems to devolve the cost and difficulty of risk mitigation onto users who often lack the resources and expertise to address them” and the often calamitous “tendency to charge isolated individuals, small businesses, and local governments with shouldering absurd levels of risk” [1].
Given “a world where clicking the wrong link or neglecting a single software patch can result in a geopolitical incident,” Inglis and Krejsa call for a new Cyber Social Contract wherein government becomes both a close regulator of and an active partner in securing the economy, providing both critical information and oversight to enable and incentivize the radical transformations necessary in critical infrastructure and enterprise firms. They recall historical precedents for revolutionary public-private partnerships such as those pioneered by the NTSB, FAA, NHTSA, and FDA. They point out the now integral role these agencies play in driving forward industry innovation while securing the public good, and posit how cyber-aligned agencies such as CISA and the ONCD could expand and transform their roles to achieve these objectives [1].
It’s been demonstrated time and again that organizations, large enterprises and startups alike, have been spectacularly bad at estimating and mitigating the downside costs of rare catastrophic events in the technology space. For infrastructure deemed critical to national and international functioning, perhaps this new cyber social contract, with its models for vigorous oversight and active public-private partnerships, can provide vital incentive, oversight and engagement that drives proactive mitigation of vulnerabilities and accelerates the pace of technology modernization.