This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.
Four months ago, the 22 sponsors of the Internet Security Alliance (ISA) launched an online campaign suggesting the need for the United States to rethink our approach to securing our cyber infrastructure.
The theme seems to have growing resonance with both policymakers and the general cybersecurity community.
At the House Homeland Security Committee’s first hearing addressing the subject this year, the Chair of the House Cybersecurity and Infrastructure Protection Subcommittee, Yvette Clarke, noted that she, too, thought we needed to “rethink” our approach to cybersecurity.
At the House Appropriations Subcommittee on Homeland Security the following week, the Acting Director for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), Brian Wales, also opined that we needed to “rethink our approach to managing cybersecurity.”
The following week at the Senate Homeland Security Committee’s hearing on the SolarWinds attacks, the CISA Acting Director included the same terminology – we need to “re-think” cybersecurity.
While the notion of rethinking our approach to cybersecurity is taking hold in DC, it is also being reflected in the broader cybersecurity community. As of this point, 5,000 cybersecurity practitioners, thought leaders, policymakers, and educators have signed up as part of the ISA’s “Rethink Cybersecurity” campaign – a rate of over 1,000 per month.
The campaign is based on two premises: First, as pointed out by preeminent cyber experts Dick Clarke and Bob Knake in their 2019 book The Fifth Domain, U.S. cybersecurity policy has changed very little since the Clinton Administration.
Second, by virtually any objective measure, we are not succeeding in securing cyberspace. In fact, things are getting worse – much worse – in cyberspace daily (and maybe hourly).
Coinciding with a new Administration and Congress being installed, it is an opportune time for us to rethink our overall approach to cybersecurity and hopefully design a more effective strategy for the future.
For those just learning of the campaign, a brief recap: Over the past few weeks, we have analyzed the following aspects of our currently unsuccessful cyber policy:
- We have misanalyzed the issue by thinking of it in too narrow a context. Cybersecurity requires more than technical/operational tactics, yet we have done little beyond the technical and operational elements of the issue.
- The threat picture has changed dramatically since the Clinton Administration, particularly with respect to the geopolitical threats from nation-states and aligned criminals. China, for example, has developed a far more comprehensive and effective digital strategy, whereas the U.S. has nothing of comparable expanse and thoughtfulness.
- We have done very little to consider the systemic risk of cyber threats such as those illustrated by the SolarWinds catastrophe (our blogs on systemic risk preceded the SolarWinds revelations).
- The traditional regulatory structure used for industry-government relations is ill-suited to the dynamic nature of cyber threats. It has already proven to be ineffective in improving cybersecurity and likely hurts our collective efforts more than it helps.
(Posts detailing these arguments are available at ISAlliance.org – there are no fees to subscribe.)
From this point forward, the Rethink Cybersecurity campaign will turn from analyzing why our current approaches are not working to offering a series of policy proposals that would come from a rethinking.
Some of the proposals are longstanding policy positions consistent with ISA’s ideology that cybersecurity needs to be addressed not just with standards and information sharing – the mainstays of traditional American cyber policy – but also with greater attention to the economics that underlie the issue.
Examples of movement in this direction are the increased recognition of the need to vastly expand U.S. funding on cybersecurity and develop a system of market incentives to encourage greater systemic security.
In several cases, there is already movement in these directions. The recent COVID relief bill contained a substantial funding increase for CISA to address federal network upgrades. ISA not only supports this funding but endorses CISA’s assessment that this is just a down payment (which we conceive of as about 10 percent) of what is needed. Just this week, former CISA Director Chris Krebs essentially called for the federal government to provide block grants to states to help shore up their cybersecurity – another ISA-endorsed idea.
On the incentive side, this week the Information Technology Industry Council urged the Biden administration to establish a “robust” incentive structure to encourage U.S. investment in the semiconductor industry, as part of the White House’s supply chain agenda.
All of these are steps we see as moving along the right path and worthy of stepping up the pace.
However, a great deal more also needs to be done if the U.S. is to develop a sustainable system of cybersecurity adequate to manage the investments the attackers are making. The United States needs to create a much more fulsome digital strategy that includes cybersecurity as part of a broader digital transformation, fitting the demands of the information age and providing mechanisms that 20th century models (like traditional regulation) do not adequately address.
Ideas for these “rethought” policies will be the focus of this space from this point on.