January 3, 2022

By Larry Clinton, President and CEO, Internet Security Alliance

I have to say I’m disappointed the language requiring more stringent timelines for reporting cyber events to the government didn’t make it into the National Defense Authorization Act (NDAA). I’m not disappointed because I have strong feelings one way or another about that provision – to be honest, I doubt any version of it – or the lack of it – will make any appreciable difference in our nation’s security. I’m disappointed because it probably means we are going to spend excessive amounts of time on this “issue” and not nearly enough time discussing what really matters in making the desperately needed improvements to our cybersecurity. 

In 2022 let’s resolve to give proper, proportional attention to things that really matter in cybersecurity and a little less to the quick “fix” pass-the-buck “solutions” that seem to dominate the public policy debate.

Specifically, I’m thinking we need to spend much more time on things like exactly how we intend to match China’s multi-trillion dollar (and very successful) Digital Silk Road initiative. Or how we are going to address the vast imbalance in economic incentives, which massively favor the attackers over the defenders and are the core motivation for cyber-attacks. Or how we are going to make it practical for private industry to take on and finance the national security obligation of defending the country from nation-state attacks. Or what we need to do to really fill the cyber workforce gap that has existed – and steadily gotten worse – for decades.

As a New Year’s resolution, perhaps we — and I mean industry and government together – need to acknowledge that the overall approach to security is inadequate. Implied in this resolution is that the so-called partnership model is failing. Of course, it’s not that the partnership model is wrong — I very much believe it’s the right model. The problem is that the “partnership” in many instances is misunderstood and, in many cases, only rhetorical. The partnership desperately needs to be expanded and matured. To begin with, we need to stop thinking of things in terms of government and industry with separate solutions for each. The reality is that the bad guys are attacking all of us – consumers, government, and industry – so we are actually all on the same side, but we rarely act that way. We shouldn’t even be talking in terms of government and industry. We should be thinking of the attacking community vs. the defender community, as if we were partners in the same endeavor, which we are.

As Dick Clarke and Bob Knake pointed out in The Fifth Domain, we basically haven’t changed our cybersecurity strategy since the Clinton Administration. That’s a long time ago. In the interim, our adversaries have been pretty busy. We need something that is the equivalent in effort and sophistication to what our adversaries are doing — the rough equivalent of China’s Digital Silk Road initiative — because that’s the kind of thing we are up against. Instead, we spend most of our time on tactical issues like information sharing, standards development, and reporting requirements. These tactics, while important, are not going to get it done against the far more strategic and integrated offensive strategies we are up against.

As we move into a new year, why don’t we try to seize the narrative and collectively come up with a program that is focused on actually improving security? Despite the common wisdom that we can’t move anything significant through Congress, I think we could come up with a substantive and strategic – not tactical – program that could actually move the needle in terms of our collective security.

I’d suggest four pillars I think most if not all of us could support.

1. A MAJOR cybersecurity workforce development program. I mean big. Presidential National goal stuff. None of us — government or industry — will ever be able to effectively address the cybersecurity problem until we have enough trained people to do it, and we are hundreds of thousands of people short — and that number keeps growing — some already say the shortfall is in the millions. Let’s go with big ideas — like free tuition for all cybersecurity majors, a virtual Cybersecurity Service Academy, and special funding to develop programs at the elementary, high school, and university levels for women and minority communities (our field is uniquely deficient in these regards).

2. Improved cybersecurity law enforcement. According to the World Economic Forum, cybercrime is a 2.2 TRILLION dollar a year business — that’s how they fund the R&D to come up with the sophisticated attacks. The FBI’s budget to fight cybercrime — about 500 MILLION. Our law enforcement structures have never been adapted to the digital age. No one really knows “who do you call?” — the Secret Service, FBI, local law enforcement, and the military are all engaged in turf battles over budget and responsibility, and the international picture for cybercrime law enforcement is even worse. There are tons to do — and no one is doing it. Even setting up a Commission to identify the problem and come up with a solution would be a major step – and, as with the education issue, this problem has been around for literally decades. As far as I know, the Judiciary Committees — which have jurisdiction — have never even had a hearing on this.

3. Regulatory Review. Talk about making a bad problem worse. Cybersecurity regulation doesn’t work because the traditional regulatory model is incompatible with the problem. The healthcare industry has been regulated for cybersecurity for two decades, and it is one of the absolute worst sectors for actual security. Yet some seem intent on expanding this failed system — which actually HARMS cybersecurity efforts. GAO reported last year that duplicative federal cyber regulations of states and localities force them to misuse up to 70% of their cybersecurity budgets – no wonder they have massive ransomware issues. There are similar studies on the private sector side. There are alternative models, such as — for regulated industries — mandating sophisticated cyber risk assessment tied to modern risk assessment techniques such as FAIR or X-Analytics that put cyber-risk on an economic basis, or incentive programs for industries that are facing nation-state cyber threats which their traditional economic model can’t sustain. This is where the “regulatory debate” ought to be, not in expanding the endless compliance checklists — none of which have been proven to actually enhance security.

4. Access our nation’s best minds to design a better approach to addressing risk in the digital age. The fact is the digital age just kind of happened to all of us — it really wasn’t planned for, and security was not even really considered when the digital platforms we now all rely on were designed. Oliver Hart, who won the 2016 Nobel Prize in Economics, recently proposed the development of an economics-based cybersecurity model that would address issues like ransomware, small-business cybersecurity, and how to finance the security of critical infrastructures against nation-state attacks. Industry and government ought to jointly fund that project (not really very expensive if we share) and also jointly assess how to implement its findings.

I’m sure there are some who are reading this who are already saying, “I see this problem with that idea and these problems with implementing those.” Fine, I’m saying let’s debate these ideas instead of what we mostly have been talking about.

Let’s change the narrative. Let’s be pro-security. Let’s be the good guys trying to solve the nation’s problems in true partnership with our government – which is actually how things should be.