The lead story in today’s New York Times on the investigation into the January 6 attack on the U.S. Capitol reports that yesterday’s Senate hearing “also showed that the overlapping jurisdiction of the Capitol Police, District of Columbia government and other agencies created utter confusion that hindered attempts to stop the assault.”
CrowdStrike just posted their latest research on cybercrime and found that intrusions threatening organizations’ cybersecurity across the globe grew – not 25 percent – but 400 percent in 2019 and 2020 combined. Nearly four out of five of those compromises in 2020 stemmed from cybercriminals, and attacks are unlikely to let up in 2021.
We are all in this together” has become one of the major narratives of the COVID era. The notion is that the virus can attack anyone of us – we are all essentially targets — and by protecting ourselves we are also protecting our friends and neighbors.
The classic TV Drama Dragnet was famous for Lieutenant Joe Friday’s straight forward instruction to witnesses “Just the facts Ma’am. So, let’s look at the facts with respect to cybercrime. The World Health Organization (WEF) currently estimates cybercrime as having revenues over $2 Trillion dollars a year.
The old model simply doesn’t work. All this analysis is not to impugn the policy makers who created, or more precisely attempted to adapt it, to the cyber environment. Faced with the quickening apparent threat from cyber-attacks policy makers naturally went to their ‘go-to” option using the independent agency model designed to address the hot technology of the 19th century – railroads. It was pretty much all they had.
In previous posts we have documented that independent research shows that even the most highly regulated industries for cybersecurity such as health care and financial services are not achieving adequate levels of cybersecurity, and in fact don’t score better on security effectiveness than less regulated sectors like IT and professional services. We have also documented that even the highly regulated federal government sector scores poorly with respect to cybersecurity effectiveness.
As we all know in addition to massive death and social destruction the pandemic has also brought economic collapse on many dimensions. Our economy, like just about everything else, is ultimately reliant on cyber systems. If the purpose of the legislation on the Senate floor is COVID relief then that needs to include making sure our economy recovers and our economy cannot recover unless the core systems of the economy – which in the 21st century are cyber – also recovers.
The foundational assumption of the expert agency regulatory model is that government knows what to do; all that is needed is to compel a recalcitrant private sector to follow government mandates. There is no evidence that government has attained that degree of expertise in cybersecurity. In fact, the data suggest the opposite.
Today The World Economic Forum, in collaboration with the National Association of Corporate Directors the Internet Security Alliance and PWC is today publishing a new set of principles for boards of directors to follow in exercising their duty of cyber risk oversight. While a number of these principles will be familiar to those who have followed the ISA/NACD work one important additional principle has been added.
A major reason why we are not making progress in securing cyberspace – and we are in fact losing ground rapidly– is that for the most part we have mis-analyzed the issue as a case of traditional corporate malfeasance.