February 8, 2023

Last week, Foreign Affairs magazine published an article written by CISA Director Jen Easterly and Assistant Director Eric Goldstein entitled “Why Companies Must Build Security into Products.” The central thesis of their article is that we need a “new model” for cybersecurity because what we have been doing isn’t working. This is precisely the message that ISA, and many of us in industry, have been promoting for the past few years. It is clear that we, government and much of industry, need to re-think cybersecurity and, more importantly, go about Fixing American Cybersecurity (a book by the same name, available now on Amazon. OK, shameless plug.)

Easterly and Goldstein make several important observations in their article and suggest how these may offer a more productive path than we have taken previously.

First, Easterly and Goldstein point out that “over the past decade adversaries of the United States have developed increasingly sophisticated offensive cyber capabilities” and that “the incentives for developing and selling technology have eclipsed safety in importance.”

This is a key insight that needs to inform cyber policy as it never has historically. Attack methods that were considered advanced a decade ago are now relatively commonplace, and the existing incentive structure is not adequate to the problem, hence the need for a new model. Easterly and Goldstein, with limited space in Foreign Affairs, focus on one key aspect, the need to better incentivize producers in product development, but that is only one aspect of the problem. As they also point out, “what the United States faces is less a cyber problem than a broader technology and culture” problem and, I would add, an economics problem.

The broader problem is that the economic incentives of the digital age all favor the attackers. Attack methods are comparatively cheap and easy to acquire, the cost of entry into cyber-crime is incredibly low, and the rewards are enormous, literally trillions of dollars on an annual basis, while there is virtually no law enforcement: we prosecute less than 1% of cyber criminals. The result of this evolution, as Easterly and Goldstein point out, is that “the cybersecurity burden falls disproportionately on consumers and small organizations which are often least aware of the cyber threat and least capable of protecting themselves.”

A second key insight is that we need to re-think how we conceptualize, and therefore address, the cyber issue. One of the main reasons that we have made little or no progress in cybersecurity (in point of fact, things are only getting worse) is that, for the most part, the issue has been thought of in too narrow a context, as essentially an “IT” issue, and its management relegated to the IT department.

Obviously, IT is a critical element of the cyber issue, but it is not the entirety of the issue. At one point, Easterly and Goldstein compare cybersecurity to automotive safety, which calls to mind the longstanding observation in that community that the most vulnerable part of an automobile has always been “the nut behind the wheel,” that is, people. The same is true in cyber, making human resource management a critical, and non-IT-centric, element of cyber risk management. The same can be said of supply chain management or managing reputational risk, which is more the province of legal, strategic relations, and PR people. The point is that we need to grow our understanding of the cybersecurity problem as not simply a technical issue but an enterprise-wide risk management issue. As Easterly and Goldstein put it, “under this new model cybersecurity would ultimately be the responsibility of every CEO and every board.”

This is one space where the private sector seems to be well ahead of our government partners. For nearly a decade, leading corporations have been moving away from the IT-centric management of cybersecurity to an enterprise-wide model with direct and growing involvement from the most senior levels of the organization, including the board of directors.

Conversely, virtually all government programs dealing with cyber issues are intensely tech-centered. In the last ten years, board organizations around the world have published handbooks on cyber risk oversight for directors. There is no similar document for government leaders. Here in the US, the National Association of Corporate Directors has been running cyber risk oversight training for board members for many years. There is no similar training program for Cabinet members, agency heads, or Members of Congress, the government equivalent of the corporate board. This may explain why, notwithstanding Easterly and Goldstein’s perceptive commentary, most government leaders still conceive of cybersecurity in primarily, if not totally, IT terms, which may also explain why these programs have no documented evidence of success.

A final key point raised in the Easterly-Goldstein article relates to the wisdom of elevating cybersecurity discussions to the board. Anyone who has been to a board meeting and heard a discussion of risk, be it financial, geo-political, or environmental, sees that the board is intensely focused on the numbers. Again, returning to their automotive analogy, Easterly and Goldstein note, “The readily apparent safety issues with cars also led to a simple solution: government action to compel adoption of specific security measures with proven better outcomes” (italics added).

I think it’s fair to assume that securing our critical infrastructure from the sophisticated attacks Easterly and Goldstein identify in their article is not going to be as simple as buckling a seat belt, but the key term here is “proven better outcomes.” When making risk-based decisions, boards of directors want to know the metrics. Will the interventions that have been proposed work? Are they cost-effective or cost-prohibitive? These are the real-world issues we need to address if we are going to talk about enhancing cybersecurity through government action.

Unfortunately, there is virtually no evidence that existing government regulation of cybersecurity works, let alone that it is cost-effective. On the other hand, the principles and toolkits embedded in the Cyber Risk Handbooks alluded to above have been independently assessed and produce proven better outcomes. An independent evaluation from PwC noted that organizations that use these handbooks have better cyber risk management, closer alignment of cybersecurity with business goals, and develop a culture of security. In November of 2022, the World Economic Forum published research from MIT that found that “organizations that use the consensus principles can significantly improve their cyber resilience without raising costs” and that “the CEO who follows the principles is predicted to have 85% fewer incidents.” Should Congress or the SEC choose to incentivize better cyber risk oversight and management, they would do well to stick to these proven techniques rather than digging deeper into technical mandates.
