by Larry Clinton
In Chicago this week the National Association of Corporate Directors (NACD) will host the first in a series of nationwide events on the economics of cybersecurity.
The courses start with a brief discussion of the now well-known existence of cyber-attacks on enterprises. However, they quickly move beyond the problem and instruct board members in why traditional methods of cyber-risk assessment are inadequate – and possibly counterproductive. The courses then highlight the emergence of modern methods to assess cyber risk in quantitative economic terms, which will enable more efficient and effective cyber budgeting and security efforts.
This is the difference between cybersecurity awareness programs and cybersecurity education programs. As we near the end of the second decade of the 21st century, our problem is not so much that we are unaware of the cyber threat, it’s that we generally don’t understand it.
The existence of these courses, and the fact that so many individuals who sit on corporate boards are signing up to take them, illustrates the growing appreciation at the board level of the need to understand the intricacies of how digitalization has changed the face and operations of enterprises. Moreover, it demonstrates that board members realize that in order for them to meet their responsibility of developing the strategies required to keep their organization functioning and meeting their core objectives they need to develop a sophisticated understanding of not just the technology of the 21st century but the interaction of that technology with overall economic imperatives.
Question: If members of corporate boards can find the time to educate themselves on the nuances of the cyber threat and modern methods to assess and address it, why can’t the government equivalent of board members – members of Congress and agency heads (not the tech guys) – do the same?
We need no evidence beyond the embarrassing recent Senate Facebook hearing to see the need for cyber understanding training in our government. At that hearing our most senior legislators – the ones officially charged with overseeing this issue – betrayed a fundamental ignorance of how the digital economy works, much less any idea as to how to address the public issues it has generated.
Due to the lack of understanding of the cyber issue, when we do hear from legislators, we typically get vague and simplistic calls for “accountability” and regulation, virtually none of which appreciates the economic interactions that are necessary to make a digital public policy effective. Given this state of knowledge, we are probably lucky they haven’t done more.
But, the need to develop a solid understanding of the economics of the digital world is something our policymakers need to address. The public policy issues at stake are far more serious than the privacy issues – which are serious enough – that were the focus of that Senate hearing.
For example, there is much hand-wringing around the beltway this season about the Chinese and Huawei. That hand-wringing is well deserved. The Huawei/Chinese government threat is real and serious.
This threat is also a product of the fact that the Chinese government understands the economics of digitalization, and they developed a strategic plan to use it. Years ago, the Chinese launched a strategy to subsidize their technology and use these subsidies to win contracts placing their tech in communications systems throughout the world. Essentially, they launched a digital Marshall Plan. As a result, they have now honeycombed communication systems throughout Asia, Africa, Latin America, and Europe with their technology, which could provide them a potentially impregnable digital beachhead in the cyber competition/conflict that will likely emerge in the coming years.
My fear is that the current U.S. efforts to unplug Huawei from the rest of the world’s systems may be a day late and a dollar short. But the main point is we are in this fix in large part because they understood the economics of digitalization and developed a strategy to use it, and we largely have not.
At the board level, the NACD is teaching their members about the economics of cybersecurity and how to use that knowledge to develop strategies to protect their organizations. Where is Congress?