Dear Members of the House and Senate Appropriations Committees: The Internet Security Alliance (ISA) is writing to the in support of using President’ Biden’s FY’2022

President Biden’s massive infrastructure proposal – dubbed infrastructure for the digital age – includes a wide variety of items not traditionally thought of as infrastructure such as home health care, as well as some items that are very much digital infrastructure such as $650 million for expanded broadband networks.

New Homeland Security Secretary Alejandro Mayorkas outlined his vision for cybersecurity at the Department of Homeland Security in a speech yesterday at Hampton College.

This post is a one in the “Rethink Cybersecurity” series. Additional posts in this series are available here Sadly, a quarter century after the cybersecurity

Although most of the ISA’s “Rethink Cybersecurity campaign” is targeted toward public policy, a rethinking at the corporate level is also required. This morning at

“We need to rethink our approach to managing cybersecurity,” said Cybersecurity and Infrastructure Security Agency (CISA) Acting Director Brandon Wales at a House Appropriations Homeland Security Subcommittee hearing last week last week.

Guest Blog: Robert Mayer USTelecom’s Senior Vice President of Cybersecurity & Innovation There can be no clearer evidence of the need for industry and government

As Commander-In-Chief, the President is the ultimate strategic player in defending the country. Merriam-Webster defines warfare as military operations between enemies, also:an activity undertaken by a political unit (such as a nation) to weaken or destroy another

As cyber-attacks, including from nation states, are accelerating and the lines delineating criminal activity from nation state activity grow increasingly blurry. As a result, greater engagement from the military is now called for

For the past two weeks we have been documenting the enormous costs, and total lack of effective action to address cyber-crime. Without repeating the staggering statistics, the evidence shows demonstrably that cyber criminals are getting filthy rich, their businesses expanding and innovating and there is virtually no chance that virtually any of the criminals are going to be held responsible.

International jurisdictional disputes often keep law enforcement from effectively operating. What may be legal in one country may not be legal in the U.S. and may be treated differently in a third country. In these instances where cybercriminals are at large internationally, countries require extradition agreements. The U.S. has many of these such agreements, but currently does not have them with China or Russia.

The lead story in today’s New York Times on the investigation into the January 6 attack on the U.S. Capitol reports that yesterday’s Senate hearing “also showed that the overlapping jurisdiction of the Capitol Police, District of Columbia government and other agencies created utter confusion that hindered attempts to stop the assault.”

CrowdStrike just posted their latest research on cybercrime and found that intrusions threatening organizations’ cybersecurity across the globe grew – not 25 percent – but 400 percent in 2019 and 2020 combined. Nearly four out of five of those compromises in 2020 stemmed from cybercriminals, and attacks are unlikely to let up in 2021.

We are all in this together” has become one of the major narratives of the COVID era. The notion is that the virus can attack anyone of us – we are all essentially targets — and by protecting ourselves we are also protecting our friends and neighbors.

The classic TV Drama Dragnet was famous for Lieutenant Joe Friday’s straight forward instruction to witnesses “Just the facts Ma’am. So, let’s look at the facts with respect to cybercrime. The World Health Organization (WEF) currently estimates cybercrime as having revenues over $2 Trillion dollars a year.

The old model simply doesn’t work. All this analysis is not to impugn the policy makers who created, or more precisely attempted to adapt it, to the cyber environment. Faced with the quickening apparent threat from cyber-attacks policy makers naturally went to their ‘go-to” option using the independent agency model designed to address the hot technology of the 19th century – railroads. It was pretty much all they had.

In previous posts we have documented that independent research shows that even the most highly regulated industries for cybersecurity such as health care and financial services are not achieving adequate levels of cybersecurity, and in fact don’t score better on security effectiveness than less regulated sectors like IT and professional services. We have also documented that even the highly regulated federal government sector scores poorly with respect to cybersecurity effectiveness.

As we all know in addition to massive death and social destruction the pandemic has also brought economic collapse on many dimensions. Our economy, like just about everything else, is ultimately reliant on cyber systems. If the purpose of the legislation on the Senate floor is COVID relief then that needs to include making sure our economy recovers and our economy cannot recover unless the core systems of the economy – which in the 21st century are cyber – also recovers.

The foundational assumption of the expert agency regulatory model is that government knows what to do; all that is needed is to compel a recalcitrant private sector to follow government mandates. There is no evidence that government has attained that degree of expertise in cybersecurity. In fact, the data suggest the opposite.

Today The World Economic Forum, in collaboration with the National Association of Corporate Directors the Internet Security Alliance and PWC is today publishing a new set of principles for boards of directors to follow in exercising their duty of cyber risk oversight. While a number of these principles will be familiar to those who have followed the ISA/NACD work one important additional principle has been added.