Dear Cyber Commission, We Don’t Need a New Plan

May 13, 2016

By: Larry Clinton, CEO/PRESIDENT

A wise person once said every great plan eventually dissolves into actual work. What we need right now is actual work on cybersecurity.

We have spent much of the past decade, and particularly the last 5 years, coming to a consensus on the best approach to improve our overall cybersecurity.

Back in 2008, two competing approaches to cybersecurity existed: the strategy outlined by the Bush Administration’s National Strategy to Secure Cyberspace, and an alternative approach articulated in the Lieberman-Collins Cybersecurity Act.

The National Strategy to Secure Cyberspace argued that the Internet needed to be free of government involvement and that adequate security would evolve naturally from the market in response to the growing threat. In contrast, the Lieberman-Collins legislation argued that the threat was so great we needed a Sarbanes-Oxley type regulatory structure with government-mandated standards and severe penalties for non-compliance. Both models received substantial review and discussion, but were found wanting for various security, economic and political reasons.

A third model was developed and suggested by a broad coalition of private sector entities. This third model argued that government plays a role, but that role was different from the traditional independent regulatory model. This new model called for a collaborative approach wherein industry and government work together to identify standards and practices worth adoption, voluntarily, by private sector entities, based on their unique cyber risk assessments. Cybersecurity strategies that demonstrated cost effectiveness would be widely adopted with adequate awareness and understanding. Where security practices and technologies needed for national security reasons were greater than those required for commercial security, or other national interests, market incentives would be deployed to spur effective system-wide security.

This model, originally articulated in 2008 in the Internet Security Alliance’s “Cyber Security Social Contract,” was the first and most frequently referenced source for President Obama’s “Cyber Space Policy Review.” The Pan-Industry Association also embraced this model in its white paper on cybersecurity, co-authored by the US Chamber of Commerce, the Business Software Alliance, TechAmerica, Center of Democracy and Technology and ISA. Its call for a voluntary, collaborative program reinforced by government-provided incentives became the very first recommendation offered by the GOP House Task Force (Thornberry Commission) Report on Cyber Security, and is also embraced in President Obama’s Executive Order 13636.

Despite the broad industry and bipartisan support of this consensus model, implementation has been comparatively slow. Perhaps the most significant implementation is the enactment of the CISA information sharing legislation, which promotes voluntary information sharing probated by a liability incentive. The most recent version of the National Infrastructure Protection Plan contains insightful analysis of the differences between public and private sector assessment of cyber risk and the need to evolve incentives to protect the system. Also, the development of the so-called NIST Cybersecurity Framework was a product of the collaborative model called for in the Social Contract.

However, at a time when our cyber systems are becoming technically weaker, the attackers are becoming more sophisticated, and the economics of cybersecurity all favor the bad guys, we need to substantially pick up the pace for overall cyber defense.

This is where the newly appointed President’s Commission on Enhancing National Cybersecurity (charged with crafting recommendations for the incoming Administration) ought to focus its efforts. Notwithstanding rhetorical support, there has been virtually no empirical testing of the effectiveness of the NIST Cybersecurity Framework. Work on its cost effectiveness and prioritization, both called for in the President’s Executive Order, has not even begun, and there has been no effort to identify incentives for promoting additional best practices and technologies beyond the liability protections in the CISA bill.

Now is not the time to go back to the drawing board — in fact, time is one of the things we lack most. We do not need another new national strategy. We need strong action toward implementing the consensus approach for cybersecurity.
