DISRUPTION IN DC IS A GOOD THING FOR CYBER

PART ONE: A ONCE IN A LIFETIME OPPORTUNITY

I know I have cyber friends who will read that headline and say, “what are you talking about? Do you know what’s happening to CISA?” Yes, and we will get to that, but consider this: essentially, we have been doing the same things to address cyber threats for 25 years and it’s not working. We are losing the race to secure cyberspace and the gap is widening.

The cybersecurity lobby now has what may be a once-in-a-lifetime opportunity to move away from the failing approach that has been followed for two decades and help develop a paradigm that can finally begin to move us towards building a sustainably secure cyber system.

To not take this opportunity would be security malpractice.

We need radical change at the federal level. If we are going to see profound transformation in how government functions as a whole, we in the cybersecurity community need to seize that opportunity to improve our critical sector. Someone once said “never let a good crisis go to waste”. So, whatever some may think about broader government reform issues, we in the cybersecurity world need to push aggressively for significant changes in our government’s approach to cybersecurity. And we need to do it fast.

WE REALLY OUGHT TO HAVE A SLAUGHTER RULE

How bad has the old approach been? Anne Neuberger, who has essentially been in charge of U.S. cyber policy for the last four years, recently said that the economic damage from cyber-attacks in the next two years would rise to over $23 TRILLION annually. That’s Trillion with a T. That is roughly twice the size of China’s annual GDP. And according to Neuberger, that’s up from the roughly $8 trillion in impact from 2022.

This is essentially a tripling in economic gain for the cyber criminals (on a multi-trillion-dollar base) over four years. Where do I buy stock in that business? (Actually, you probably can go on the dark web and “buy stock” in that business, and no, I don’t really want to invest in cyber-crime… but you get the point).

And, by the way, we successfully prosecute less than 1% of cyber criminals.

The point is—and this is the main point cybersecurity advocates should have at the top of our agenda—we are getting killed out there. The bad guys are running up the score on us. If we had a slaughter rule like in Little League, the umpires would be calling off the game now. Unfortunately, we don’t have a slaughter rule, and the government, which should be the umpire, keeps missing the calls. So, the slaughter continues unabated.

And it’s not just the money. Our adversaries, especially in China, have implemented a series of very sophisticated programs to turbo-charge the economic gains from digital attacks by massively cross-subsidizing their technology and communication industries to advance their legal, military, finance, civil law-enforcement, transportation (especially ports and cables), diplomacy, and standard-setting efforts, all to the detriment of U.S. and Western security interests.

They have even leveraged our own higher education system against us. As many as 85% of computer science students in leading U.S. universities are Chinese and will return to China having been educated by America’s best. You read that right. Eighty-five percent of the top computer education students in the US are Chinese. We are actually teaching them how to beat us. They must be laughing at us in Beijing.

THE FEDERAL GOVERNMENT HAS NEVER GONE THROUGH DIGITAL TRANSFORMATION

Subsequent posts will detail several specific areas in need of speedy and dramatic reform, but let’s start with the basics. Unlike virtually every private sector entity in the world over the last 20 years, our government has never gone through digital transformation.

Two decades ago, virtually every private company realized that the internet had changed the world and remade their business: new products, new processes, new partners, and new structures. Businesses rethought every aspect of their processes and products to be able to compete in the new digital world.

Digitization changed everything, except the U.S. federal government.

Our government operates pretty much as it did in the 70s and 80s. There are literally scores of congressional committees that have competing jurisdiction over cybersecurity, which makes enacting effective cyber legislation nearly impossible. This is probably the main reason the United States has never enacted a comprehensive cybersecurity law, and why current House Homeland Security Chairman Mark Green is calling for a “whole of government” approach to cybersecurity.

One result of this balkanized and antiquated governing structure for cybersecurity is that the thought process and programs generated by the narrow perspectives of the committees of jurisdiction are similarly narrow in concept and scope. They discuss cyber issues through the narrow lens of their jurisdiction. There are still many people in the federal government who think cybersecurity is just a technical or operational issue and that all we need to do is improve information sharing.

Meanwhile, the consensus in the private sector has long transitioned to understanding that cyber is an enterprise-wide risk management issue that needs to be addressed in a far greater context. While obviously the tech aspect needs constant attention, businesses around the world have launched sophisticated training programs for their boards of directors, who set the strategy and culture of the organization. These programs have fundamentally altered the corporate approach to cybersecurity with empirical improvements in cyber risk management, creating a culture of security and driving down the number of successful cyber-attacks.

There is no equivalent training program for Congress or senior Administration officials.

Moreover, despite the fact that virtually every aspect of government, and our society, has long become reliant on these digital systems, there is no one in the US government who is charged with determining how to digitally transform our government structure to meet the real needs in a fashion truly competitive with that of our major adversaries.

OUR ADVERSARIES HAVE NOT MADE THESE MISTAKES

Our adversaries have not been so provincial. China is an excellent example, and a major reason China has successfully compromised our critical infrastructure via cyber-attacks. Prior to the dawn of the digital age (roughly the 1980s) China could accurately be described as isolated, poor, and stale. However, China quickly saw the opportunities of digitalization—particularly the vulnerabilities in the information technology being developed and used in the West. China aggressively set out to use these vulnerabilities to steal Western tech and the products it was producing to leapfrog multiple generations of development in what some experts have called “the greatest transfer of wealth in human history.”

China did not stop there. In the intervening decades they have developed a well-thought-out, sophisticated plan to leverage the theft of Western technology (in many cases improving it). Their goal is no less than to reconstruct the post-WWII world order, dominated by the United States and Western allies, so that it shifts toward China and Russia. In less than a generation China has gone from an afterthought on the world stage to the one superpower truly competing with the United States. My guess is that unless we act quickly, aggressively, and in much smarter ways than we have been, they will succeed in less than two decades.

The current manifestation of China’s digital strategy is known as the Digital Silk Road, which China has funded with $1.4 trillion over a 5-year period. That is roughly six times the amount of money the U.S. government is predicted to spend on cybersecurity. China is thinking bigger, innovating their government better, and acting more aggressively than the United States—and they are succeeding. China uses its integrated program to massively cross-subsidize products from Huawei, Tencent, Alibaba, China Telecom, and more to capture critical infrastructure with Chinese tech. The Chinese tech companies are then required to collaborate with the Chinese government. All over the world, in Asia, Latin America, Africa, Europe, Australia, and even the rural US telcos, Chinese technology has become dominant. They have literally become the Godfather of modern technology, making offers developing regions can’t refuse.

And thanks to our narrow thinking and outdated approach to the digital world, we are letting it happen.

There is, of course, a robust debate about the speed and extent of the government reform broadly underway. However, at least in the cybersecurity space, the need for speedy and radical reform is all but incontrovertible. These reforms need to embrace the reality of the cyber threat and adopt private-sector-led approaches such as digital transformation, cost-benefit analysis, empirical measurement and budgeting, as well as true collaboration between industry and government.

There are pragmatic, and often low-cost, legislative and policy proposals that can lean into the new government reform ethic and generate a new, more effective approach to managing our cyber risk. It is up to the private sector to capitalize on this once-in-a-lifetime opportunity to engage our government partners in this new direction.

Next up… Part II: developing a real public-private partnership, and then… Part III: let’s talk cybersecurity regulation.