Chapter 1 – The Economics of Cybersecurity: Advantage Attackers
Chapter 2 – Dangerous and Effective: China’s Digital Strategy
Chapter 3 – The Solar Winds of Change: The Threat of Systemic Cyber Risk
Chapter 4 – Outdated and Ineffective: Why Our Current Cybersecurity Programs Fail to Keep Us Safe
Chapter 5 – Reinventing Cybersecurity: A Strategic Partnership Approach
Chapter 6 – The Cybersecurity Policy We Need: Incentivize, Modernize, Economize
Chapter 7 – Health: Cybersecurity as a Core Element of Patient Care
Chapter 8 – Defense: Leveraging the Dual Economies of the Defense Industrial Base
Chapter 9 – Financial Services: Regulation Isn’t Enough
Chapter 10 – Energy: Protecting the Smart Grid
Chapter 11 – Retail: Serving Consumers and Keeping Them Secure
Chapter 12 – Telecommunications: Managing International Risk in a Post-COVID-19 World
Chapter 13 – Information Technology: Defining How to Govern IT
This chapter begins by citing the observations of former Clinton, Bush and Obama cyber advisors Richard Clarke and Bob Knake, who note that the USA’s approach to cybersecurity hasn’t fundamentally changed in three decades. Clarke and Knake note that the overall approach to cybersecurity is for a “limited” government role proceeding through “nudges” for investment, information sharing and eventually regulation. The chapter then proceeds with a detailed analysis of why the current cybersecurity tactics are not working. It points out that, notwithstanding conventional wisdom, there is already substantial regulation of cybersecurity in numerous industries. However, the regulatory model is ill-suited to address an issue as dynamic as cybersecurity. It is a slow, backward-looking, compliance-based pass-fail model (an entity is either in compliance or not), whereas cybersecurity is a quickly changing, forward-looking risk management issue where security is best measured on a continuum as opposed to secure vs. insecure. In addition, the traditional regulatory model is designed primarily to address malfeasance, whereas the core problem of cybersecurity is not that organizations are malfeasant but rather that they are under attack, often by far more sophisticated attackers. For these and other reasons, the data show that cyber regulation is not working. Indeed, the research shows that highly regulated sectors, such as health care, rank near the bottom on most measures of actual security (and even supposedly good sectors such as financial services don’t do appreciably better). The chapter also discusses the many structural (as well as financial) deficiencies of cyber law enforcement, information sharing and international diplomatic efforts to fight cybercrime.
Combining Technology, Public Policy and Economics to Create a Sustainable System of Cybersecurity
ISA provides cybersecurity expert testimony and thought leadership in government and serves as an expert witness to the press.
Larry Clinton is President of the Internet Security Alliance. He advises industry and government on cyber policy. He has briefed NATO, the OAS and G-20 and the US Congress. He has twice been named to the Corporate 100 list of the most influential individuals in corporate governance. He has written cybersecurity best practices books used in the US, Europe, Latin America and Asia.
Alexander T. Green is a staff editor for the Georgetown Journal of Law and Public Policy and is Vice President of the Corporate and Financial Law Organization. He holds a Juris Doctor from Georgetown Law.