This chapter begins by citing the observations of former Clinton, Bush and Obama cyber advisors Richard Clarke and Bob Knake, who note that the USA’s approach to cybersecurity hasn’t fundamentally changed in three decades. Clarke and Knake note that the overall approach to cybersecurity is a “limited” government role proceeding through “nudges” for investment, information sharing and eventually regulation. The chapter then proceeds with a detailed analysis of why the current cybersecurity tactics are not working. The chapter points out that, notwithstanding conventional wisdom, there is already substantial regulation of cybersecurity in numerous industries. However, the regulatory model is ill-suited to address an issue as dynamic as cybersecurity. It is a slow, backward-looking, compliance-based pass-fail model (an entity is either in compliance or not), whereas cybersecurity is a quickly changing, forward-looking risk management issue where security is best measured on a continuum as opposed to secure vs. insecure. In addition, the traditional regulatory model is designed primarily to address malfeasance, whereas the core problem of cybersecurity is not that organizations are engaged in malfeasance but rather that they are under attack – often by far more sophisticated attackers. For these, and other, reasons, the data show that cyber regulation is not working. Indeed, the research shows that highly regulated sectors, such as health care, rank near the bottom on most measures of actual security (and even supposedly good sectors such as financial services don’t do appreciably better). The chapter also discusses the many structural (as well as financial) deficiencies of cyber law enforcement, information sharing and international diplomatic efforts to fight cybercrime.
Combining Technology, Public Policy and Economics to Create a Sustainable System of Cybersecurity
Larry Clinton is President of the Internet Security Alliance. He advises industry and government on cyber policy. He has briefed NATO, the OAS and G-20 and the US Congress. He has twice been named to the Corporate 100 list of the most influential individuals in corporate governance. He has written cybersecurity best practices books used in the US, Europe, Latin America and Asia.
Alexander T. Green is a staff editor for the Georgetown Journal of Law and Public Policy and is Vice President of the Corporate and Financial Law Organization. He holds a Juris Doctor from Georgetown Law.