Chapter 4 - Outdated and Ineffective: Why Our Current Cybersecurity Programs Fail to Keep Us Safe


This chapter begins by citing the observations of former Clinton, Bush and Obama cyber advisors Richard Clarke and Bob Knake, who note that the USA's approach to cybersecurity hasn't fundamentally changed in three decades. Clarke and Knake observe that the overall approach to cybersecurity has been a "limited" government role proceeding through "nudges" for investment, information sharing and, eventually, regulation. The chapter then proceeds with a detailed analysis of why the current cybersecurity tactics are not working. It points out that, notwithstanding conventional wisdom, substantial regulation of cybersecurity already exists in numerous industries. However, the regulatory model is ill-suited to an issue as dynamic as cybersecurity. It is a slow, backward-looking, compliance-based pass-fail model (an entity is either in compliance or not), whereas cybersecurity is a quickly changing, forward-looking risk management issue in which security is best measured on a continuum rather than as secure vs. insecure. In addition, the traditional regulatory model is designed primarily to address malfeasance, whereas the core problem of cybersecurity is not that organizations are engaged in malfeasance but rather that they are under attack, often by far more sophisticated attackers. For these and other reasons, the data show that cyber regulation is not working. Indeed, the research shows that highly regulated sectors such as health care rank near the bottom on most measures of actual security (and even supposedly good sectors such as financial services don't do appreciably better). The chapter also discusses the many structural (as well as financial) deficiencies of cyber law enforcement, information sharing and international diplomatic efforts to fight cybercrime.
