January 30, 2023

I’m delighted to announce that this week the Internet Security Alliance will launch its Fixing American Cybersecurity campaign.

The campaign is based on three new publications. The first is ISA's public policy book, Fixing American Cybersecurity: Creating a Strategic Public-Private Partnership (Georgetown University Press) [Link: available for pre-release purchase on Amazon], which will be released this week. The second is the fourth edition of the Cyber Risk Oversight Handbook for Corporate Boards (a joint publication of ISA and the National Association of Corporate Directors), which will be released in March. The third is the companion volume to the board handbook, Cybersecurity for Business (Kogan Page) [Link: available for purchase on Amazon], which outlines how the security management team will implement the new approach.

Taken together, the books define a new, coordinated, and more strategic approach to both public policy and enterprise risk management, including very specific steps in both domains of cybersecurity, many of which have already been independently assessed and found to work.

The title of the policy book is quite intentional and straightforward. The nearly two dozen cybersecurity experts, typically CISOs from multiple critical industry sectors, who contributed to the volumes have collectively come to the conclusion that the USA urgently needs to fix its severe and growing cybersecurity problem. Moreover, the only viable answer is to create a strategic public-private partnership, something that, rhetoric notwithstanding, we have never done before.

Any serious conversation about the state of American cybersecurity needs to begin with the understanding that we are losing the battle to secure cyberspace, and things are not getting any better. They are getting worse, much worse. We are losing to the Chinese. We are losing to the criminals. We are losing to a wide and growing range of attackers. Successful cyber-attacks on government and private systems are commonplace. Annual economic damages run to the trillions of dollars. We successfully prosecute less than one percent of cyber criminals. We need to fix that.

Of course, those of us in the cybersecurity world all know this. It has become such common knowledge that we often tend to skip over the critical point that we are losing this competition and move quickly to hype, even brag, about the terrific programs we have initiated to address the threat. I've been privileged to attend several events that may have a cyber segment but are not generally populated by cyber pros. It's disturbing how many times I've heard board members and non-cyber execs listen to government and industry presentations and come away saying words to the effect of "looks like you guys have got this handled." Not true. We have to fix that.

To be fair, there are a good many terrific programs; ISA itself likes to point to our own. The problem is that, despite these programs, what we are doing is not enough, not nearly enough. Our adversaries are being far more aggressive, more strategic, and far more effective. We need to fix that.

Take China as one example. Many of those inside the beltway think the problem we face with China is TikTok and maybe Huawei. It's not that, or, better said, it's not just that. Huawei and TikTok are just examples of the much larger, sophisticated, and integrated Digital Silk Road initiative that China is funding to the tune of $1.4 trillion over 5 years, about 5 times what the USG plans to spend on cybersecurity. The goal of this strategy is to fundamentally remake the post-WWII US/EU-dominated world order into a Sino-oriented world order. Notwithstanding some current Chinese turbulence, they are doing quite well implementing it, garnering significant geopolitical advances in Asia, Latin America, Africa, and Europe.

In comparison, the USG hasn't fundamentally changed its cyber strategy in over 30 years. In fact, it's not truly accurate to say the US even has a digital strategy. What we have is a series of disjointed tactics, such as information sharing, standards development, and reporting regimes. These are important elements, although their effectiveness is dubious, but they are not a strategy in the same sense as China's Digital Silk Road.

We have to fix that. We need to develop a true cyber strategy that is as well thought out as China's, has clear affirmative goals, and integrates our private and public sectors in a sophisticated system that effectively leverages our free-market and innovative private sector and is supported by a collaborative, as opposed to parental, government. This new approach needs to begin by understanding that the cybersecurity issue, let alone a comprehensive and competitive digital strategy, is not simply about the technology.

The vast majority of previous USG cyber initiatives have been all about technology and treating technical vulnerabilities. Again, this is an important issue, but it is not the only issue.

Cybersecurity is not a technical issue to be addressed out of the IT departments in government and industry. It is a comprehensive strategic issue that needs to be addressed at the board or agency-head level. The culture and practice needed to enact a successful cybersecurity strategy will never bubble up from IT; it needs to flow down from the organizational leadership. The companion enterprise risk management publications that are part of the new Fixing Cybersecurity campaign will define how this is currently being done successfully in leading private sector organizations. These principles and toolkits will complement the broader public policy proposals that are detailed in the Fixing American Cybersecurity policy book. In a regular series of blogs, tweets, and internet advertisements over the next few months we will outline the integrated program and welcome support and comment.