Government’s own cyber shortcomings undermine calls for regulatory approach, says ISA’s Clinton

February 16, 2021

The federal government lacks the expertise to mandate effective cybersecurity requirements for industry, according to Internet Security Alliance leader Larry Clinton, who says failures to secure the government’s own systems reveal the need for a major readjustment in thinking about cyber policy.

“[W]e can add government to the list of sectors that are highly regulated but fail to achieve acceptable levels of security,” Clinton said in a blog post late last week.

“The reason that these private and public entities are not faring well in terms of cybersecurity does not lie in the dedicated staff charged with providing security,” Clinton wrote. “The fault is in the system itself. Treating cybersecurity as simply a technical operational issue is an incomplete understanding of the issue. A different, enterprise-wide, collaborative and economically based model needs to be evolved — and can be — developed and implemented.”

The blog is the latest in a series launched in November by ISA as part of a “national dialogue” to culminate in a comprehensive package of recommendations.

Earlier this month, Clinton said in a Jan. 14 post: “Traditional regulation empirically doesn’t work, in fact as we will show later it’s actually anti-security as it wastes scarce cybersecurity resources. It is an outmoded methodology for a modern problem.”

In the Jan. 22 post, Clinton said, “The foundational assumption of the expert agency regulatory model is that government knows what to do; all that is needed is to compel a recalcitrant private sector to follow government mandates. There is no evidence that government has attained that degree of expertise in cybersecurity. In fact, the data suggest the opposite.”

He pointed to Government Accountability Office and Senate permanent investigations subcommittee examinations finding failures to properly implement security requirements and a dramatic lack of insight among agencies into the security of their own systems.

“This kind of lack of compliance by the government with their own standards further calls into question if the government has the ability to judge the private sector on cybersecurity. The government itself has suffered from multiple successful cyber-attacks, including DOD, the SEC, and the Office of Personnel Management,” Clinton said.

A day earlier, on Jan. 21, Clinton blogged: “A major reason why we are not making progress in securing cyberspace — and we are in fact losing ground rapidly — is that for the most part we have mis-analyzed the issue as a case of traditional corporate malfeasance.”

He said, “The reality is that we, consumers, governments and industry, are all in this fight together. Notwithstanding rhetorical pledges of ‘partnership’ the implementation of a true partnership such as one would see in a business partnership has never been realized — and actually largely not even attempted.”

Clinton said “too many regulators feel the need to blame the victim of the attack thinking — wrongly — that severe penalties will drive better security,” while arguing that, “Instead of the parent-child relationship the cybersecurity partnership should be more like a successful marriage. Government and industry need to act like mature co-equal spouses. In good marriages partners understand, indeed relish their differences and don’t seek to manage the other but to work together. This is also characteristic of good business partnerships.”

Inside Cybersecurity, January 26, 2021