President-elect Biden should demonstrate his commitment to improving cybersecurity in the aftermath of SolarWinds by moving to close a “cyber investment gap” in which both U.S. industry and foreign adversaries are vastly outspending the United States government in key areas, according to Larry Clinton, head of the Internet Security Alliance.
“With due respect, we might now say to Mr. Biden, don’t tell us you are not going to stand idly by while we are being constantly attacked in cyber space – show us your cybersecurity budget and we can tell you if it’s really a priority. As it should be,” Clinton said in a recent blog post.
Biden at a press conference last week promised a much sharper focus on cybersecurity and said the SolarWinds attack showed the current administration failed to prioritize the issue.
Larry Clinton, President, Internet Security Alliance
Biden said he would ensure “the right people are in place on day one of my administration to take over this effort, to prioritize cybersecurity across the board and I will consult with experts to plan for the steps that my administration will take in order to secure our systems, improve on our cyber defenses and to better withstand future attacks that we know will come and to impose cost on those who conduct them.”
ISA’s Clinton, in a separate blog post last week, highlighted the need to fundamentally rethink cyber policy in the aftermath of SolarWinds and go beyond the recommendations in the Cyberspace Solarium Commission report and cyber provisions in the fiscal 2021 National Defense Authorization Act.
The postings are part of a series that ISA launched in November to initiate a dialogue on cybersecurity that will culminate in a package of recommendations for pulling together a holistic cyber strategy grounded in the economics of the issue.
Clinton in his “show us the money” post, said, “In this space Mr. Biden will have a great deal of work to do. The fact is that the US government has been addressing cybersecurity on the cheap and our lack of investment is now showing.”
Just on funding for the Cybersecurity and Infrastructure Security Agency, the omnibus fiscal 2021 appropriations measure “Provides $2.0 billion for CISA, $9.4 million above the FY2020 enacted level and $267.2 million above the President’s budget request,” according to a summary by congressional appropriators.
By contrast, Clinton said, “The automotive industry alone plans to spend nearly $5 billion on cybersecurity this year. … Thus, by Mr. Biden’s measure, it is the private sector, that values cybersecurity many times more than the government.”
Clinton said, “Total federal appropriations on cybersecurity in fiscal year 2017, the last year for which we have final data, was $27 billion about half of which goes to the military which, as the recent events prove, has provided marginal assistance to the general public from cyber-attacks.”
But he cited figures from research and advisory firm Gartner showing private-sector spending on cybersecurity in 2020 of $124 billion.
“Moreover, as the National Infrastructure Protection Plan points out, the private sector security spending is appropriately focused on security at a commercial level. That will not accommodate our national security needs. This is what led the former Director of the Cybersecurity and Infrastructure Security Agency Chris Krebs to describe [as a] ‘gap’ in our nation’s cyber defense between what the private sector can be expected to provide for commercial purposes and what the government is now providing for national security and crime fighting,” Clinton said.
“The bad guys have now stepped in to fill the gap,” Clinton argued.
He cited Chinese spending on advanced technologies and inadequate U.S. spending on Science, Technology, Education and Mathematics education as key parts of the cyber gap.
“In the aftermath of our initial awareness of the existence of the Russian attack we are already seeing focus on the incremental operational issues and blame-seeking. Already there are stories about how SolarWinds didn’t have a person with the title Chief Information Officer. … We are also seeing stories about does this mean we need to decouple NSA from Cyber Command.”
But Clinton said, “These are the digital trees that are blocking our view of the larger, much more daunting digital forest – we need to focus on the big picture. We need to fundamentally re-think our approach to cyber security and that will, if intelligently done, require at a minimum, that we need to spend more money on this issue.”