Internet Security Alliance launches ‘national dialogue’ on a critical new phase in cyber efforts

November 20, 2020

The Internet Security Alliance wants to spark a dialogue in the cybersecurity community “around the idea that we need to re-examine the problem and do a lot more” to meet challenges in cyberspace that are gradually eroding the United States’ position as the world’s foremost economic, technological and military power.

“We need to engage the broad cybersecurity community across the nation,” ISA president and CEO Larry Clinton told Inside Cybersecurity. “There is not nearly enough conversation about the cyber crime problem, or how China is winning friends and influencing people around the globe.”

He said, “We still don’t have a functioning international structure to fight cyber crime,” and the result has been dramatic military and economic advances by China as well as criminal enterprises’ burgeoning capacity to use artificial intelligence and other advanced tools to drain away the life blood of western economies.Larry Clinton

Larry Clinton, President, Internet Security Alliance

The Internet Security Alliance, a nonprofit policy advocacy group representing chief information security officers from major companies, began reaching out to cyber stakeholders last week with a message unveiling a “fairly intensive social media campaign” and urging participation in a deep discussion on cybersecurity challenges and needs.

The campaign will involve a regular series of social media postings beginning this month, identifying the problem, what adversaries are doing in cyberspace, the systemic risks and why current efforts are failing, and finally recommendations on what should be done.

“A lot of these problems are structural or financial, and we can fix them,” Clinton commented.

“The reason we are doing this is that, to put it bluntly, and notwithstanding some excellent efforts by many of our friends — we are getting crushed in cyberspace,” Clinton wrote in a Nov. 5 message. “Not only are we not really making progress, we are losing ground hand over fist.”

The challenge requires much tighter engagement throughout the cybersecurity ecosystem, Clinton said, and involves key roles for industry and government alike. And it should involve an end to finger-pointing about who’s to blame for what when it comes to cybersecurity shortcomings. “We the good guys have to be better at fighting the bad guys — and stop treating each other like bad guys,” he said.

Clinton wrote that “adversaries have become far, far more sophisticated. Take for example, China. In some ways I confess an admiration for the Chinese in terms of how sophisticated, well developed and well supported — and successful — their digital strategy is. When we look at their Belt and Road Initiative (BRI), and their Digital Silk Road (DSR) it becomes readily apparent that we have nothing, no strategy even remotely as well thought out and developed. Most have heard about Huawei, TikTok and the ‘rip and replace’ strategies — but this is just the tip of the Chinese spear. Examined from a geo-political perspective, in many respects we are non-competitive with our Chinese adversaries and the implications not only for us, but for the western liberal democracy world order are significant.”

Clinton expanded, saying, “True, China has certain advantages with a controlled economy and authoritarian governmental structure. But we have advantages too. We have a larger economy. We have 100 years of developed and supportive alignments around the world. We have an incentive based entrepreneurial economy that rewards innovation and creative thought — characteristics that ought to be especially meaningful in the fast-paced digital age. We are not leveraging our advantages enough.”

He cited several pieces of evidence underscoring the growing challenge to U.S. and global cybersecurity:

  • According to the World Economic Forum Cybercrime was a $2 trillion a year business and in 2019 and is expected to grow to $6 trillion in the next couple of years. Meanwhile we are successfully prosecuting less than 1% of cyber criminals
  • All sorts of nation states, the Russians, the Koreans, the Iranians, the Chinese and others are stealing our personal data, our corporate intellectual property and our government secrets. We, industry, consumers and government are all on the same side, but we are spending too much time and energy pointing fingers at each other and not enough time and resources fighting our biggest adversaries.
  • Two of our nation’s most renowned cybersecurity experts, Dick Clarke and Robert Knake in their 2019 book The Fifth Domain observed wisely that “Since the Clinton Administration our Cybersecurity Strategy has changed very little.” As someone who has been involved in cybersecurity policy for the past 2 decades I’d have to agree with that. For example, we still tend to think of, and act on, the cybersecurity issue from an excessively narrow perspective as primarily a technical operational issue when it is actually a much broader and complex problem.

“We’re not into the blame game here, there’s been far too much of that,” Clinton told Inside Cybersecurity. “We’re talking about the need for more of what people have been doing, a lot more. We are not providing the attention and resources needed — that’s the driver for this.”

Clinton said in the interview, “We need to re-examine the problem and the policy. We’ve done a lot of nice things over the past two decades, but it’s mostly standards development and information sharing. That’s it. … We need a digital strategy that’s sufficiently funded. We need to substantially up our game.”

The effort begins with a fresh look at the problem, Clinton said, including the “profit and geopolitical gains” that adversaries derive from cyber attacks — and what that should tell policy makers about where to focus security efforts and resources. “There are all kinds of rewards for attackers — that’s what we need to look at,” he said.

“We need to get the whole community involved,” Clinton said. “We’re going to lay out bit-by-bit what we need, what’s in the country’s best interest. We’ll put these out in digestible pieces,” probably blogging several times a week in the coming months on why current policies aren’t deterring cyber crime and how to get “better Return on Investment” for government-industry engagement.

“Then we’ll go sector-by-sector on a real strategy,” Clinton said. “I’d like for us to have as comprehensive strategy as our Chinese adversaries have,” he said. 

| Inside Cybersecurity November 20, 2020