(WASHINGTON, D.C.) – In a blog post published this morning, Internet Security Alliance President Larry Clinton called for a new approach to cybersecurity focused on systemic risk.
“We are losing the battle to secure cyber space – badly. Our New Year’s resolution ought to be to recognize this fact and come up with a new approach to the problem.
“The ugly truth is, we still are underestimating and over-simplifying the issue. The dominant narrative is that the victim entity was just stupid and just needs to be more ‘accountable.’ According to this narrative, our core problem is that we have stupid, lazy, corrupt and no doubt money-grubbing people running our cybersecurity (apparently at the recently compromised NSA and Army too—who knew).
“We no doubt do have some stupid, lazy, whatever, people involved in cybersecurity. However, the main problem is that we have a fundamentally vulnerable system protecting immensely valuable data. The system was designed to be open, not secure, and it is becoming more insecure with technical innovations, like mobile devices and the Internet of Things. The core problem is not that individual organizations are vulnerable. The core problem is that the system itself is vulnerable. This systemic risk is a different – and much more difficult – issue to deal with.
“Making matters worse, cyber targets are being vastly outgunned by the attackers. Nation-states have expanded their cyber operations beyond traditional espionage to straight-out cyber-crime, like bank robbing. Kevin Mandiant has been quoted as saying 90% of the attacks he sees are nation-state affiliated. It’s not just that one particular patch wasn’t downloaded. Modern attackers continually probe targeted systems until they find an opening because the profits from attacks are enormous.
“Although ‘providing for the common defense’ is the very first obligation of government under the U.S. Constitution, our government has failed to define and provide a clear policy, strategy, or structure to effectively assist private companies in fending off well-funded nation-state (or state-affiliated) cyber attacks.
“Government policy, structure, and funding need to be substantially enhanced in order to carry out the government’s Constitutional mandate and address systemic cyber risk in a fashion consistent with the market economy and democratic principles that will sustain the innovation and productivity which are the foundation of our culture.”
About ISA: The Internet Security Alliance (ISA) is a trade association with members from virtually every critical industry sector. ISA’s mission is to integrate advanced technology with economics and public policy to create a sustainable system of cybersecurity. ISA pursues three goals: thought leadership, policy advocacy and promoting sound security practices. ISA’s “Cybersecurity Social Contract” has been embraced as the model for government policy by both Republicans and Democrats. ISA also developed the Cyber Risk Handbook for the National Association of Corporate Directors. For more information about ISA, please visit www.isalliance.org or call 703-907-7090.