ISA PROPOSES ZERO COST PATH TO CYBERSECURITY

This week the Internet Security Alliance (ISA) conveyed to the White House Office of the National Cyber Director a set of five priorities that, if enacted, would create a Zero-Cost Pathway for American Cybersecurity (link to the report below).

These are pragmatic programs that can be implemented quickly. They will generate significant material improvements in our nation’s cybersecurity almost immediately. These steps will also put our nation’s intermediate and long-term security on a measurably effective and economically sustainable path that will enable us to address newly growing threats of systemic failure.

Most importantly, implementing these priorities will cost the federal government virtually nothing. Indeed, the modest start-up costs associated with some of these priorities will be more than offset by the savings they will quickly create. On balance, implementing the proposed projects will not only materially improve our nation’s security, both immediately and in the long term, but will save the federal government billions of dollars in the process.

As a bonus, the private sector will also save billions of dollars currently being wasted on unproven requirements. This money can be channeled into greater investment and innovation, which will generate increased economic growth and enhanced cybersecurity.

The specific policies advocated in this paper are:

    • Having the Office of Management & Budget (OMB) act now to eliminate the massive duplication in existing federal cybersecurity regulation. This recommendation is consistent with the direction outlined by the Chairs of the House Homeland Security and Oversight and Government Reform Committees in a letter to Director Vought this spring, which concluded that “eliminating the duplicative landscape of cyber regulations is the fastest, most cost-effective way to improve the nation’s cybersecurity materially.” It is also consistent with the letter a series of major trade groups have sent to Director Vought outlining a specific method, using advanced technology and a public-private partnership, to streamline the regulations.

    • Establishing a cost-benefit analysis requirement for future cyber rules. This will, for the first time, change the underlying basis for government mandates on cybersecurity from the current goal of compliance to a new goal of effectiveness in reducing the cyber threat, and doing so in a practically sustainable fashion.

    • Reauthorizing and modernizing the 2015 CISA Act before its September 30, 2025, expiration to address systemic risks from concentrated market dependencies and ensure the framework keeps pace with today’s threat environment.

    • Passing the PIVOTT Act (already out of the House Homeland Security Committee), which would provide an adequately trained government cybersecurity workforce while closing the larger gap on a cost-neutral basis.

    • Creating the first macroeconomic model of cyber risk, similar to the models already used to measure and evaluate other major risks such as financial risk, geopolitical risk and environmental risk. This will enable government and industry to measure cyber risk, as well as new risks generated by emerging technologies such as AI and quantum computing, and to empirically evaluate reforms for maximum security impact and economic return.

The economics of this program are compelling. Using available Artificial Intelligence (AI) tools ISA was able to determine that 76% (232 of 304 cybersecurity regulations) are functionally duplicative across two or more agencies. Nearly a quarter of a million federal contractors are subject to overlapping cybersecurity mandates. Only three (3) of 22 agencies accept documentation from another agency, despite requiring similar content. As a result, an estimated 40% of industry cyber budgets are directed toward compliance—not risk mitigation. However, using AI tools to eliminate duplication could reduce the number of cyber regulations from 304 down to 75 core regulations. Reducing regulations by eliminating duplications would save industry $30-50 billion annually (based on 200,000+ affected companies saving $150,000-250,000 each). Moreover, government would save between $3-5 billion just from a reduction in administrative overhead.

What all this translates to is that simply right-sizing our regulations (the program doesn’t eliminate the regulations, only the redundancies) would immediately free up enormous numbers of scarce cybersecurity professionals to focus on actual security rather than meaningless compliance. In addition, eliminating all this waste would save large amounts of money for both the government and industry at the same time.

While the precise numbers involved can’t be determined until after the program is put into effect, even the low-end ranges of the estimates are compelling in terms of savings.

These savings are more than enough to reconfigure the remaining core regulations around a cost-benefit analysis method – like that used in many other regulatory regimes, just not in cybersecurity – so that we will, for the first time, be able to measure and incentivize effective security practice.

The amendments to the 2015 CISA statute to address new risks cost virtually nothing.

The PIVOTT Act essentially creates a virtual national cybersecurity academy to fill the large gaps in cyber professionals that the government is currently filling with high-priced independent contractors. The lower salaries of the graduates will offset the cost of the government-paid tuition.

The development of a macroeconomic model, so that we could begin to assess cyber risk the way we assess other major risks, would probably cost around 1 million dollars – easily paid for by the savings from eliminating duplicative cyber regulations.

Subsequent postings will develop each of these priorities in more detail, along the lines of the explanation in the document provided to the government.

As audacious as it may sound, this is a realistically doable program that would create a zero-cost (net) pathway to American cybersecurity.

Read the Report: ISA ONCD Recommendations