PRESS RELEASE
January 7, 2016 – FOR IMMEDIATE RELEASE: Washington, DC
CONTACT: LARRY CLINTON 202-236-0001 or lclinton@isalliance.org)
ISA TELLS CONGRESS WHAT GOVERNMENT SHOULD LEARN ABOUT CYBER SECURITY
In testimony to be delivered Friday, Internet Security Alliance President Larry Clinton will provide the Congress with a “top-ten” list of things the federal government can learn from the private sector about providing better cyber security. (For a copy of the testimony, contact tdoucet@isalliance.org Hearing website: https://science.house.gov/legislation/hearings/research-and-technology-subcommittee-and-oversight- subcommittee-hearing-cyber )
“Congress is not investing nearly enough in promoting cyber security,” according to Clinton “and what it is doing it is not doing nearly fast enough to keep up with a threat moving at the speed of light,”
Clinton noted that federal spending is increasing on cyber security but about half of that goes to DoD leaving the federal non-defense spending at about 7 $ billion compared to the private sector which is spending well over
$100 billion annually. In addition Clinton noted that private sector spending is increasing at about 24% a year compared to the federal government’s 11%.
“I know of 2 banks with a combined 2016 cyber security budget of $1.25 billion. DHS spending –to cover all the federal non-defense efforts and critical infrastructure is less than $1 billion on cyber security –about 75% of what 2 banks spend.”
Clinton also urged government to pick up the pace of its policy efforts. “It took us six years to pass a modest information sharing bill. Moreover, there has been almost no work done on the top recommendations in the 2012 House GOP Task Force Report, the NIST Framework has never been evaluated for cost effectiveness and the Administration has never come forth with an incentives policy despite the fact that is was called for in the Presidents 2013 EO and 2014 NIPP update.”
Additionally Clinton suggested Congress, and other senior government officials should take a page from the National Association of Corporate Directors which has launched an aggressive effort to educate corporate boards about cyber security. “We need an education program for the government equivalents of the corporate boards,” said Clinton. PriceWaterhouse recently documented that the NACD effort resulted in increased budgets, better coordination and improved risk management. “If we can educate senior government leaders as we are educating senior corporate leaders we’d get better policy.”
Clinton also cited research that showed that when federal agencies are compared to the private sector the government comes in “dead last” in terms of fixing cyber security vulnerabilities and following appropriate standards. Citing recent GAO testimony Clinton noted that government agencies tend to use a “policy-based” approach which amounts to a check list against a pre-determined set of regulations. In contrast, the private sector tends to use a risk management approach which looks first at how adversaries are most likely to attack and then devises strategies to combat that.
“Government needs to become more sophisticated, more innovative and act with greater commitment and urgency or things are going to get much worse for cyber security very fast,” said Clinton.
The Internet Security Alliance (ISA) is a unique multi-sector trade association, which provides thought leadership and strong public policy advocacy as well as business and technical services to its membership. The ISA represents enterprises from the aviation, banking, communications, defense, education, financial services, insurance, manufacturing, security, and technology industries.