ISA’S CLINTON: GDPR SHOWS “FUNDAMENTAL MISUNDERSTANDING” OF CYBER PROBLEM

November 18, 2019

The Internet Security Alliance’s President Larry Clinton suggested that one of the main reasons we are not making much progress in securing cyberspace is that we are “focused on the wrong problem.” Clinton used the European Union’s General Data Protection Regulation (GDPR) as an example, claiming it represented a fundamental misunderstanding of the essence of the cybersecurity problem and would most likely be counter-productive by increasing the adversarial relationship between business and government. According to Clinton, the two sides need to be “working together – really working together.”

Clinton made the comments while delivering a keynote address to the XVI International Professional Conference on Good Corporate Governance, which opened today in Madrid, Spain.
Clinton, who has twice been named to the “Corporate 100,” which represents the most influential people in the world of corporate governance, also used his speech to point to more productive international efforts on cybersecurity. One such effort he cited is the government-industry collaboration on developing a “top-down” risk management framework to address cybersecurity. This framework is being articulated through a series of Cyber Risk Handbooks that have been developed by a range of industry associations and have also been embraced by governmental entities including the U.S. Department of Homeland Security, the Department of Justice, Germany’s Federal Office for Information Security (BSI) and the Organization of American States. Clinton announced that ISA and the European Confederation of Directors Associations would be releasing their handbook early in 2020, and similar efforts are underway in Japan and will soon be announced in India.

Clinton cited GDPR as an opposite and less helpful approach. “The fundamental assumption of GDPR is that the core problem with the loss of private data is that corporations don’t care enough and they must be threatened with wildly unrealistic fines. In point of fact, government agencies are not doing any better in protecting their systems from cyber-attack than are most companies. The real problem is not that we – either industry or government – don’t care; it’s that we have invaluable data being protected by an inherently vulnerable system – the open Internet. In addition, all the economic incentives currently favor the attackers. Attacks are cheap, easy and profitable, while defense is defending an open system, is almost always forced to be reactive, and there is virtually no law enforcement.”

“Not only is government not doing any better than industry regarding cyber defense but there is a good argument that government has failed in the cyber fight far worse than industry since they are completely failing in terms of one of their most core responsibilities – we prosecute maybe 1 percent of cyber criminals,” Clinton said.

“If we look at the issue more realistically, what we need to realize – what we know for certain – is that cyber attackers, both nation state and criminal, are attacking all of us. They are stealing private data from individuals, intellectual property from corporations and national secrets from government. This is not like Enron or Volkswagen, which were cases of corporate malfeasance. We are all on the same side in the cybersecurity fight. We need to fundamentally rethink our corporate structures – which is happening – but we also need to rethink our government-industry relationships and create a new Cybersecurity Social Contract,” Clinton said. “We need to be working together – really working together.”