ISA’s Clinton: Government shift to risk management is positive, but must accelerate

November 15, 2019

The federal government is gradually shifting to a “risk management” approach to cyber — epitomized by the creation of CISA and its National Risk Management Center last year — but that effort lags behind the private-sector’s embrace of “sophisticated” tools and must accelerate rapidly, says Larry Clinton, head of the industry-based Internet Security Alliance.

“We are losing the battle to secure cyberspace and losing it big,” Clinton said in an interview with Inside Cybersecurity. “The [Cybersecurity and Infrastructure Security Agency] team has done a good job — I just want them to be able to move faster with many more resources.”

But looking at the nation’s overall cybersecurity picture, Clinton said, “The headline every day should be, ‘We’re Still Losing.’”

On the private-sector side, Clinton highlighted training and certification programs, his group’s collaboration with the National Association of Corporate Directors and international counterparts on a popular cyber handbook, and tools like the FAIR Institute’s risk assessment model.

“Thousands of companies are adopting this,” Clinton said, while major insurers are incorporating “sophisticated risk assessment into underwriting.”

Clinton said “50-60 percent” of ISA’s work is now “outside the Beltway,” commenting, “Corporate boards are more activated than government. … We’re seeing substantial progress outside the Beltway in adopting sophisticated approaches” to cyber.

He said the NACD cyber handbook is that group’s single most popular document, and is currently publishing its third edition. Related handbooks have been published in six languages on four continents, Clinton said.

But, he said, regulatory compliance and cyber “check lists” still typically “eat up 30-40 percent of company’s cybersecurity resources.”

On the other hand, Clinton said, “there’s progress taking place without government mandates. The private sector is creating and adopting these tools and methods without government regulation or mandates.”

On the government side

As for the federal government, Clinton called CISA’s work “a bright spot in the government space,” and said the agency “has remained largely immune from the broader political issues” affecting the Department of Homeland Security, including the ongoing absence of a Senate-confirmed secretary.

“I’m a big fan of [CISA’s] Chris Krebs, Jeanette Manfra and Bob Kolasky,” Clinton said, pointing to the CISA director, assistant director for cyber, and head of the National Risk Management Center, respectively.

With his extensive international work in mind, Clinton said the U.S. government’s approach — along with that of Germany — “are head and shoulders above the field. They are very good, very collaborative,” especially compared to many other nations’ efforts, he said.

But Clinton offered a few recommendations for U.S. policymakers that he said would have major positive repercussions if implemented.

“Number one,” Clinton said, “I would love to see [the White House Office of Management and Budget] issue an order to streamline cyber-related regulations. This is strictly a government problem that government could fix. That would be an enormous help.”

Second, he said, move forward on developing incentives for companies to improve cybersecurity and finally implement such polices, as called for by a diverse set of players ranging from a House Republican task force on cyber to President Obama in Executive Order 13636.

“We need to create a menu of incentives that bridges the gap between corporate cybersecurity and national cybersecurity when it comes to protecting critical infrastructure,” Clinton said. “Government and industry assess risks in different ways and the private sector has a higher tolerance for risk than the government does.”

Clinton has been pounding on this point for years and he said he’s engaged even now with various policymakers and “some of the newer members of Congress” to rally interest in developing a cyber incentives program. He suggested that Congress “at the very least could fund studies on how to create a viable incentives structure.”

If policymakers can advance work on incentives “to align” government and industry on cybersecurity objectives, and work to streamline cyber rules, “that would be progress,” Clinton said.

However, the move to risk management isn’t uniform across government, Clinton said, and he recently criticized the Pentagon’s new Cybersecurity Maturity Model Certification program for contractors. In the interview he said, “We should not launch a massive, expensive program while unaware of any evidence that it’s likely to work.”

He said the proposed CMMC “could drive smaller suppliers from the market” and called for testing it for a year before implementing the program. Clinton made a similar proposal during the 2013-14 development of the National Institute of Standards and Technology’s framework of cybersecurity standards, which NIST didn’t take up.

Almost six years after its release, he called the NIST framework “still untested — I still don’t know what it means to say it works.”

Clinton concluded by saying, “The U.S. government and U.S. industry are well ahead of the rest of the world. There is a slowly growing recognition that this is a risk management issue more than an operational technology issue. The recognition has increased substantially and there are structural changes like the creation of CISA and the risk management center, which is all to the good.”

However, Clinton said, “the observation ISA would make is it isn’t happening fast enough. We’re still not seeing adoption of a risk management approach in a real sense — by which I mean constructing a completely different model for cybersecurity rather than fiddling with the command and control system that’s clearly not working.” 

| Inside Cybersecurity: ISA's Clinton: Government shift to risk management is positive, but must accelerate