The COVID-19 crisis reveals the inadequacy of the prevailing “operational” approach to cybersecurity and provides an opportunity for government and businesses alike to take cost-effective steps toward a cyber strategy rooted in risk management, says Larry Clinton, president of the Internet Security Alliance.
That should include developing systems to track and prosecute cyber crime, establishing legal structures to better enable international action — including in concert with China and Russia — and providing more resources at home for the Cybersecurity and Infrastructure Security Agency and the U.S. government overall, Clinton said.
“We’ve seen the largest and most dramatic shift in work ever,” Clinton told Inside Cybersecurity, noting that 80 percent of the workforce — up from 20 percent — “went to work-at-home overnight.” It was a completely unplanned event, he said, and exposed technical problems but more importantly, problems related to strategic risk management.
“CISA is pedaling as fast as it can, like everybody,” Clinton said. “Nobody knew this was coming, but it may indicate broader issues to address. … Step back from the immediacy of the crisis and you see we haven’t paid attention to systemic risk. Almost all the attention is on operational risk.”
Clinton said there has been work in the financial sector on systemic risk, but little elsewhere throughout critical infrastructure sectors.
“This is what we see with COVID-19 — this is systemic and worldwide,” Clinton said. “When you look at cybersecurity that way, you see we haven’t done nearly enough. This is where CISA, with appropriate funding, should be looking.”
Clinton said, “How we look at cybersecurity systematically right now is rudimentary. What happens if they take down the grid — that isn’t going to happen, there’s no economic incentive [for capable adversaries] to do that. The systemic threats are much more subtle and even nonstate actors are getting the tools” to inflict significant damage.
“I’m not criticizing CISA,” Clinton stressed, “but look at the government as a whole, we’re not funding nearly enough on cybersecurity. We prosecute 1 percent of cyber crime — which costs [the global economy] $1 trillion a year. The effort to rein it in is minuscule.”
Clinton called for developing an international system for “appropriate law enforcement” that includes Russia and China, while pointing out by comparison the nuclear arms deals reached by the United States and Soviet Union even during the Cold War.
“The Chinese have technology of their own that they don’t want stolen,” he said. “We should develop a nonproliferation pact with the Russians and the Chinese on intellectual property, cyber weapons and other issues. We should segment our goals and not hold up agreements over issues we can’t agree on.”
At the federal level in the United States, Clinton called for “vastly increased funding,” but cautioned, “The current crisis highlights that we’ve had too narrow thinking on cyber, it’s been too operational.”
He said CISA and its director, Christopher Krebs, are “interested in these approaches” with a more strategic, risk-management foundation, which also received a boost in the recommendations of the Cyberspace Solarium Commission. The commission called for a new social contract around cyber that tracks with a similar call from the Internet Security Alliance.
“People are listening, but it’s not happening fast enough. There’s a lot of activity but still not much progress,” Clinton observed.
Tangible steps that are cost-effective
While Clinton stressed the need for devoting more government resources to cybersecurity, he said significant improvements in cybersecurity are possible without “dramatic increases in spending” by either the government or private sector.
“We need more law enforcement personnel but a bunch of these things don’t require dramatic increases” in spending, Clinton said. For instance, “it would cost pennies to assess the [National Institute of Standards and Technology] cybersecurity framework for effectiveness and then provide incentives for small and mid-sized businesses to adopt proven techniques. If you study the NIST framework and identify 10 or 20 cost-effective things, small businesses will do those things!”
Business wants metrics, Clinton stressed, revealing how much security measures will cost and how much improvement they will deliver.
“If you do this, you’ll find important things that are cost-effective, and you’ll find things that are very important but not cost-effective for businesses. And that’s where we can identify incentives to cover the gap,” Clinton said.
The ISA recently weighed in with the Department of Homeland Security on private sector priorities — including on cybersecurity — for the next 30-, 60- and 90-day intervals during the COVID-19 crisis.
“Due to the near-immediate switch to unplanned online business, most managers have no idea how to run their operations using remote workforce and online tools in a secure fashion,” the ISA said in the submission to DHS. “The federal government needs to provide immediate managerial best practices on a ubiquitous basis to contain the cyber risk from growing exponentially.”
The Internet Security Alliance serves as a thought leader on cyber issues and its “sponsors represent some of the largest companies in the world … primarily chief information security officers of Fortune 100 firms.”