Larry Clinton’s Statement to U.S. Senate Committee on Commerce, Science, and Transportation

March 22, 2017

CYBERSECURITY IS NOT AN “IT” ISSUE. TO ADDRESS IT EFFECTIVELY WE NEED TO LOOK AT CYBERSECURITY AS AN ECONOMICS ISSUE

Expecting technology to provide the answer to our cybersecurity problems would be a perilous course. A more promising path would be to understand the true nature of the cyber threat and take a more enterprise-wide approach to addressing it.

Two months ago, the National Association of Corporate Directors (NACD) released the second edition of its Cyber-Risk Handbook, the only private sector cybersecurity document ever endorsed by both the departments of Homeland Security and Justice.

The very first principle of the NACD Cyber Risk Handbook is that cybersecurity is not an information technology issue. While it has a substantial technological component, cybersecurity is an enterprise-wide risk-management issue.

Information technology is only the pathway for cyberattacks – the “how” of cyberattacks.

If we are to address the cybersecurity issue in a long-term, sustainable fashion, we need to address not only the “how” of cybersecurity but also the “why” of cybersecurity: the reasons that attacks occur.

From the private sector perspective (the core of the Commerce Committee’s jurisdiction), the reason cyberattacks continue to occur is the unbalanced nature of digital economics.

The basic equation of cybersecurity economics is this. Cyberattack methods are easy and cheap to access, they can generate enormous profits – in the hundreds of billions of dollars – and the business plan for the attackers is secure and sustainable as attackers reinvest in their enterprise to become ever more sophisticated and effective.

On the security side, cyber defense must protect an inherently insecure system that is growing technologically weaker with the explosion of mobile devices and the Internet of Things. We are almost inherently a generation behind the attackers, and our laws and regulations are not well suited to address international and often state-sponsored digital threats. Moreover, the government mandates being piled on the private sector are often counterproductive. Finally, there is virtually no effective law enforcement. We successfully prosecute less than 2 percent of cyber criminals.

So long as we continue to try to address the cybersecurity issue from a techno-centric perspective and ignore the fundamental economics that are driving the problem, we are destined to continue to fail badly.

To effectively address this issue, we must frame it differently. The problem is not that the technology is bad. Modern technology is nothing short of amazing.

The problem is that the technology is under attack. And the reason the technology is under attack is because all the economic incentives favor the attackers.

That is a fundamentally different problem that demands a fundamentally different set of solutions.

Within the private sector, we have begun to address the issue from a broader risk-management perspective that includes technology but places it in the context of the overall enterprise operation, not at the center of it. We are already seeing positive results.