December 15, 2020

This post is a one in the “Rethink Cybersecurity” series. Additional posts in this series are available here

There are actually many lessons to be learned from the largest and most sophisticated cyber-attack to date reported in the New York Times Sunday, but perhaps the most basic is that what we are doing now to protect ourselves in cyberspace isn’t working. We need to rethink our approach to cybersecurity.

This is not to demean in any way the work of the many many dedicated public servants, and many more academic and private sector personnel who are working hard on this issue. The point is that this community is not getting the support it needs.

To be fair, some of the problem may lie in the cybersecurity community not adequately communicating the nature and severity of the problem. We have a cybersecurity “branding” issue that under play’s the true nature of the threat

To many outside the cyber community cyber-attacks are “just” an IT issue.

Of course, it is an IT issue – but not “just” and IT issue.

Another branding problem is that too many hear that all you have to do to be secure is follow a few basics.

Of course, you do have to follow the basics, but that isn’t “all” you have to do.  Not to be protected from sophisticated threats of the sort we have just been made aware of.

We need to start by doing away with all the happy talk about what a great job we are doing.

If one goes to any one of the multiple conferences on cybersecurity that take place seemingly every day and everywhere you will hear a parade of government officials outlining  the “aggressive” programs they are instituting to protect cyberspace.  This is followed by a legion of vendors all of whom seem to have found the answer to securing cyber systems which they are ready to provide to anyone really interested in security.

I’ve made it a point recently to go out into the audiences – assuming it’s not full of cyber practitioners all of whom know better – and gauging the impressions of the non-cyber attendees.  All too often I’ve heard comments like “sounds like you guys have gone to this under control.”

No, we don’t. Not by a long shot.

To begin, we need to be more candid with ourselves and “manage up” to get the support we need to truly be competitive in securing cyberspace from attackers.  What does that mean?

Follow the money.

It’s the economy, stupid.


  • CSIS estimates cybercrime is a $1 trillion drag on the economy. The World Economic Forum, citing research from Cybersecurity Ventures, estimates cybercrime costs $2 trillion a year. Cybercrime Magazine estimates the costs of cybercrime will be $10.5 trillion by 2025
  • The FBI’s 2020 cyber budget is approximately $450 million
  • The Chinese Digital Silk Road Initiative – which is a soft power global cyber offensive – is a $1 trillion dollar program
  • DHS’ cyber budget of around $1 billion
  • Jim Lewis at the Center for Strategic and International Studies estimates China is currently outspending the US on advanced technology by 1000:1
  • Current White House budget on education for fiscal 2021 has been decreased to a total of $66 billion – with only $90 million of that being invested in STEM
  • Five years ago, we had hundreds of thousands of cybersecurity jobs going unfulfilled, now we have millions of them

In previous posts we have shared numerous similar disparities documenting our underwhelming efforts at cybersecurity.  We can and need to do more and better.

However, we need to do more than just throw money at the problem — although that typical dismissive should not be used to side-step the massive funding issue we face in this area.

We also need serious structural reform. The National Defense Authorization Act, which passed last week with veto-proof majorities in both chambers of Congress, takes some very helpful initial steps toward government reorganization with the creation of a Cybersecurity Director in the White House and an Office in the White House charged with developing a serious plan for resilience in case of a cyber-attack of significant consequence.

While these are good steps, they are not enough.  For example, I doubt the very serious attacks we have just experienced would qualify as attacks of national significance.

Again, we have a branding issue.  Serious cyber-attacks not confined to ones that might dismantle our telecommunications networks or take down the power grid.  These could be considered “acute” attacks. But we are experiencing a constant barrage of chronic attacks throughout our cybercasters.

The Continuity of the Economy office in the NDAA needs to be expanded to create an Office of Digital Security Strategy.  This entity would be charged with doing the same vital exercise in government that virtually every private sector organization has already gone through – digital transformation.

We need to rethink the – primarily rhetorical – public-private partnership and develop more fulsome and supported partnerships that will be competitive with what the criminals and nation-states like China are doing to us.

There are numerous models for serious public-private consortiums that can be created dating back to the New Deal, but also including the initial NASA program that led to the moon landing and Sema-Tech which helped us overcome the computer chip deficit we had in the 1980s with Japan.

Join the Rethink Cybersecurity Community click here