LESSONS PRIVATE SECTOR CAN TEACH THE GOVERNMENT ON FIGHTING CYBERCRIME

October 6, 2023

Introduction by Larry Clinton

As we have documented past blogs (LINK, LINK), we are fighting an uphill battle against increasingly sophisticated cybercriminals. In fact the new national strategy to secure cyber space essentially says that only the most sophisticated private companies have any hope of preventing cyber-attacks.  This means we must increasingly rely on our law enforcement systems to protect us.

 Unfortunately, in an era when cybercriminals use advanced technology to achieve heightened efficiency and effectiveness, US law enforcement still operates with a disparate and often uncoordinated law enforcement structure rooted in a twentieth-century model. This antiquated organizational structure lacks the agility to keep up with the best cyber criminals – let alone catch them. As a result we successfully prosecute less than 1% of cyber criminals.

Our cyber law enforcement needs a systems update. There is a massive organizational disharmony resulting from government’s failure to engage in the sort of digital transformation that has characterized the private sector over the past 20 years. The prevailing landscape features a multitude of government bodies competing for enforcement responsibilities, leading to redundant projects, misallocation of funds, and jurisdictional ambiguity including the DOJ, SEC, DHS, FBI, ICE, Treasury, USPS, and USAID as well as state and local agencies. Our outdated organizational structure effectively acts as a roadblock to improving vitally needed operational collaboration.

Perhaps surprisingly (maybe not that surprising) government can learn from private sector efforts to address cyber crime and likely increase their own effectiveness. Leading private entities – facing similar stress in attempting to maximize scarce resources to fight cybercrime – have found success in adopting agile management practices. Successful implementation of agile management systems reduce redundancy while increasing efficiency and effectiveness. For example, agile organizational structures have been adopted by several major financial institutions specifically for their own cyber-crime prevention and response divisions – some of which are larger than the FBI’s similar offices. 

In its study of organizations using agile principles, McKinsey found that the successful entities “regularly evaluate the progress of initiatives and decide whether to ramp them up or shut them down.” This aspect of agile organizations can enhance the efficiency and cost-effectiveness of cyber programs and is a fundamental element of good cyber risk management practiced by the private sector that should be adopted by the public sector.

Research by McKinsey also found that “as criminal transgressions in the financial sector become more sophisticated and break through traditional boundaries, banks are watching their various risk functions become more costly and less effective. Leaders are therefore rethinking their approaches to take advantage of synergies. Most forward-thinking institutions are working toward integration, creating, in stages, a more unified model across domains based on common processes, tools and analytics.” This research showed that these organizational innovations can improve the efficiency and effectiveness of anti-cybercrime efforts. 

The McKinsey research describes several models that can be used, based on the size and sophistication of the financial institution, to move through stages of integration based on the institution’s unique circumstances. It notes that many financial institutions are integrating previously disparate criminal divisions to leverage better use of modern analytics and stimulate increased teamwork to fight cybercrime. The existence of multiple models is convenient as law enforcement organizations also have a variety of structures and can adapt the private sector model that most closely replicates their unique situation.

McKinsey noted a leading US bank that that had multiple operations addressing various cybercrimes and reformed to set up a holistic cybercrime “center of excellence.” McKinsey found the reform generated “significant efficiency gains,” The research identified another major institution went “all the way,” combining all their operations related to financial crimes and reducing operating costs by approximately $100 million. The study found such a saving in efficiency if applied to the FBI’s 2022 budget would be the equivalent of a roughly 20 percent increase. If we are struggling to adequately fund cyber law enforcement budgets (and we are), then we need to innovate to make the few resources we do have maximally efficient. Part of that innovation is government abandoning. Its current “not invented here” mindset and adapt the successful models industry is using on its own public facing cybercrime systems.