Mayorkas Vision: 2020 – Implementation, pretty retro

April 2, 2021

This post is one in the “Rethink Cybersecurity” series.

New Homeland Security Secretary Alejandro Mayorkas outlined his vision for cybersecurity at the Department of Homeland Security in a speech yesterday at Hampton College. 

The principles the Secretary laid out to define his vision were quite encouraging for those of us who understand that we are getting beaten badly in the race to secure cyberspace.

In summary, the Secretary’s main points were:

  1. We need to understand cybersecurity in a broad geo-political context.
  2. We must fundamentally shift our perspective on the issue, prioritizing investment and better preparing the federal government.
  3. Focus on a risk-based approach to cybersecurity.
  4. Strengthen collaboration with the private sector.
  5. Integrate diversity into our workforce development efforts. 

Unfortunately, there was little in the balance of the speech that suggested these visionary principles were going to translate into programs that recognize the seriousness of our current situation and the need for the Secretary’s principles to be aggressively followed.

For example, the first question the Secretary received was a real softball: What are the biggest challenges we face in achieving cybersecurity?

The Secretary’s answer? “Knowledge – information. Information and following the basics with CISA as the quarterback.”

Aside from the reference to the new operational arm, the Cybersecurity and Infrastructure Security Agency (CISA), it’s hard to think of a more retro 1990s answer than information sharing and following the basics.

Sure, information sharing and following good cyber hygiene (whatever that means) are good ideas and yes, we have issues with them still – but the imperfections in these tactics are far from our biggest obstacles.

I truly wish it were that easy.  I’m a little troubled that the new Secretary thinks these are our biggest problems. I guess, more than a little.

I feel quite confident companies like Microsoft and CrowdStrike have state-of-the-art knowledge of cyber systems, do an exemplary job sharing information and are pretty conscientious about cyber hygiene. Yet they were victimized for a long time by SolarWinds.

I’m a little less sure the numerous federal agencies who were also compromised are quite as knowledgeable and practice good cyber hygiene but suspect at least several of them do, and yet they, too, were compromised.

Poor information sharing and bad cyber hygiene are not what is causing even our best companies and best federal agencies to be compromised in ways we still don’t even fully understand.

Just off the top of my head I can think of five far bigger obstacles to achieving cybersecurity:

  1. We have an inherently vulnerable cyber system (getting more vulnerable all the time) and it contains immensely valuable data – hence it’s a ripe target for attack.
  2. All the economic incentives in cybersecurity favor the attacker. Attacks are relatively cheap and easy to acquire, and attackers have a great business model, massive available capital, and first-mover advantage. Defenders are defending a vulnerable system, it’s hard to show return on investment to prevention, and we get almost zero help from law enforcement – we prosecute less than 1 percent of cybercriminals.
  3. We don’t have a digital (let alone cybersecurity) strategy even close to equivalent to that of our adversaries (see below for some details).
  4. Our government has so far totally failed to appreciate the gravity of the problem as measured by the fact that they have come nowhere near to adequately funding cybersecurity.
  5. Quite apart from the lack of adequate federal funding, there seems to still be no understanding of the convoluted economics of the digital age, its role in causing our cyber insecurity, and the need to coordinate critical infrastructure’s (appropriate) commercial-level cybersecurity funding, with our unrealistic expectations that they will provide national security-level defense.

Now those are some real obstacles to cybersecurity.

However, the Secretary is absolutely correct in his first two principles, which interact. We absolutely need to understand cybersecurity in its geo-political aspects and fundamentally shift our perspective on the issue, including stimulating adequate investment within and without.

You know who does that? China.

As we have detailed fairly extensively in this space previously, China has a comprehensive digital strategy; in fact, it has had one for years. It’s called the Digital Silk Road (only part of a far larger strategy known as the Belt and Road Initiative), and it is immensely successful from a geo-political perspective. In their new five-year plan, released a few weeks ago, China announced that they plan to spend $1.4 trillion on this digital strategy over the next five years, increasing it about 7 percent a year, which is more than they will increase their military spending.

The Chinese are essentially running a digital Marshall Plan in Asia, Europe, Africa, and Latin America, and there is compelling evidence that they are having great success moving toward their goal to replace the United States as the world’s dominant power – and they are doing quite well.

In the US, at best, our cybersecurity spending over the next five years will moderately exceed $100 billion (half of which will go to the Department of Defense). The DHS cyber budget is a little over $1 billion – the FBI’s cybercrime budget about half of that.

We are not going to defeat the kind of adversaries we are facing – and btw there are several others we need to consider (Russia, Iran, North Korea, the vast cybercrime syndicate) – if we believe our biggest problems are information sharing and incomplete cyber hygiene.

The Secretary is also quite right that we need to prioritize investment, in his words, “both inside and outside.” I take it “outside” refers to the private sector, and he is correct about the need for strategic collaboration with the private sector.

Again, look to China, arguably our principal adversary, and the Huawei example. Just a few years ago, Huawei was a modest maker of telephone switches. Today it is the largest telecommunications manufacturer in the world, and one of the best. Huawei’s 5G technology is better in most respects than any Western provider’s. How did this happen? Massive government support which saw Huawei as a national asset that merited its support in the public interest.

And Huawei is just the tip of the iceberg. Alibaba, Tencent, China Telecom, and others are similarly competing unfairly in free markets. There is not enough space here to detail all this (although we have done so in a series of earlier posts available at isalliance.org).

The point is not that we ought to emulate China’s digital strategy – certainly not. But the point is we do need to have a real digital strategy and it needs to do far more than list a series of tactics like standard setting, information sharing, and awareness programs. We need a true comprehensive, integrated digital strategy that embraces free market democratic ideals.

Often when I make these arguments, people respond by saying, you know, it’s much easier for China to do this since they have an authoritarian, centralized state. That’s true. A centralized government-controlled system has efficiencies and we shouldn’t try to copy that.

But we have advantages too.  To begin with we have a much larger economy – much larger if we count western Europe with us. We also have a hundred years of alignments, whereas China isn’t particularly popular, even with its nearest neighbors like Japan and South Korea. And, perhaps most of all, we have a dynamic free market entrepreneurial system that embraces change and innovation.  That is precisely the sort of system that ought to be a perfect fit to compete effectively in the digital age.

We can do this but, as Secretary Mayorkas said, we need to shift our mindset – a lot. We need to rethink our whole approach to cybersecurity. We can do this, but we do have to get started and think beyond info sharing and hygiene.
