December 14, 2020

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.

At this week’s MIT Star conference, we were asked where we need to go in cybersecurity (see previous post) and then how we are doing on a scale of 1-10.

I was the optimist: I said I could stretch to a 1.5 out of 10. My fellow panelist Mark Montgomery, Executive Director of the Congressional Solarium Commission, wasn’t as generous. He said it’s just a 1 out of 10. No argument from me.

One of the things we desperately need to do is cut back on the happy talk about all our accomplishments in cybersecurity.

At “cyber events” the typical presentations are from vendors who all have whiz-bang new products and policymakers who all report on various programs that are underway. When I go out into the audience – and talk to non-cyber people like board members – they tell me, “well, sounds like you guys have this under control.”

Nothing could be further from the truth. We are getting killed out there.

We have been trying to enhance our cybersecurity for a quarter century and we are not making progress. In fact, we are losing ground very quickly.

This isn’t because people aren’t trying, and it isn’t because we haven’t done some good things – we have.

But the bad guys are getting much better and we are not being adequately responsive.

Take cybercrime. CSIS issued a report this week finding that cyber-crime is a $1 trillion a year drag on the economy. At the G-20 Digital Economic Security meeting earlier this year, the World Economic Forum reported on a study by Cybersecurity Ventures that found that cybercrime globally is a $2 trillion a year problem and will rise to $6 trillion in two years.

If we thought of the cyber criminals as a nation at $2 trillion, they would qualify as a member of the G-10 – slightly larger than the UK in revenues, and the criminals are probably better organized than the UK.

And these are conservative estimates. Cybercrime Magazine estimates that cybercrime will grow to $10.5 trillion by 2025.

What are we doing to stop it? We successfully prosecute half of 1 percent of cyber criminals. That number is actually down from estimates five years ago, when we were prosecuting a full 1 percent of cyber criminals – mostly because there are now so many more criminals.

Our efforts to stop cybercrime are comparatively minimal. The FBI’s total budget for cybercrime is $450 million – 450 million to address a $2-10 trillion criminal enterprise. It can’t be done – and it’s not law enforcement’s fault. We are not properly equipping them.

And it’s not just cybercrime spending. We have known for over a decade that we don’t have a truly functional international legal structure to trace, extradite, and develop evidence. The laws have simply not been updated to the digital age – and there doesn’t seem to be much work progressing in this area.

Domestically we have major problems with overlapping turf battles, and many in the private sector have given up on truly getting law enforcement help.

Jack B. Blount, president and CEO at INTRUSION, Inc., noted in a recent Cybercrime Magazine story that “We ought not miss the broader implications of the power of the cybercriminal nation. Cybercriminals know they can hold businesses — and our economy — hostage through breaches, ransomware, denial of service attacks and more. This is cyberwarfare, and we need to shift our mindset around cybersecurity in order to protect against it.”

And that’s just crime. We have bigger cyber/digital problems when we put things in the bigger geo-political context.

China’s digital strategy has been far more aggressive and sophisticated than ours. Over a decade ago China initiated a sophisticated and coordinated effort to enhance its place in the world, largely through economic leverage. China’s Belt and Road Initiative, coupled with its Digital Silk Road strategy, is essentially a digital Marshall Plan. By implementing its sophisticated digital – not just cybersecurity – strategy, China has gained substantial – and growing – prominence vs. the post-WWII US-based world order.

For example, largely based on massive state economic support, China turned Huawei from a small telephone switch manufacturer into the world’s largest telecommunications provider in just a few years. One result of this is that Huawei is now the world leader in the development and deployment of cutting-edge 5G technology.

They have been going around the world competing for telecommunications contracts with the benefit of massive cross-subsidization from the Chinese government and essentially making countries offers they couldn’t refuse – low-interest loans, advance funding, and high-quality technology at prices subsidized by the Chinese government. Chinese firms are now the dominant provider of 5G in Europe, Asia, Africa, and Latin America. These systems are full of technological backdoors enabling espionage, and the Chinese firms are required by law to assist the government in espionage by accessing these systems.

There is a great deal of talk inside the beltway about the threat, China, and 5G, and in many ways that fight is over – we lost. Chinese technology is now already embedded in at least 30 percent of telecommunications infrastructure around the world.

And we shouldn’t get deceived by the UK’s minimal “commitment” to stop using Chinese systems – a commitment that has not been echoed by the rest of the EU’s major players. Basically all the UK has said is that when they next upgrade their system – in 7 years – they won’t use Huawei. Not too much help there.

Ericsson and Nokia, the only other major providers of 5G (there are no US suppliers), do not have the capacity to fill the 5G gap. Even if they were up to the task, it would be economically unfeasible for most countries to rip out the Chinese tech and replace it with western tech. In most of these nations’ telecommunications systems, the 3G and 4G systems are already Chinese and the 5G will be built on top of that. There is no practical way for them to rip and replace these networks – especially as they try to restore their economies in the face of the pandemic.

And Huawei is just the tip of the spear – and I don’t even care about TikTok – I’m worried about Alibaba, Tencent and Baidu, as well as China Telecom and China Mobile.

The Eurasia Group’s 2020 Report on Expanding China’s Digital Footprint found that

“A key thrust of the DSR is to ensure that leading Chinese platform players such as Alibaba, Tencent, and Baidu – as well as Huawei — and state-backed telecom carriers such as China Mobile, China Telecom and China Unicom can take advantage of the DSR umbrella and market access provided by BRI projects to compete in emerging markets with leading US companies in so called over the top services …including smart cities, cloud services, mobile payments and social media applications, and eventually include technologies such as AI, autonomous vehicles and internet of things technologies and services.”

Cybersecurity begins with risk assessment. When we assess the risks to our nation and our position in the world, we are far worse off than most people think.

In answer to MIT’s question: How are we doing? Not so good.

Tomorrow’s question: What, specifically, do we need to be doing?
