April 16, 2021

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.

We were delighted to see this week that the seventh annual Munich Security Conference – arguably one of the most prominent, if not the most prominent, events in the world – has adopted the theme of the ISA social media program – #RethinkCybersecurity – as the conference theme.

As the conference website proclaims correctly, the conference will “explore the immensely complex threat landscape fueled by growing management complexity, a lack of oversight, and resource scarcity. In this sophisticated threat environment traditional tactics are failing and need to be reconsidered.”

We couldn’t have said it better ourselves – and we have been trying in this space for the past 4 months.


The notion that we desperately need to rethink our approach is catching on, which is very encouraging. As we noted last week, the Acting Director of the Cybersecurity and Infrastructure Security Agency, Brandon Wales, as well as the Chair of the House Subcommittee on Cybersecurity, Rep. Yvette Clarke, have both made this observation – i.e., we need to rethink our approach to cybersecurity – in recent weeks. The fact that the Munich Security Conference, which typically features the leading European Union government figures, will be centered on this idea is hopeful.

I say hopeful instead of encouraging because it’s an open question as to whether the government speakers will truly follow the theme. I naturally have attended many cybersecurity conferences that feature government speakers and have observed a strong tendency for them to recite all the programs they have undertaken to address the cybersecurity problem.

That is perhaps understandable as they are often elected, and they want people to know they are on the job. However, the problem is they can be too convincing, especially if they are not talking to a cybersecurity expert audience.

At ISA we do a good deal of work with corporate boards and attend many board-level events. I’m disturbed that after many government presentations the directors come away thinking “OK, I guess you guys have a handle on this problem, so I can focus on other issues.” And of course, that is incorrect. In reality, we are getting killed in cyberspace. The bad guys are winning, and we need to make sure the public understands that.

That’s the point of the “Rethink” agenda. Like an alcoholic, we must begin by realizing we have a problem.

Reassuring people that “we are on top of this” is wrong and counterproductive. I am hopeful that the many government speakers at this extremely high-profile conference will take the theme seriously and realize what we are doing is not working. We need to reassess, rethink, and redirect.


While trying to remain hopeful, I have a nagging fear that many – especially my European friends – will “rethink” by regulating more strenuously. Given the existence of the General Data Protection Regulation and its outrageous penalty system, it’s hard to conceive how they could regulate more strenuously… but these are very creative people, so I’m fearful.

Again, the conference wisely encourages that “more than ever, private and public entities need to reshape their focus on cybersecurity and find new models and strategies to collectively mitigate cyber risk.” Again, well said.

We have previously detailed in this space multiple reasons why the traditional 20th century (19th century) model of regulation is inappropriate for the 21st century problem of cybersecurity.  We won’t revisit these here (they are all available at    

Rather than again detail the inherent shortcomings of traditional regulation, it might be best to focus on the need for new models and strategies. A careful review of cybersecurity as a field finds a curious fixation on the technical vulnerabilities in the system, as if this vulnerability were somehow unique to cyber systems as opposed to other critical infrastructures like agriculture or ground transport, which are similarly insecure. It is this technology-centric – technology-obsessive – model that may be the cause of our, in the conference’s parlance, “Insecurity.”


As usual, the conference will call forth the best technical minds on the issue – and ignore the best economists who might be able to explain and help mitigate against the actual causes of cyber-attacks, which can be found in economics, not technology.

The conference might have focused, for example, on the work being done in the environmental field to redirect the economics of institutions so that becoming “green” is more economically sustainable. In this case, we might not need to rethink as much as think like others who have also faced similar issues of sustainability and resilience but are thinking beyond the technology and taking a more holistic view of the issue.

Then there is the wise call for rethinking our strategy of cybersecurity. Here I have a question: What is our strategy? I have been in the field for 20 years, and I don’t know. A set of tactics is not the same thing as a strategy. The West needs a strategy. What does that mean?

Well, look at what our adversaries are doing. To take one example, look at China. China has a strategy – and not just a cybersecurity strategy, a digital strategy – called the Digital Silk Road, which is a piece of a larger strategy known as the Belt and Road Initiative.

Our Chinese friends (and since they own about 50 percent of U.S. debt, I think we can think of them that way, although perhaps a rethinking is required there, too, but I digress) have integrated their broad geopolitical goals with the infirmities of the Internet, and economic cross-subsidization of domestic industry with diplomatic, military, and geopolitical ambition.

Now that’s a strategy. We need something like that. If the Munich Security Conference can start the ball rolling in that direction, I will be more than hopeful.

Join the Rethink Cybersecurity Community: click here.