June 16, 2021

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.

Perhaps the most incisive part of Chris Inglis’ testimony before the Senate Homeland Security Committee was his statement: “Cybersecurity is comprised of far more than technology. Essential collaboration and integration will heavily depend on how roles and responsibilities are defined and executed.”

Perhaps the most troubling was his statement that “enlightened self-interest” and market forces “apparently are not working,” creating a need for regulation in some areas. As carefully phrased as it is, I personally have no problem with the statement. What is problematic is if it is over-read to mean that the partnership model of industry and government working collaboratively is misguided, or that a broad regulatory program is the path to sustainable cybersecurity. I do have a problem with that kind of interpretation.

Just to be clear, the ISA has never supported a laissez-faire approach to government collaboration in cybersecurity. Dating back to our comments on the first National Strategy to Secure Cyberspace issued by the Bush Administration, ISA has always maintained that existing market forces were insufficient to address cybersecurity because digital economics is completely upside down, with all the economic incentives favoring the attack community. The “missing link to effective cybersecurity is the development of a menu of incentives to rebalance digital economics.”

For nearly 20 years, ISA has been arguing that we need two essential steps to address the cyber issue. First, government needs to get serious – by which we mean appropriately fund – cybersecurity efforts.

Total federal appropriations on cybersecurity in fiscal year 2020 were just under $20 billion (about half of that went to the Department of Defense). In contrast, a recent comparative analysis of spending on cybersecurity by Forbes concluded: “as a result of government inaction, private sector companies have been forced to take cybersecurity more seriously and, according to some projections, will spend over $1 trillion on digital security globally through 2021.”

One of the most glaring examples of government underfunding cybersecurity concerns cybercrime. Cybercrime costs literally trillions of dollars in damage each year, and the FBI’s cybersecurity budget is around one half of a single billion dollars. There is simply no way law enforcement can fulfill their mission when they are so enormously outgunned, which is one major reason why we successfully prosecute only around 1 percent of cyber criminals.

However, there was great news that came out just a few days ago. Law enforcement was able to recover – quite quickly – about half of the $4-plus million Colonial Pipeline had paid in the recent high-profile ransomware attack.

This proves law enforcement can make great strides against cybercrime – when they are provided the proper resourcing. There are literally thousands of ransomware victims all wanting, and deserving, that kind of help from government in tracking down criminals. Of course, they won’t get it, mostly because government won’t provide law enforcement with the appropriate tools.

This brings us to Mr. Inglis’ very perceptive observation: “Essential collaboration and integration will heavily depend on how roles and responsibilities are defined and executed.” This raises a great question.

So, does Mr. Inglis believe it is industry’s responsibility to protect and defend against nation-state and nation-state-affiliated attacks – as in the case of the Colonial Pipeline cyber-attack? Or is it government’s responsibility to provide for the common defense?

As Mr. Inglis presumably is aware, our National Infrastructure Protection Plan states clearly that private entities spending on security is done, appropriately, at a commercial level, which is more risk-tolerant than would be required if they had the responsibility to provide for the common defense against nation-state-affiliated cyber-attacks.

A related, and important, question is this: if U.S. private companies are now to make commercially uneconomic security investments to ward off these attacks, what would be the implications for capital investment in these firms, and what will that mean for our national infrastructure? Would we need a multi-trillion-dollar infrastructure bill every few years?

This leads to the potentially problematic interpretation of Mr. Inglis’ statement that since the current system is “apparently not working” (you think?) we may need government regulation – in some areas.

That “some areas” phrase tacked on at the end covers a lot of ground. Even ISA believes there ought to be cybersecurity regulation, such as a national breach notification law, and even prescriptive regulations in sectors where the economic model is built on a regulatory structure. But the phrase was included in his statement, and we of course take him at his word.

Still, if more regulation is going to be teed up for serious discussion, we ought to be clear about the facts of the case, as there is a substantial myth machine that sees government regulation as a panacea for cybersecurity.

There are a couple of things to be clear about.

We already have a substantial amount of government regulation of cybersecurity.

Don’t take my word for it. Richard Clarke, Cyber Czar for both Presidents Bush and Clinton, and Bob Knake, Cybersecurity Chief for President Obama, state in their 2019 book The Fifth Domain: “There is a mountain of cybersecurity regulation created by federal agencies. Banks, nuclear power plants, self-driving cars, hospitals, insurance companies, defense contractors, passenger aircraft, chemical plants and dozens of other private sector entities are all subject to cybersecurity regulation by a nearly indecipherable stream of agencies including FTC, FAA, DHS, FERC, DOE, HHS, OCC, and so on.”

Cybersecurity regulation has not proven itself to be effective.

For example, health care is one of the earliest and most broadly regulated of critical industries for cybersecurity, yet a comprehensive 2020 study by ESI ThoughtLab found health care institutions ranked 11th out of 13 critical sectors in terms of average loss compared to revenue. Health care also ranked 11th of 13 sectors in terms of understanding cyber risk using state-of-the-art quantitative methods, and 13th out of 13 sectors in terms of plans to increase spending. The study also found that healthcare institutions on average vastly underestimated the probability of a cyber breach, and less than half of the healthcare institutions had disaster recovery plans or cyber incident recovery plans, or did regular cyber risk assessments or stress tests.

The heavily regulated financial services industry did better than healthcare but was empirically not the consensus industry leader, as might have been expected. In fact, among the 13 industry sectors analyzed, financial services led only in terms of plans to boost spending (followed closely by the largely unregulated technology sector in second place). Financial services came out middle of the road in terms of losses compared to revenues, was equivalent to healthcare in terms of vastly underestimating the likelihood of a cyber breach, and was only slightly better than the healthcare sector, with just over 50 percent of financial institutions having disaster recovery plans and cyber incident recovery plans and conducting regular risk assessments and stress tests.

Overall, the ESI study found that heavily regulated sectors like finance and health regularly ranked below generally unregulated sectors like tech, general automotive, and manufacturing in several critical cybersecurity measures.

Even the federal government’s self-regulation doesn’t work.

An April 2020 report from the Government Accountability Office on the Defense Department’s cybersecurity found that the Pentagon had not even fully implemented its own initiatives and practices related to improving cyber hygiene, leaving the department in the dark on how and when to respond to breaches. The report said: “The department does not know the extent that cyber hygiene practices have been implemented to protect DOD networks from key cyberattack techniques.”

A U.S. Senate Investigations Subcommittee review on agency cybersecurity compliance with NIST standards found 88 percent of them failed to properly protect personally identifiable information, 63 percent did not have an accurate list of their IT assets, and 75 percent did not install security patches.

A 2019 GAO report found: “The White House Office of Management and Budget and DHS examined the capabilities of 96 civilian agencies across 76 cybersecurity metrics and found that 71 agencies had cybersecurity programs that were either at risk or at high risk. The assessment also stated that agencies were not equipped to determine how malicious actors seek to gain access to their information systems and data.”

The reality is that the traditional regulatory model is ill-suited to the unique and dynamic cybersecurity problem. If it were as simple as setting standards to be followed, it would have been addressed by now. There are far more difficult and complicated issues that have historically not been addressed by government, and this is where one would hope Mr. Inglis and his new office will begin.
