This post is a one in the “Rethink Cybersecurity” series. Additional posts in this series are available here
We are all in this together” has become one of the major narratives of the COVID era. The notion is that the virus can attack anyone of us – we are all essentially targets — and by protecting ourselves we are also protecting our friends and neighbors.
The same philosophy is essentially true in cybersecurity. What we have now learned is that we are all targets — big companies – small companies — government and industry alike. The bad guys, like the virus are after all of us. We are all in this together.
Cybersecurity policy was essentially born back in the Clinton and Bush Administrations via a set of Presidential Directives from President Clinton and then the National Strategy to Secure Cyber Space from the Bush Administration. These documents, and those of every Administration since have held to at least the rhetorical notion that due to the core nature structure of our cyber systems – largely owned and operated by the private sector – the only way security could be effectively accomplished was though a public private partnership. The question has always been, what is the nature of that partnership?
As Dick Clarke and Bob Knake point out in their 2019 book The Fifth Domain
“Since the Clinton Administration our cyber-strategy has changed very little…We return to the basic idea that the companies that own and operate the Internet. will be responsible for protecting themselves.”
However, Clarke and Knake also note that government’s role in “helping the private sector help itself” will occur “ultimately through regulation.” And go on to document a plethora of instances wherein the government is to greater and sometimes lesser (leaning ever more toward the greater) extent through increasing regulation.
In previous posts we have documented that these regulatory efforts lack any concrete evidence of improving security and that research has demonstrated that lesser regulated sectors actually fair better in terms of several security outcomes than the highly regulated sectors. However, a question we have not addressed thus far is: Are these regulatory efforts consistent with our stated strategy of a public private partnership ? And could a different understanding of the nature of that partnership improve our collective cybersecurity?
The compliance/penalty culture, which is an inherent part of the regulatory structure, is especially problematic in the cyber domain. The mindset of the regulator tends to be like a parent who feels they must discipline their unruly, industry, child. In cases of actual criminal or fraudulent behavior on the part of industry this is appropriate. However, as we have demonstrated in previous posts, in cybersecurity the problem is more often the unequal balance between the corporate (and governmental) defenders and the better resourced and more intensively incentivized attackers. This is especially the case for major cyber events which naturally are the ones of highest concern to the government.
Too many regulators feel the need to blame the victim of the attack thinking—wrongly—that severe penalties will drive better security (the evidence suggests it wastes valuable security resources). Moreover, the adversarial nature of the compliance/penalty culture is counter-productive to the sorts of collaborative partnership that industry and government need to evolve in order to create a sustainable collective defense model. Simply the perception of the big stick of penalties and enforcement will intensify the already existing attitude of fear and mistrust which undermines the widely accepted wisdom that neither government nor industry can maintain a secure cyber system unless they act together in true partnership. The former Director of Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher Krebs summed this concept up recently saying “ Protecting privacy is at the cornerstone of everything we do as an agency that depends entirely on maintaining the trust necessary to work with industry through our voluntary programs.”
In instances such as the Enron and WorldCom or Volkswagen scandals regulators stand in for consumers and protect them from malfeasant corporations – as they should. However, in today’s cybersecurity environment, the opponents are vast criminal syndicates and increasingly nation-states and their surrogates. who are stealing and corrupting personal data, corporate intellectual property and national secretes. Government, consumers, and industry are actually all on the same side.
Rather than conceptualizing the government-industry relationship as a parent child relationship it would be far better to think of the partnership as would exist in a good marriage. As the existing National Infrastructure Protection Plan (NIPP) makes clear in protecting our nation’s critical infrastructure the public and private sectors have aligned but legitimately different ways of assessing risk. These differences can’t be papered over (or in a more apt metaphor to regulation paved over) with government mandates. They need to be worked out in egalitarian forums. Only the true appreciation of the other’s differences and adaptation to them in a mutually satisfactory approach will be sustainable.
This is the model similarly of a good marriage. In a good marriage the parties are, of course very different. One party does not set the rules for the other. They are worked out mutually and in an environment of equity. In so doing trust is enhanced and grows leading to increased willingness to attend to the other’s needs.
It might be a good idea, (I hate to put it this way) for our government partners to be a little less masculine and a bit more sensitive to industry needs. For example, stating, in effect you own the infrastructure so you take care of it is the rough equivalent of saying “you birthed those kids now you manage them.”
To make matters worse, following the regulatory model comes the implicit (often explicit) threat of “If you don’t do this to the degree, I feel is adequate there will be sever penalties” Try keeping a modern marriage happy and together with that attitude.
Of course, the question arises as to if this is possible. The answer is yes, it is. In fact, in isolated cases this alternative, egalitarian “marriage model” has already been tried and worked. The NIST cybersecurity Framework was designed in this more collegial fashion. In fact, the new CMMA structure developed by DoD and the DIB largely used committees of equal representation. Several years ago, a joint industry DHS study found that cybersecurity programs that adhered more closely to this model were more successful than those that followed the more traditional approach.
As we have made clear in multiple earlier posts in this campaign (and will continue to do so) the current model –dating back to the Clinton Administration – is not working. We need to adapt the model to make the industry-government marriage work. We need to do so for the sake of the “children (the US citizen) and then maybe, someday, we can all live happily ever after.