Any examination of US cybersecurity policy must begin with one simple and immutable fact.  We are losing the fight to secure cyber space, and we are losing it badly.  Even though administrations of both US political parties and the vast majority of private sector entities list cybersecurity as one of their top priorities, and hundreds of billions of dollars have been spent to enhance cybersecurity in the past two decades, our cybersecurity system is weak and getting weaker all the time.[i]

As this book goes to press in early 2022, the US has experienced one of its worst years at the hands of cyber attackers.  Attacks such as SolarWinds and the Microsoft server attacks, as well as a dramatic escalation in ransomware attacks, highlighted by (but by no means limited to) major incidents such as the one on Colonial Pipeline, provided incontrovertible evidence that the number, sophistication, and impact of cyber-attacks continue to grow at an alarming rate.  All indications are that these trends will continue and escalate.

Although Congress and the Biden Administration have proposed a range of actions to address the ongoing attacks, the broad consensus is that these efforts are unlikely to dramatically change the situation.  For example, in response to the SolarWinds attack engineered by the Russian government, President Biden issued sanctions against Russia.  However, even cyber experts in his own party quickly observed that while they supported the moves, they did not expect them to have much effect.  In response to the Microsoft server attacks carried out by China, the response was even more muted.  Although President Biden was able to gather a wide range of condemnations against China, no sanctions at all were proposed.  In the case of Colonial Pipeline, although the FBI was able to recover a significant portion of the multi-million-dollar ransom for Colonial, thousands of other ransomware victims received no such assistance.

The premise of this volume is that the US needs to rethink its strategy, its structures, and its policies for the digital age. In November 2020, the authors of this book, the Internet Security Alliance (ISA), created a social media campaign called #RethinkCybersecurity.  The main themes of this campaign were that the defender community – government and industry – needed to adopt a broader understanding of the cybersecurity issue and forge a new “social contract” to create a sustainably secure cyber system. The traditional approach, which conceives of cybersecurity primarily as a technical operational issue, needed to be broadened.  Cybersecurity needed to be understood as a strategic issue focused on the economic causes of the attacks as much as on the technical vulnerabilities of the system.  This reconsideration would also focus more on the aggressive and sophisticated strategies of our adversaries and on the systemic risks we face, in addition to the risks faced by specific entities.

Throughout 2020, ISA posted over 1.5 million Internet ads associated with hundreds of blogs designed to reach targeted audiences who focus on cyber policy, all carrying the “Re-Think Cybersecurity” theme.  As the year wore on, numerous policy makers started to use the phrase, including the Chairs of both the House and Senate Homeland Security Committees, the Chair of the House Cybersecurity Subcommittee, and the Acting head of the Cybersecurity and Infrastructure Security Agency, as did numerous trade press articles.  On May 11, 2021, a bipartisan group of Congressmen and women comprising the Chairs and the Ranking Members of the House Homeland Security Committee, the Committee on Transportation and Infrastructure, the Subcommittee on Cybersecurity, the Subcommittee on Railroads, Pipelines and Hazardous Materials, the Subcommittee on Transportation and Maritime Security, and the Subcommittee on Intelligence and Counter Terrorism wrote a joint letter to the President’s National Security Advisor Jake Sullivan stating that they needed to stress “that cybersecurity is no longer just an ‘IT’ issue but instead an economic and national security challenge that can have real-world impacts on our security.” This volume will attempt to sketch out what a freshly conceived US policy for cybersecurity ought to look like, go beyond what cyber practitioners often refer to as “admiring the problem,” and move toward defining an approach that will integrate advanced technology with economics and public policy to create a sustainable system of cybersecurity.

This volume brings together a unique group of cybersecurity experts: individuals whose day job – and night job – is to defend cyber systems from attacks by criminals, nation states, and others. Their analysis leads to the conclusion that the US government needs to increase the priority it places on cybersecurity. The United States needs to develop a digital transformation strategy like those its adversaries, and many leading businesses, have developed. The government needs to restructure the way it considers digital issues, appreciating the economic and geopolitical aspects of cybersecurity as much as the technical operational aspects. It needs to modernize how it partners with industry. And yes, it needs to spend more money on cybersecurity.

The book is divided into two sections.  The first chapter begins with a reanalysis of the cybersecurity issue, demonstrating that the dominant paradigm for cybersecurity is excessively narrow and that the broader economic causes of the attacks need to be addressed more strategically and comprehensively.

In chapter two, a model of a sophisticated strategy is outlined – that practiced by our major (but not only) cyber adversary, China. This chapter details how the Chinese have leveraged the vulnerabilities of the digital world to make substantial inroads on the western liberal democratic order that grew out of World War II, and have used numerous integrated strategies to promote their geopolitical goals to the great disadvantage of the USA and its western allies – and Huawei is just the tip of the iceberg.

In chapter three, a newer, more dangerous, and less analyzed type of cyber threat – systemic attacks – is highlighted.  Although there have been some prominent examples of systemic attacks, such as WannaCry and SolarWinds, most analysis in cybersecurity has focused on specific entities, not entire systems.  However, these systemic attacks are growing in number, and the extent of the damage they can create is many times that of attacks on individual organizations.  Moreover, many traditional defensive measures are not designed to address these attacks.  They present yet another unique need to re-think our overall approach to cybersecurity.

In chapter four, a detailed analysis of why the various tactics historically used to address cyber-attacks are failing is provided. The chapter begins with the disturbing realization that the USA’s overall approach to cybersecurity has not changed for three decades.  All the major policy tools generally recognized as bulwarks against cyber-attacks from regulation through law enforcement, international treaties, and information sharing systems are addressed and found wanting in their current form.

Chapter five proposes a new government structure that would enable the USG to better position itself to deal with the emerging threats. An Office of Digital Strategy and Security (ODSS) is proposed. This structure would be charged with a more extensive portfolio than the recently created Office of the Cybersecurity Director.  The ODSS would be charged with developing a national strategy for digital transformation like the one private entities have gone through, including a much fuller partnership between the public and private sectors.

Chapter six concludes Section One by identifying several specific policy recommendations designed to incentivize, modernize, and economize US cybersecurity policy. Naturally, incentivizing begins with spending decisions that are commensurate not only with the extent of the threat but with what our adversaries are spending.  As President Biden has often said, “don’t tell me your priorities, show me your budget, and I’ll tell you what your priorities are.”  However, simply spending more money will be insufficient to address the growing threat.  The digital age, and the realities of asymmetric war, have thrust upon private entities national defense responsibilities they will be incapable of addressing on their own in a sustainable fashion.  Particularly with respect to critical infrastructure (but not just critical infrastructure), our overall national defense will need to evolve toward a collective model, which will entail structural as well as policy and economic changes.

In Section Two of the book, senior policy practitioners (typically CISOs) from several critical infrastructure sectors (defense, financial services, healthcare, power utilities, telecommunications, and IT) examine the unique cybersecurity challenges they face in their sector as the digital age alters their business models.  Each provides specific policy recommendations that can be integrated into the overall strategic structure and policies identified in Section One. What the reader will see as they proceed through these chapters is that cybersecurity is a far more complicated and difficult issue than has generally been realized, and, as we laid out earlier in this section, policy makers are only beginning to reconceptualize the subject and search for new approaches.

[i] Mlitz, Kimberly. “Cybersecurity Spending Worldwide 2021,” March 29, 2021. https://www.statista.com/statistics/991304/worldwide-cybersecurity-spending/.


Overview of “The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity”

If you had 30 minutes with the president to advise on cybersecurity, what would you say?

In 2015, we began asking our board members that question.

The result is The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity. It’s a 400-page book with more than 100 recommendations, which we published in late 2016.

Most importantly, the recommendations are credible, because they were written by our board members: mostly chief information security officers on the front lines of cybersecurity. Defending networks is our members’ day job.

The recommendations are comprehensive, because the book’s analysis isn’t limited to the usual suspects of critical infrastructure, like defense, information technology, telecom, financial services and utilities. It also addresses unique threats felt within equally critical sectors such as manufacturing, healthcare and agriculture.

Collectively, the recommendations also have the backing of some of the most forward-looking thinkers in cybersecurity policy (see below).


Praise for The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity
“The Cybersecurity Social Contract is a comprehensive assessment of the state of cybersecurity and offers the administration and Congress a road map for sensible and practical progress dealing with urgent security issues.”

-Michael Chertoff, Executive Chairman and Cofounder, the Chertoff Group, former Secretary, Department of Homeland Security

“This well-researched and documented book is the most comprehensive work to date in addressing these issues. I strongly recommend the administration and the Congress adopt the recommendations of this work.”

-Admiral Mike McConnell (Retired), former Director of National Intelligence; former Director, National Security Agency

“The Cybersecurity Social Contract provides a thoughtful roadmap of recommendations that places risk management principles at the core of the next administration’s cybersecurity agenda.”

-Melissa Hathaway, President, Hathaway Global Strategies, former Director of the Joint Interagency Cyber Task Force

“What an accomplishment. The Internet Security Alliance continues to prove its thought leadership by laying out a practical framework that integrates technology, government policy and business economics.”

-Air Force General Charlie Croom (Retired), Senior Vice President and Director, Strategic Account Executives, Leidos

“The Cybersecurity Social Contract blends for the first time real world economics and politics of cybersecurity. This volume offers the incoming administration the best hope for making serious progress.”

-Pradeep Khosla, Chancellor, University of California-San Diego; former Dean, College of Engineering, Carnegie Mellon University

“The Cybersecurity Social Contract presents a comprehensive overview of why we have failed to get our arms around these issues—including privacy—and what the next administration needs to do to avoid catastrophe.”

-Art Coviello, Jr., Executive Chairman (Retired), RSA