The European Epiphany on Cybersecurity: “We Are Losing – Massively”

Saul was on the road to Damascus when he fell to the ground, blinded by a heavenly light and realizing he finally knew the truth. Juhan Lepassaar, the executive director of the EU’s Agency for Cybersecurity, may have just come to a similar insight.

In an AP article yesterday, Lepassaar was quoted telling Politico: “We are not catching up, we’re losing this game, and we’re losing massively.”

ISA has been using this exact same terminology for several years. Three years ago, ISA won three national Reed Awards for our public awareness campaign “RE-Thinking Cybersecurity.” Lepassaar seems to be among the recently converted, telling Politico that despite recent upgrades in the EU cyber program, “We just don’t need an upgrade. We need a rethink.”

We welcome Mr. Lepassaar to the choir.

One of the most fundamental elements of the needed rethinking of cybersecurity is the realization that the economics of cybersecurity are upside down. All the incentives favor the attackers. Virtually none of the major governmental initiatives regarding cybersecurity, in the EU or the US, address the need to rebalance those economics. Cybersecurity policy has been built almost entirely on the narrow band of technology and regulation. As Lepassaar points out in the AP article, many of the “reforms” the EU is undertaking are just warmed-over versions of the traditional, failed model.

We need to realize that the core approach we have taken to cyber defense is fundamentally flawed. It’s not working. It never really has. As Lepassaar points out, the EU, one of the most heavily cyber-regulated areas on the globe, has continually been pummeled by successful attacks on its airports, its banks, its electric grid, its hospitals. Its critical infrastructure cannot defend itself from nation-state attacks that are essentially unconstrained by budget.

Things aren’t any better over here. Over the past 2 months the ISA has produced a series of reports documenting that virtually every aspect of US critical infrastructure is now under attack from nation-state actors operating without budget constraints, essentially Volt Typhoon for everyone. Privately owned critical infrastructure, bounded by commercial economics, cannot adequately defend itself regardless of what government regulations prescribe.

As Nasrin Rezai, Chief Information Security Officer for Verizon, recently put it:

“We’re really dealing with an extremely sophisticated nation-state threat actor that will do anything and everything at any price to get a foothold into our critical infrastructure.”

Moreover, these recent attacks are fixated not simply on stealing data but on strategically compromising the infrastructure itself. This shifts the purview of cyber-attacks from the traditional consumer-protection construct most cyber regulation has focused on into a straightforward national security issue. The modern cyber threat is different and needs to be addressed differently.

The historic strategy for critical infrastructure cybersecurity is ever-expanding government regulatory mandates. There is no evidence these mandates enhance security; indeed, all evidence is to the contrary. Moreover, the regulatory schema in the US, and far more so in the EU, is massively redundant, uncoordinated, and lacking in any cost-benefit analysis. The regulations themselves may undermine effective security.

These are all uncontested facts. The overall approach needs to be “re-thought.”

Fortunately for Mr. Lepassaar, there are several people who have been busily rethinking the current outdated model of cybersecurity, and they have come up with a variety of practical, low-cost steps that can be undertaken fairly quickly and which will create material improvements almost immediately.

  1. Eliminate duplicative cyber regulations. Multiple international studies have documented the massive amount of duplication in cyber regulation. Depending on which sector is analyzed, between 40-70% of cybersecurity budgets are being consumed by filling out redundant regulatory compliance forms (again with no evidence that the compliance enhances security). What changes this finding from one of mere waste into one of compromised security is the fact that we do not have nearly enough trained cybersecurity personnel.

While we are under almost constant, and ever more sophisticated, cyber-attacks, we are wasting our most precious resource. Whereas identifying and eliminating redundancies would once have been a time-consuming and labor-intensive process, modern technology can identify these redundancies efficiently and effectively, even when the regulations are written in different languages.

The goal here is simply to eliminate the duplication, not the core regulation. Just eliminating duplication would free up significant cybersecurity resources and save billions of dollars for both industry and government, which could be put toward more effective cybersecurity initiatives. A recent letter from the House Oversight and Government Reform Chairman, cosigned by several other congressional committee chairs, stated that “eliminating the duplicative landscape of cyber regulations is the fastest, most cost-effective way to materially improve the nation’s cybersecurity.”

  2. Mandate that all remaining cyber regulation be required to meet clear cost-benefit goals. Cost-benefit analysis (CBA) is commonplace in most regulatory environments, but not in cybersecurity. Regulations are not useful if they do not meet their intended goals, i.e. they must be effective. Regulations are not sustainable if they are cost prohibitive, i.e. they must be cost-effective. All cyber regulations, especially given the unbalanced economics of cybersecurity, need to be subject to CBA. If a regulation cannot pass its CBA, then it needs to be amended or replaced. This reform would introduce a needed economic criterion into the overall security assessment process and change the goal of cyber regulation from compliance to effectiveness.

  3. Build the workforce. In the US there are an estimated 500,000 cyber jobs currently unfilled, and worldwide that number reaches into the millions. Moreover, the nature of the cyber workforce is changing, with AI able to perform many basic-level functions but also generating the need for even better trained personnel. Quantum computing is a great example. “Q-Day,” when quantum technology may undermine all current encryption and hence security, is estimated to be only a few years away. When that happens, without a massive program to create enough experts to help virtually every organization with sensitive data make a speedy transition to the post-quantum world, there could be a security breakdown of massive proportions. We have nowhere near enough trained personnel to manage just this one coming change.

The Bible tells us that Paul got back on his horse, proceeded with enlightenment, and spread the word that made life better for millions. One hopes Mr. Lepassaar will now get on his horse and help lead the EU to a more productive and secure cyber world.