There are probably various government agencies where regulators have already sharpened their virtual pencils, preparing to write up some new regulations to go along with the new National Cybersecurity Strategy released yesterday.
Please put down your pens. That is not where implementation of the new strategy needs to begin.
While much of the conversation about the new strategy is about potential new regulation, there are more practical and impactful steps that need to be taken before we get to new regulation. Allow me to suggest three less heralded steps along the road to implementing a new, more effective cybersecurity strategy.
1. “Workforce” Development
Workforce is in quotes because this activity is better understood as national security mobilization. We are under attack, all day every day and pretty much everywhere (sounds like a good title for a movie) and we don’t have enough soldiers.
Sadly, and ironically, the “workforce” section was the very last page in the new strategy. Actually, it ought to be the very first page and first initiative of the new strategy, because nothing else can work – not the regulations, not the frameworks, not the technologies – nothing works unless we have enough knowledgeable and skilled people to implement them – and we don’t – not by a long shot.
When I started at the Internet Security Alliance 20 years ago, we were complaining that there were a hundred thousand cyber jobs we couldn’t fill. Now there are 750,000 in the US alone. Three and a half million world-wide and 35,000 in the government alone. According to Bloomberg the gap is growing at nearly 10% a year. The current approach is not working. We need to address this problem at scale.
The workforce/mobilization issue needs to be the very first one we address. This is an economics problem – supply and demand. We can solve it by stimulating the supply. There isn’t a family with kids between the ages of 5 and 15 that isn’t apoplectic over the cost of college. We need to leverage this gap.
The government spends about $60 billion on cyber security a year. The first billion ought to be on training enough people. We need a national, virtual, cyber academy offering free tuition in return for government service (not just military).
We can train 10,000 new people a year and solve this issue, then we can move on to the others.
2. We need to create an economics model for cybersecurity.
The President himself in his introductory letter announcing the new strategy says, “we will realign incentives to favor long-term investment in security.” That is a great idea, very necessary and the strategy continues this theme.
One question: anyone know how to do that?
No, it’s not spelled out in the strategy, and unlike item one – which we actually know how to do — there isn’t a model for how to realign the incentives of the digital age.
I mean that literally. There is no existing economic model for cybersecurity. In virtually every other area of policy – environment, education, defense — there are tons of models many backed up by sophisticated statistical tests so you can run simulations and make fairly good predictions on effects. We don’t have any such thing for cybersecurity.
Oliver Hart, who won the Nobel Prize in Economics in 2016, has offered to create such a model – but we do have to pay him. His organization, the Prysm Group, came to ISA 3 years ago and offered to create one, but that is beyond our capacity, so we worked on a proposal and sent it to DHS (a couple of times) – no response.
If we really want to realign the economic incentives for cybersecurity – and we really need to do that – we ought to get the best minds in the country to provide us with a model. So that is step two.
3. Streamline Regulations
OK, so we got to the discussion on regulation. The strategy is pretty good on promising (not the first time, but who is counting) to streamline cybersecurity regulation. The redundant and conflicting regulations we currently have take up around 40% of our cybersecurity resources in some sectors – as much as 70% of state and local government budgets. This means we are distracting our cybersecurity personnel (and remember, we already don’t have them) from doing actual security work in order to comply with redundant regulations.
Happily, the Chairs of the new House Homeland Security Committee and Cyber Subcommittee, Congressmen Green and Garbarino respectively, have already responded to the new strategy by saying that, before we start writing new regulations, we need to first streamline the old ones. (I’d add we also ought to test these, to be sure they actually work, but I’m probably getting greedy.)
There is a lot to like in the new strategy and this is where we should start.