US CYBERSECURITY – OLD PRACTICES, NEW VISIONS

February 24, 2023

US cybersecurity policies have been inadequate for decades and need to be updated to counter the heightened digital and physical risks the nation faces from our adversaries today. The US cybersecurity effort over the past thirty years largely comes down to a series of modest, disjointed, incremental tactics.

On the other hand, one significant rival, China, has a comprehensive Digital Strategy; in fact, they have had one for years. It is called the Digital Silk Road (DSR), which is only part of a far larger strategy known as the Belt and Road Initiative (BRI). This program has already succeeded throughout the world in placing the West in general, and the USA in particular, at a substantial geopolitical disadvantage.

Unlike the Chinese, we have not configured a thoughtful, comprehensive Digital Strategy that factors in the impact of digitalization on all sectors of our society. It should leverage our economic advantages, technical expertise, and open political philosophy. The point is not that we ought to precisely emulate China’s approach. But we do need a new vision that provides more than a series of tactics, which currently include standard-setting, information sharing and awareness programs. We need to embrace free market democratic ideals and try out long-term, creative planning mechanisms which take advantage of our Western ethical standards. It is time to make a major change.

The US has advantages that facilitate the creation of dynamic policies in cyberspace. We have a much larger economy than China, especially if we factor in Western Europe. We also have a hundred years of alignments, whereas China isn’t particularly popular, even with its nearest neighbors like Japan and South Korea. And, perhaps most of all, we have a dynamic free market entrepreneurial system that embraces change and innovation. That is precisely the sort of system which ought to be a perfect fit to compete in the digital age.

However, even with these resources, the US is falling behind at developing a comprehensive strategy. Richard Clarke and Robert Knake are two of the most experienced and well-respected experts in the field of cybersecurity, and in their 2019 book, The Fifth Domain, they wrote:

Since the Clinton Administration our cybersecurity strategy has changed very little…We return to the basic idea that companies that own and operate the internet and the things they connect to it… will be responsible for protecting themselves. Government’s role will be limited to support the private victims of cyber-attacks with law enforcement, information sharing, diplomacy and in the rare cases where it is both feasible and in the national security interest, military force. Government will also play a role of helping industry help itself through nudges to encourage investment and cooperation in cyber-security through research training convening and ultimately through regulation.

Perhaps the most common response for those engaged in cybersecurity issues (and the tactics mentioned by Clarke and Knake) is to promote a standard regulatory model. In such a system, the federal government prescribes a set of standards and industry needs to comply, subject to independent audits, legal enforcement and stiff penalties.

Unfortunately, this reliance on regulation demonstrates a lack of understanding of the cybersecurity problem and the limited success of regulations to date. More important, it ignores the fact that traditional regulatory frameworks are fundamentally ill-suited to the digital age – a conclusion that has been reached even by those who have been put in charge of implementing such frameworks.

Much of our traditional regulatory enforcement system is designed to address malfeasance. However, the core problem with cybersecurity is not that the technology or the users are incompetent, uncaring, or evil. The core problem is that our technology is under attack. The attacks are not because the system is inherently vulnerable, although it is. Most of our infrastructure is extremely vulnerable, but rarely attacked. The primary cause of cyberattacks is the overwhelming economic incentives which favor the attackers.

The “why” of cyberattacks is almost always economic. Typically, the economic motive is financial gain, although there are other profit-and-loss motives as well. Approaching cybersecurity from this economic perspective is crucial to developing an effective strategy that can transcend the traditional operational/vulnerability model that has dominated the field. Sadly, economic analyses have been all but ignored to date.

Historically, public policy considerations of digital economics have been confined to the direct economic impacts of cyberattacks. While this metric is clearly significant – suggesting that the government needs to vastly increase its spending on cybercrime – it is far from adequate. We need fresh insights into the economic causes, as opposed to the technical aspects of the problem.

The size, frequency, and impact of cyber-attacks clearly indicate that the current model does not work. As Clarke and Knake noted in 2019, US cyber policy has changed “very little” in the past thirty years. In contrast, during that time the world itself has changed quite dramatically. In this transformed digital world, the “limited role” and “nudges” Clarke and Knake suggest as the basis for government support of the private sector are obviously inadequate. Government’s role in collective cyber defense is more challenging than simply setting and enforcing regulations and assessing if industry has followed them – or urging modest investments with seed money.

The advent of the digital age has fundamentally changed how companies do business, how employees do their work, how privacy is protected, and how national security is assured. The United States needs a more robust cybersecurity strategy that is comparable in integration and economic support to what our major adversaries have – in particular, China.