This post is a one in the “Rethink Cybersecurity” series. Additional posts in this series are available here
The announcement today that the World Economic Forum (WEF), the National Association of Corporate Directors (NACD), and the Internet Security Alliance (ISA) are working in collaboration on developing consensus principles and metrics for cyber-risk oversight, representing an important turning point in how cyber risk will be understood.
Historically cybersecurity has been conceived as a technical issue, and by extension, the management of cyber risk is best shifted down the corporate and governmental organizational charts to the operations personnel. This has led to an almost exclusively technical/operational approach to addressing cyber risk – a strategy that has been, let’s face it, an abject failure.
Our cyber systems, notwithstanding some excellent technical and operational work, have never been more at risk. The sad reality is that our cybersecurity systems are weak and getting weaker all the time. The statistics are incontrovertible. According to WEF, cybercrime is now a $2 trillion – trillion with a T – a year industry and will quickly grow to a $6 trillion in a couple of years, according to Cybersecurity Ventures. Meanwhile, we are successfully prosecuting less than 1 percent of cyber criminals. The FBI budget to fight cybercrime is $450 million – million with an M – dollars a year.
Meanwhile our main adversaries in the cyber wars, China, have developed a trillion-dollar program – the Digital Silk Road – that is leveraging both the vulnerabilities of the internet to steal western intellectual property and governmental support to build a dominant – Chinese – international technological ecosystem. A few years ago, Huawei was a little-known manufacturer of telephone switches. Now, largely thanks to massive economic support from the Chinese government, it is the world’s largest provider of 5G technology. And Huawei is just the tip of the spear. Far larger initiatives with long range geopolitical risk to the U.S., and western world order, come from Tencent, Alibaba, and others.
The Chinese government has, for years, been operating the equivalent of a cyber–Marshall Plan offering governments around the world Chinese technology for their communications networks – literally making economic offers they couldn’t refuse to embed Chinese technology into their systems. And it’s not just the telecom systems. These networks are integrated with physical infrastructure initiatives, many with military benefits to the CLA. The technologies come complete with backdoors enabling the Chinese government to have access to whatever communications traverses on these networks. The Chinese providers are also literally required by law to collaborate with the Chinese government in whatever recognizance – let’s just call it spying – the Chinese government chooses to engage in.
Notwithstanding some admirable, if belated, efforts by the federal government, the reality is we have lost the 5G competition. Chinese technologies are already embedded in telecommunications systems around the world in Asia, Africa, Latin America and Europe. They even made inroads in U.S. systems by getting contracts to deploy technology in rural US telcos – again based on the sweetheart economic terms they offered. Fortunately, emergent U.S. policy will essentially “rip and replace” the Chinese technology here – but that option is economically unavailable in most of the rest of the world. In many countries their 3G and 4G technology is already Chinese, and the 5G will be built on top of that. It is simply economically infeasible to rip and replace all that technology and start again even if there were adequate non-Chinese competitors to fill that void – by the way, there aren’t adequate replacements. The situation is even more dire since the embedded technology is desperately needed to carry on essential economic function in the midst of the COVID-19 pandemic.
The point is that cybersecurity policy – better understood as digital policy – is not just about technical vulnerabilities and operations. Is the internet infrastructure vulnerable? Of course, as an open system it was built vulnerable, and it’s getting more vulnerable all the time with the explosion in smart phones, tablets, IoT, etc., etc., etc. But the vulnerability does not cause attacks. Practically all our critical infrastructure is vulnerable. Our surface transportation system is incredibly vulnerable. So is our water system and our agricultural system. Despite these vulnerabilities we never hear of these infrastructures being attacked. Meanwhile our cyber systems are under constant attack – thousands of attacks a day, all day 24/7. Why are the cyber systems under constant attack and the other infrastructures are not?
As the great American philosopher “Deep Throat” advised – “follow the money.” (or we can refer to that other great philosopher James Carville who became famous by observing, “It’s the economy, stupid”). Our core problem is not that our cyber systems are vulnerable, it’s that they are under attack. And they are under attack because there is so much profit – financially and geo-politically – from attacking it.
Digital insecurity needs to be addressed not just from an operational perspective, but from an economic perspective. US cyber strategy, to date, has not appreciated this reality.
The core economics of cyber are simple. Cyber-attack methods are comparatively cheap and easy to acquire, cyber-attacks are immensely profitable, and the attackers have a great business model. On the defender’s side we have an inherently insecure system, we are almost always in a reactive mode, it’s hard to show ROI to things you have prevented and there is virtually no help from law-enforcement.
The announcement of the collaboration of the World EconomicForum with theNational Association of Corporate Directors and the Internet Security Alliance to work on principles and metrics to enhance cybersecurity oversight at the most senior levels of industry illustrates that, at least in the private sector, the centrality of the economics is being realized.
In truth, this announcement is largely a recognition of an already ongoing evolution in corporate governance. For several years now leading enterprises have been consciously been engaging in digital transformation. Part of that evolution has been the movement of the cybersecurity function away from its sole location in the “IT” departments to a flatter organizational structure that makes cyber more than just an IT issue and instead makes it a strategic issue addressed at the board level. Digital issues are then being integrated via enterprise-wide cybersecurity teams as part of the core business mission not just as a technical/operational appendage. The Principles and methodologies the WEF-NACD-ISA process will be producing will no doubt illustrate and advance that process.
It’s an open question as to if the U.S. government will similarly adapt its cyber strategies to appreciate the centrality of economics – which will include the need for the general government to invest far more – into cybersecurity. In their 2019 book The Fifth Domain, the venerable cyber experts Dick Clark and Bob Knake observed that U.S. cyber strategy hasn’t really changed much since the Clinton Administration. Since the world has actually changed a good deal in the ensuing 30 years, maybe now it’s the time for that change.
When he was Vice President, now President-elect Biden was known to tell people, “Don’t tell me what your priorities are, show me your budget, and I’ll tell you what your priorities are.” Another of the most respected voices in cyber policy, Jim Lewis of the Center for Strategic and International Studies has written that the Chinese are currently outspending the U.S. on advanced technology 1000 to 1 (not a misprint). Will the federal government follow the private sector’s lead and make us competitive with our adversaries in cyberspace?