Getting Our Cyber Act Together: What Really Matters and What’s At Stake 

By Larry Clinton, Skytop Contributor / January 25th, 2022 

Larry Clinton is President of the Internet Security Alliance (ISA). The ISA is a multi-sector trade association that focuses on thought leadership, policy advocacy and developing best practices for cyber security. Mr. Clinton holds a certification in Cyber Risk Management for Corporate Boards from Carnegie Mellon University. He is on the faculty of the Wharton School, where he teaches a graduate Executive Education course in cyber security. 

The National Association of Corporate Directors has twice named Mr. Clinton one of the 100 most influential people in the field of corporate governance. He is a two-term Chair of the IT Sector Coordinating Council and serves on the Cybersecurity Advisory Board for the Center for Audit Quality and the Cyber Advisory Board for the Better Business Bureau. He is widely published and has been a featured spokesman in virtually all major media outlets, from the WSJ, USA Today, Fox News, NBC, CBS, NYT, PBS Morning Edition and CNN to MTV in India. He testifies often before Congress. He has briefed industry and governments worldwide, including NATO and the OAS. ISA was also the only trade association to be part of the official cyber security briefing for the Republican National Convention in Cleveland. 

ISA recently published the Cyber Social Contract (Vol. 3), which outlines 106 recommendations for the President and Congress. The previous editions of the ISA Social Contract were endorsed by the House GOP Task Force on Cyber Security and were the basis for President Obama’s Executive Order 13636 on Cyber Security. He is the industry co-chair (DHS is the government co-chair) of the Policy Leadership Working Group on Cyber Security Collective Defense featured at the National Cyber Security Summit in New York in July. 

He literally “wrote the book”: the Cyber Risk Handbook for corporate boards, which is the only private sector publication endorsed by both DHS and DOJ. PwC has independently evaluated the Cyber Risk Handbook and found it substantially changed how corporate directors address cyber risk management, leading to higher budgets, better risk management, closer alignment of cyber security with business goals and helping to create a culture of security. In 2017 ISA adapted the Handbook for the UK and Germany. As in the US, the German edition has been endorsed by the German government. ISA is now working with the OAS on a Latin American version of the handbook, as well as editions for India and Japan, in partnership with industry groups. 


Cybersecurity Issues for 2022 

In 2022 let’s resolve to give proper, proportional attention to things that really matter in cybersecurity, and a little less to the quick “fix” pass-the-buck “solutions” that seem to dominate in public policy debate. 

Specifically, I’m thinking we need to spend much more time on issues like:  

  • How do we intend to match China’s multi-trillion dollar (and very successful) Digital Silk Road initiative?  

  • How are we going to address the vast imbalance in economic incentives, which massively favor the attackers over the defenders and are the core motivation for the vast majority of cyber-attacks?  

  • How are we going to make it practical for private industry to take on, and finance, the national security obligation of defending against cyber attacks carried out, funded or facilitated by nation states with vastly greater resources?  

  • How do we develop a defense structure that protects against systemic risks to the system itself, not just to specific entities within the system?  

  • What do we need to do to really fill the cyber workforce gap that has existed, and steadily gotten worse, for decades?   

These are some of the major security issues that truly will impact our ability to function within a sustainably secure system. Yet the full discussion of issues such as these, and others such as AI, is currently not receiving nearly enough attention in the public policy arena. The necessary analysis and fundamental changes that will be required are being crowded out by excessive focus on outdated tactical issues such as reporting requirements, technical standards and check-the-box regulatory structures, none of which is demonstrating any impact on our overall cyber security.   

In fact, any fair analysis of the impact of 20 years of such tactical policy approaches would have to conclude that they are failing. Is anyone willing to argue that our cyber systems are more secure now than 20 years ago? Is there any empirical evidence at all that these government-imposed regulations and requirements have actually improved security? It should be understood that compliance and security are not at all the same thing.  

 

Part One: Getting Our Acts Together 

Perhaps we, meaning industry and government together, need to acknowledge that the overall approach to cyber security, which in the 21st century means all security, is inadequate. Implied in this realization is the fact that the so-called and much beloved industry-government partnership model is failing. Of course, it’s not that the partnership model is wrong. In fact, I very much believe it’s the right model. Indeed, it is the only model that can work in an inherently diversified and interconnected digital world. 

The problem is that the “partnership” concept is largely misunderstood and, in many cases, really only exists rhetorically. The partnership desperately needs to be expanded and matured. To begin with, we need to stop thinking in terms of government and industry with separate agendas and solutions for each. The reality is that the bad guys are attacking all of us: consumers, government, industry and everyone else. We shouldn’t even be talking in terms of government and industry. We should be thinking of the attacker community vs. the defender community, as partners in the same endeavor, which in truth we are, even though we rarely behave as such. 

Step Two: Understanding the Problem 

One of the major reasons why we haven’t made any real progress on cybersecurity (in fact, we are losing ground at a head-spinning rate) is that the problem has largely been misanalyzed. 

Virtually all the policy work that has been done on cybersecurity for the past 20 years has been technology focused. Virtually all the “experts” the government tends to go to for insight on cybersecurity are technicians or IT companies. As the old saying goes, to a hammer everything looks like a nail. If we only look at cybersecurity as a technical issue, we are only going to get technical fixes, and we have already seen that they are not working. 

Cybersecurity is an Enterprise-Wide Risk Management Issue  

Although cybersecurity obviously has a technological component, it is not at heart an “IT” issue. Rather, it is an enterprise-wide risk management issue, very different from a back office computer fix. This realization suggests we need to consider cybersecurity on a strategic, not just technical, level. Even though our cyber systems are vulnerable, the most vulnerable element in the system is human, not technical; hence human resources needs to be fundamentally involved. Since the major motivation behind attacks is economic, not technical, we’ll need to involve the finance people. And since virtually all institutions will eventually have breaches that need to be explained, PR is an important part of the system too.   

This alternative conceptualization of cybersecurity is already being adopted by leading corporate boards around the world. In 2021, publications co-authored by the National Association of Corporate Directors (NACD) in the USA, the European Conference of Directors Associations in the EU, and the World Economic Forum argued that cybersecurity needs to be understood from the strategic, not merely technical, perspective described above and addressed by an enterprise-wide team, not just the IT department.  

The Economics of Cybersecurity 

These publications recognize that technology is merely the avenue through which cyber-attacks occur, the how. A vast amount of data documents that the reasoning behind cyber-attacks, the why, is primarily economic. Yet while there is almost constant debate and legislation focused on cyber technologies, there has been virtually no public policy work on the economics of cybersecurity.   

Looking at the issue from an economic perspective, it becomes obvious that the reason there are so many cyber-attacks is that all the economic incentives massively favor the attacker community over the defender community. From the attacker community’s perspective, cyber-attack tools are comparatively cheap (amazingly cheap) and easy to acquire, and the attacks are incredibly profitable. The business model is excellent: you can use the same methods over and over on a worldwide target base. The defender community (both government and industry), by contrast, must defend an inherently vulnerable system. The Internet was built to be an open landscape and is becoming more vulnerable all the time. Defenders get virtually no help from law enforcement, which successfully prosecutes less than one percent of cyber criminals. 

Rebalancing the Equation 

Despite the fact that the techno-centric approach hasn’t worked at all, and the economic perspective might yield actual improvements, there has been almost no public policy work on rebalancing the economics of the digital age. Instead, blame often falls on the victims of the attacks, passing the responsibilities of national defense and crime prevention to the private sector. 

In subsequent posts I’d like to offer some thoughts as to how we might, going forward, pragmatically redirect our approach to address the sorts of major issues that could offer progress in cybersecurity. Before launching into these posts, I’d like to address the elephant in the room: can this really be done? Can we truly bring industry and government to behave as if they are on the same side and let go of old suspicions? Can we re-think this issue, break out of the old paradigm and create a new one? My answer is yes we can, and Europe has proved it can be done. 

Europe Rebalanced 

Western Europe has faced worse problems. After all, for literally thousands of years Europe was at almost constant war with itself. Europe measures its wars in centuries. There was the Hundred Years’ War as well as the Thirty Years’ War. There was the First Crusade and then the Second Crusade. Just last century there were two “World Wars” fought primarily on the European continent.  

And yet, for the past 76 years Europe has known almost constant peace. Sure, there is Brexit in the UK and the Basques in Spain, but Germany is not invading Belgium or Norway. Italy is not invading France. Even the Irish and the Brits aren’t shooting at each other. 

How did that happen? Did the European countries go to their borders and patch up all the vulnerabilities? No. The European countries decided, notwithstanding centuries of animosity, that they could work together and form a Common Market and the European Union. They remade the economics of their relationships, and although there have been ripples, there has been virtually constant peace for 76 years. 

If that can be done on the scale of nation states and world wars, it can be done in cybersecurity. We can rethink the relationship between industry and government and work in common bond and common interest. We can rethink the economics of cybersecurity and come up with a more effective way to address the issue. 
