THE CASE FOR A NATIONAL CYBERSECURITY ACADEMY: A NATIONAL DEFENSE IMPERATIVE Part 1 of 3

By Larry Clinton, Skytop Contributor / January 7th, 2023 

 

Larry Clinton is President of the Internet Security Alliance (ISA). The ISA is a multi-sector trade association that focuses on thought leadership, policy advocacy and developing best practices for cyber security. Mr. Clinton holds a certification on Cyber Risk management for Corporate Boards from Carnegie Mellon University. He is on the faculty of the Wharton School, where he teaches a graduate Executive Education course in cyber security.

The National Association of Corporate Directors has twice named Mr. Clinton as one of the 100 most influential people in the field of corporate governance. He is a two-term Chair of the IT Sector Coordinating Council and serves on the Cybersecurity Advisory Board for the Center for Audit Quality and the Cyber Advisory Board for the Better Business Bureau. He is widely published and has been a featured spokesman in virtually all major media outlets, from WSJ, USA Today, Fox News, NBC, CBS, NYT, PBS, Morning Edition, CNN and even MTV in India. He testifies often before Congress. He has briefed industry and governments world-wide including NATO and the OAS. ISA was also the only trade association to be part of the official cyber security briefing for the Republican National Convention in Cleveland.

ISA recently published the Cyber Social Contract (Vol. 3), which outlines 106 recommendations for the President and Congress. The previous editions of the ISA Social Contract were endorsed by the House GOP Task Force on Cyber Security and were the basis for President Obama’s Executive Order 13636 on Cyber Security. He is the industry co-chair – DHS is the government co-chair – of the Policy Leadership Working Group on Cyber Security Collective Defense featured at the National Cyber Security Summit in New York in July.

He literally “wrote the book” — the Cyber Risk Handbook for corporate boards, which is the only private sector publication endorsed by both DHS and DOJ. PWC has independently evaluated the Cyber Risk Handbook and found it substantially changed how corporate directors address cyber risk management, leading to higher budgets, better risk management, closer alignment of cyber security with business goals and helping to create a culture of security. In 2017 ISA adapted the Handbook for the UK and Germany. As in the US, the German edition has been endorsed by the German government. ISA is now working with the OAS on a Latin American version of the handbook, as well as an edition for India and Japan, in partnerships with industry groups.


National Imperative 

We need to stop talking about the issue of cybersecurity workforce development, and instead properly frame the issue as an imperative for national defense digital mobilization.

Just as World War II made it apparent that the skies were a unique domain of warfare resulting in the creation of the US Air Force Academy in the 1950s, so too have recent events made it clear beyond doubt that cyberspace is now a unique domain of warfare. As such, cybersecurity must be properly understood not just as privacy, consumer, and business issues with an adjunct military aspect, but for what it truly is – the most dominant element of national defense in the 21st century. This is because all the other domains of warfare are ultimately dependent on cyber technology. 

It is axiomatic that it is impossible to have an effective national defense without properly trained personnel to implement that defense. The Russian army’s failure in Ukraine is a stunning example of how even a massive superpower can have its apparent strength undermined by poor training and strategy.  

Lessons from Russia 

The U.S. should take a lesson from the current Russian experience, albeit in a differing context. However, a major part of the Russian failure has been a mischaracterization of modern conflict – in short, they didn’t understand what they were up against — and an inadequately trained army.  

When considering these concepts from a U.S. cybersecurity perspective, we may have very similar issues we are not addressing.  

Risk Assessment 

To begin with, we need to better understand what we are up against. Cyber technology has changed the nature of national defense, which can no longer be considered in strictly military terms. The defining characteristic of the Internet is ubiquitous interconnection. In 21st century America our national defense must be understood as coequally dependent on a cybersecure private sector as a capable cyber ready military force. Although there are rhetorical allusions to this fact, our public policy has not been redirected to this modern reality.  

In the 1940s steel plants in Pennsylvania were not expected to erect radar and deploy anti-aircraft weapons to ward off a possible Japanese or German attack on the U.S. critical infrastructure. However, we have heretofore taken that posture with respect to cybersecurity.  

To the contrary, we expect the private sector to defend itself against sophisticated cyberattacks, including those directly tied to nation-states and their affiliates.  

Private Institutions Face State Affiliated Attacks 

It is an established fact that present day private institutions are faced increasingly with cyberattacks, often by nation-states, state affiliated or state trained assailants. These attacks not only threaten consumer and corporate interests but the overall national interest. 

It is also a widely accepted fact that neither the U.S. government nor the private sector has adequately trained personnel to defend itself against cyberattacks. The estimates vary somewhat but there is virtual unanimity in the cybersecurity community that the adequately cyber-trained personnel shortage is hundreds and hundreds of thousands and growing rapidly.  

The federal government has been trying for years to compete with the private sector for scarce cyber personnel resources and has had only marginal success. This situation is unlikely to get appreciably better so long as the demand for adequate personnel outstrips supply, and all evidence suggests the trends are moving in the opposite direction.  

The situation is far worse at the state and local levels, which don’t have the economic elasticity of the federal government.  

Without a dramatic increase in the supply of appropriate personnel, it is almost impossible to see how financially strapped states and localities will ever be able to compete in the market for cybersecurity personnel. It bears repeating that due to the extensive interconnection between states and the federal governments, not only are the states and their citizens going to continually suffer from attacks they can’t possibly defend themselves from but they will provide massive pathways to federal systems creating an ever-present systemic risk to the nation.  

Global Talent Shortage 

To be fair, the U.S. is not alone in this personnel shortage. In the rest of the world the need for appropriately trained personnel is even greater. However, that fact is of little solace when the U.S. is being attacked. And we are already under constant attack. Time is not running out to build an adequately mobilized and trained cyber community. It has run out. We have massive ground to make up and we need to start making it up fast.  

Cyberattack methods and business models are becoming ever more sophisticated and diffused to a growing cyberattack community. Attack methods considered highly advanced and within the capability only of nation-states a few years ago are now widely practiced by criminals. Cyberattacks as a service are growing, which will increasingly make sophisticated attack methods available to ever more dangerous and less manageable entities than traditional nation-states.

Preparedness is a Top Priority 

It is true that we have not yet faced “the big one.” Fears that Russia may attack U.S. critical infrastructure have not materialized – or at least not yet. However, I suspect there may have been an element of invincibility in the Russian command before Ukraine. We would do well not to underestimate our vulnerability and at the very least develop, train and mobilize our defenses against cyberattacks.  

In part two of this series, we will consider possibly the only practical way to address this problem in a proficient, speedy, and cost-effective fashion – a national, virtual cybersecurity academy. 
