What Football and Cyber Share: Understanding the Opponent
By Larry Clinton, Skytop Contributor / March 14th, 2022
Larry Clinton is President of the Internet Security Alliance (ISA). The ISA is a multi-sector trade association that focuses on thought leadership, policy advocacy and developing best practices for cyber security. Mr. Clinton holds a certification in Cyber Risk Management for Corporate Boards from Carnegie Mellon University. He is on the faculty of the Wharton School, where he teaches a graduate Executive Education course in cyber security.
The National Association of Corporate Directors has twice named Mr. Clinton as one of the 100 most influential people in the field of corporate governance. He is a two-term Chair of the IT Sector Coordinating Council and serves on the Cybersecurity Advisory Board for the Center for Audit Quality and the Cyber Advisory Board for the Better Business Bureau. He is widely published and has been a featured spokesman in virtually all major media outlets, from WSJ, USA Today, Fox News, NBC, CBS, NYT, PBS, Morning Edition and CNN to MTV in India. He testifies often before Congress. He has briefed industry and governments worldwide, including NATO and the OAS. ISA was also the only trade association to be part of the official cyber security briefing for the Republican National Convention in Cleveland.
ISA recently published the Cyber Social Contract (Vol. 3), which outlines 106 recommendations for the President and Congress. The previous editions of the ISA Social Contract were endorsed by the House GOP Task Force on Cyber Security and were the basis for President Obama’s Executive Order 13636 on Cyber Security. He is the industry co-chair (DHS is the government co-chair) of the Policy Leadership Working Group on Cyber Security Collective Defense featured at the National Cyber Security Summit in New York in July.
He literally “wrote the book”: the Cyber Risk Handbook for corporate boards, which is the only private sector publication endorsed by both DHS and DOJ. PwC has independently evaluated the Cyber Risk Handbook and found it substantially changed how corporate directors address cyber risk management, leading to higher budgets, better risk management, closer alignment of cyber security with business goals and helping to create a culture of security. In 2017 ISA adapted the Handbook for the UK and Germany. As in the US, the German edition has been endorsed by the German government. ISA is now working with the OAS on a Latin American version of the handbook, as well as editions for India and Japan, in partnership with industry groups.
Ineffective Current Cyber Policies
This blog series began by asserting that in the new year, given the obvious ineffectiveness of our current cyber policies, it is time for policy makers to begin to focus on issues that might really matter in terms of creating a sustainably secure system. We then moved on to identify two major areas where the government could really make a difference but has spent comparatively little time and resources: specifically, workforce development and enhanced law enforcement. Those posts suggested a range of directions the government could take to address these deficiencies in both the short and longer terms.
Policy Makers Are Ignoring Issues
However, many in government, while largely ignoring issues like improved law enforcement and workforce development, instead focus on government regulation of industry as the answer. So, before proceeding to outline a plethora of more practical and effective policies government could pursue, it is probably prudent to focus on why the default solution to cybersecurity, i.e., regulation, is (at least in its traditional form) inappropriate for successfully addressing the cybersecurity threat we currently face, and will continue to face in ever more dire circumstances unless we fundamentally rethink our approach.
Future Discussions
In successive series of blogs we will discuss the following:
The long history of cybersecurity regulation and the fact that it has never been shown to actually enhance cyber security.
The core myths underlying cybersecurity regulation, why they are inappropriate to the realities of the digital age, and the cyber threats raised by digitization.
The fact that government regulation, in addition to not having a record of success, is often actually anti-security. Yes, that means the current regulatory structure is more harmful than helpful in terms of actual security.
The more modern and appropriate methods available to create regulations that, where appropriate (and regulation is appropriate in some instances), hold the promise of actually enhancing security.
The Digital Age and Aging Policy Makers
Before getting into these admittedly wonky discussions, it might be helpful to start with the broader, basic discussion. Specifically, we need to be clear about what exactly we are talking about. Because the reality is that most cyber policy makers are, I’m sorry, old. Our cyber policy makers are, for the most part, digital immigrants who were not born into the digital age they currently live in. So it may well be understandable that they do not really “get” cybersecurity: why it is actually quite different from traditional security discussions, and why the fundamental changes brought on by the digital age require a fundamental rethinking of core issues such as the relationship between the public and private sectors.
Given the digital immigrant status of many, if not most, policy makers, it is not surprising that they would go to the default answer of government regulation and assume that a model created in the 18th century would be sufficient for 21st century threats, including cybersecurity.
On a personal note, I myself am, ah, well … old. – 70. Ok, 70 and a half – well really 70 and 3/4 – I’m dealing with it. Maybe age itself isn’t that much of an excuse. Hopefully you can teach some old dogs some new tricks. But I digress.
Good Cyber “Hygiene” is Not Enough
Most cyber regulatory structures consist of a list of government directives. The essential model is for industry to go through the government-determined list of requirements and check them off as they comply. In earlier eras, cyber checklists were state of the art. In the early days, say at the turn of the century, these modalities were the best we could do. Early cyber-attacks may have been fairly generic in nature, and hence generalized procedures could be expected to mitigate them. However, the attack community long ago moved on to uniquely designed attack methods, often using “designer malware” crafted for a specific target. While generalized frameworks might be helpful in fending off unsophisticated attacks, and can provide the basis for more sophisticated structures, simply following good “hygiene” (usually an undefined term) will not be sufficient to address the attacks we really need to focus on within a risk management structure.
It’s Not Just About Corporate Malfeasance Anymore
For this reason (as well as several others), an effective cyber risk management design cannot be expected to follow from a generic set of federal or state regulatory mandates. That 20th century variation of the model was designed to regulate more stable issues such as product safety. For example, once you had determined the correct amount of lead to allow in the paint for children’s toys, or the proper degree of friction to make car brakes effective, you were good to go. So long as the industry followed the specified requirements, we were safe. The purpose of government oversight was to police bad actors who were not complying with the proper design requirements. Essentially, the targets of the regulations were those engaged in corporate malfeasance.
Following Outdated Guidelines Does Not Make You Safe
However, in the cybersecurity domain, simply following the guidelines does not mean you, or the public, are safe. The issue is not that the products the companies are making are unsafe; it is that the companies are under attack, often by very sophisticated attackers. In fact, the government itself is attacked just as readily as industry, and presumably the government follows its own guidelines (actually it often does not, but that is a separate discussion for later).
We Need to Evolve a New Model
In the cyber world we cannot rely on the outdated consumer product safety model because we are dealing with an entirely different problem. We need to evolve a new model in which defensive strategies are aligned to the unique threat profile of each target, understanding that this profile may well change. By analogy, traditional cyber defense conceives of the defensive structure as something like a dam: if properly maintained, the dam will prevent compromise and we will be safe.
Cyber Defense is Like Defense on the Gridiron
Cyber defense is actually much more like a football game. In football, the offense comes to the target with a carefully designed plan of attack. When it is ready to engage, the first thing it does is observe the target’s defense. At that point it often alters the attack to account for the specific defenses it sees. The attack then proceeds in conjunction with numerous fakes and false indications. The casual fan might think this is just the quarterback faking a handoff before throwing a pass, but actually the feints and false fronts are happening all over the field. The linemen are engaged in various “stunts” to fool those who are blocking them, and the defensive backs are disguising “man” coverage with complicated zones. Meanwhile the offense is running “fades” and crossing patterns that only sophisticated players in the system can detect, all designed very carefully to mislead the defender away from the real attack.
And all of that is just football. In the field of cyber-attacks, the stakes are far higher and the attacks are far more sophisticated. In the cyber security world, the goals are far more than reaching the Super Bowl. The goals of cyber attackers are to steal trillions of dollars. Or, in the case of Russia, to undermine the entire democratic system (not just in the US, but everywhere). Or China, where the goal of the multi-trillion dollar “Digital Silk Road” program is to fundamentally change the world order from the US/Western European dominated system that has existed since the two world wars and to replace it with a Sinocentric system. And they are making real progress.
A Relentless Offense Needs a Good Defensive Plan
And, much like in the cyber world, the attacker in football (the offense) almost always succeeds. It is unusual for an offensive play not to gain yardage. It is also unusual for an offensive team (think attacker) not to reach its goal and score. Of course, it does not do so on every play. But it does not have to succeed on every attack, just as in cyberspace.
All this is pretty comparable to cybersecurity. The attackers will almost invariably score because defending against them is so hard. The defense needs to mitigate these losses as best it can and attempt to win the broader contest with a grander overall strategy. Sadly, we in the US/West do not have such a strategy, and our policy makers seem more interested in debating the number of hours allowed between an attack and its reporting (to undetermined benefit) than in creating a sophisticated defense.
Shaking Off the Rust
In their recently published book, The Fifth Domain, Dick Clarke and Robert Knake, two people who would know, comment that we essentially have not changed our cybersecurity strategy since the Clinton Administration. I have to agree with Clarke and Knake. Our current cybersecurity strategy needs to change. Putting more focus on improving law enforcement and developing a capable cyber workforce are good first steps. Stepping away from the default regulatory approach to cybersecurity is another move in the right direction. Subsequent posts will detail specific design flaws in cyber regulation. It is time to kick off a new direction in cybersecurity.