The attack surface of company networks is as expansive and porous as ever.
That being so, a new book, Fixing American Cybersecurity, could be a long overdue stake in the ground.
This is a well-reasoned treatise collaboratively assembled by board members of the Internet Security Alliance (ISA). Laid out in two parts, Fixing American Cybersecurity dissects the drivers that got us here and spells out explicitly what’s at stake. It also advocates a smarter, more concerted public-private partnership as the core solution.
Part one of the book catalogues how cyber criminals and US adversaries have taken full advantage of systemic flaws in how we’ve come to defend business and government networks. Part two comprises essays by CISOs from leading enterprises outlining what needs to get done.
I had the chance to query Larry Clinton, ISA’s president and CEO, about the main themes laid out in Fixing American Cybersecurity. ISA is a multi-sector trade group focused on policy advocacy and developing best practices for cybersecurity.
We discussed the book’s core theme: a fresh set of inspired public-private strategies must arise and gain full traction, or America’s strategic standing will not recover. Below are highlights of our discussion, edited for clarity and length.
LW: Your juxtaposition of China’s approach to cyber strategy vs. the U.S. is chilling. How does China’s deployment of spy balloons tie in?
Clinton: The balloons are simply the latest “shiny thing” that captures our attention – much like TikTok. The US needs to be more aware of China’s broader, surreptitious digital strategy.
China has aggressively assembled a vast and growing technology base to expand its influence, and, when needed, spy on the rest of the world. Until a few years ago Huawei was a little-known vendor of phone switches. Today it is the world’s largest manufacturer of telecom equipment, including critical 5G equipment.
China funneled tens of billions of dollars of direct and indirect assistance to Huawei. These subsidies have enabled Huawei to literally make offers too good to refuse to governments in Asia, Africa, Europe and Latin America – and even in rural portions of the US.
Huawei is just one example of the breadth and depth of China’s digital strategy. Alibaba controls the world’s largest money market fund and handles more payments than Mastercard. Baidu is extending into deep-learning markets, such as brain-inspired neural chips – all under China’s state-run umbrella. And Tencent combines the functionality of Facebook, iMessage, PayPal, UberEATS, Instagram, Expedia, Skype, WebMD, GroupMe and many others into a single ecosystem.
China’s strategy isn’t just playing in entertainment venues, it plays in terms of enhancing their military readiness, altering the basis for US-oriented international allies, creating sustainable pathways to intercept our communications, replacing the dollar as the world’s dominant currency and even changing the way technical standards will be written.
It’s a lot more than balloons and cute TikTok dances.
LW: Given our cultural/political divergence, how can the US hope to match China’s cyber strategy?
Clinton: The sad reality is that the US and Europe have nothing in comparison to the comprehensive, integrated digital strategies of the Chinese Communist Party. The same is true, in a different sense, with Russia and the massive cybercriminal ecosystem it has instigated.
Ironically, the western values of free markets and private enterprise are probably a better match for the dynamic parameters of the digital age. However, we need to leverage the advantages of the free market system more effectively to win in this highly competitive struggle.
Certainly, our technical systems are vulnerable, but all critical infrastructure is vulnerable, yet we hardly ever hear of these physical systems being attacked. On the other hand, our cyber systems are attacked all day, every day.
The Chinese understood this from the beginning . . . We will need to match our adversaries by creating a modern, more sophisticated public-private partnership consistent with democratic ideals.
LW: Nightmare breaches keep happening. How can we tell that the paradigm has shifted, for the better; what will that look like in the corporate sector?
Clinton: In the corporate world the paradigm is already beginning to switch toward a more productive approach to cybersecurity. We’re seeing corporate boards address cybersecurity as a strategic business function as opposed to the traditional tech-centric model.
This innovative approach has been led by the National Association of Corporate Directors, which has published a series of Cyber Risk Oversight Handbooks in partnership with the Internet Security Alliance. There are now a dozen of these handbooks available in six languages across five continents.
These handbooks, together with their companion book Cybersecurity for Business, provide both principles and tool-kits that can be used to implement this novel model of cyber risk oversight and management.
The adoption of these principles and toolkits has been stimulated by research that indicates that use of the handbooks actually improves cybersecurity.
LW: One could argue digital Pearl Harbor has occurred several times already. Must we still hope for a massive digital disruption to be a catalyst?
Clinton: The notion that there would be some 9/11 style event that would shock the Congress into action was always a myth. The founder of my organization was a former Chairman of the House Intelligence Committee, Dave McCurdy, who used to say Congress does two things well, nothing and over-react.
Arguably we are still in the do-nothing – or comparatively little – stage, but that is much better than over-reacting. Progress is being made, albeit too slowly. DHS’s Cybersecurity and Infrastructure Security Agency (CISA) has shown some real promise, starting with the securing of our electoral process.
The creation of an Office for the National Cyber Director is also a step in the right direction – although that, too, is brand new with too limited a perspective and not nearly enough funding – but these are steps down a very long road.
The most progress is being shown in the private sector. Corporate boards are leaving behind their antiquated techno-centric models and restructuring to address cybersecurity from a strategic perspective.
LW: What will redirecting the trajectory of cybersecurity in the US look like?
Clinton: The most optimistic new initiative is the creation of a new national, virtual service academy for cybersecurity, which was included in the most recent National Defense Authorization Act (NDAA). This, if properly funded, is the most promising vehicle to finally address the massive cyber-workforce issue.
Nothing can work unless we have enough trained people. This is an economics issue – supply and demand. To solve this problem, we need to stimulate demand. A virtual service academy would operate much as the traditional service academies except it would use digital and distance learning techniques.
Once properly up and running, we estimate we can generate up to 10,000 new students a year which would solve the federal government’s workforce issue in less than four years.
Upon completing their government service obligation, the graduates would likely go into cybersecurity in the private sector – where they will still be serving the country — by defending cyber-attacks and thereby continuing to help resolve the workforce problem.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
The Last Watchdog