
Q&A with Larry Clinton, ISA

Last summer, the Internet Security Alliance (ISA) delivered a book, The Cybersecurity Social Contract, to legislators, policymakers and the two major political parties. It made 106 cybersecurity policy recommendations, as well as a 12-step program of high-level recommendations for the incoming Administration. In a recent interview, ISA President and CEO Larry Clinton told SC Media that he's optimistic cybersecurity will continue to gain prominence and that additional budget dollars will be spent on fighting cybercrime going forward.

Larry Clinton: New administration could get tough on cybercrime


SC: Cybercrime certainly is on the docket at the Justice Department, but an imbalance still exists in the number of budget dollars allotted to fight cybercrime. Could you speak to that, please?

Clinton: We are not spending nearly enough to fight cybercrime. Depending on which estimate you use (and how you value intangibles like Intellectual Property) we may be losing between $500 billion and one trillion dollars (President Obama's figure in his Cyber Space Policy Review) a year to cybercriminals. Yet best estimates are that we are successfully prosecuting maybe one or two percent of cybercriminals.

There are many reasons for this. To begin with, all the incentives favor the cybercriminal. The reality is that cybercrime techniques are comparatively easy to access (you can buy them readily on the Internet), they are cheap to acquire (a couple of hundred bucks), there is a great business model (you use the same techniques over and over on a worldwide basis) and you virtually never get caught. The legal structures have not been updated to adequately address international crime, attribution is pretty difficult and we do not provide law enforcement with adequate resources. We spend maybe $5 billion to combat cybercrime and the losses are 500 to a thousand times that amount.

There may be reason to believe that with the Trump Administration the emphasis on fighting cybercrime could increase. Rudy Giuliani has been mentioned as a potential Attorney General, and he is known both to understand the nature of the cybercriminal world and to have a much more aggressive posture toward fighting it. President-elect Trump has already declared that one of his initiatives will be a full Justice Department review of the cybercrime fight, and hopefully that will lead to better resource allocation.

SC: Is cyber firmly in the mainstream (it was brought up for the first time on the debate stage) and what does that mean in terms of improving cybersecurity or the challenges it might face going forward?

Clinton: Back in the Bush Administration they declared October "Cyber Awareness Month." I think we can say mission accomplished. I think the general public is now pretty much aware we have a cyber problem.

What we need now is more than awareness; we need understanding. Most people, including most policy makers, don't understand the problem. Most still think this is an IT problem. It is far more complicated than simply IT. Many still think that cyberbreaches are basically the fault of selfish corporations who won't spend on security. In fact, cybersecurity spending is up nearly 25 percent this year and the private sector spends nearly $100 billion on cybersecurity (USG non-defense spending on cyber is less than $10 billion).

The reality is that the cybersecurity issue is not like the Enron and WorldCom malfeasance of the 90s. In cyber, the criminals and nation-state attackers are targeting all of us, consumers, government and industry, the same. Most seem not to understand that in this fight we are all on the same side and we need to pull together in unity, because the cyberattack community is far more unified than we are and they are using our disorganization against us.

SC: Can Congress really be expected to create relevant and strong legislation if their own knowledge of cybersecurity – and tech – isn't well-developed?

Clinton: The Government, including Congress, needs to be trained about cybersecurity. Two years ago the National Association of Corporate Directors published a handbook (which ISA prepared for them) on cyber risk management for corporate boards and initiated a training program for them in conjunction with it. Last year PwC independently assessed that effort and determined that it had resulted in a fundamental change in how corporate boards are viewing cybersecurity, leading to massive increases in budget for cyber, better risk management, better alignment of cybersecurity with business goals, creating a culture of security throughout the organization and better communication about cyberthreats.

We need to adapt this program to senior members of the government. We need a training program for the government equivalents of the corporate board members: not the IT people and the staff, but the Members of Congress, the Cabinet Secretaries, the Agency heads, the government equivalents of the corporate boards. If we can make this work for corporate boards, we ought to get similar results from their government counterparts.

SC: What do members of Congress need to do to get up to speed?

Clinton: They need to understand this is not just an IT issue. IT is just HOW attacks occur. To solve the problem we also need to understand WHY the attacks occur, which is largely economic. They need to understand the economics of cybersecurity, and why, until we re-balance the economic incentives for cybersecurity and appreciate how the inherent interconnectedness of the system undermines traditional economic thought, we will not solve the problem.

They also need to get over their interminable turf fights over cyber so we can begin to enact cyberpolicy at something approaching 21st century speed. 

SC: You recently released The Cybersecurity Social Contract. Could you tell us why, and go over some of the recommendations (as well as why they are important)?

Clinton: Our book, The Cybersecurity Social Contract (available on Amazon), was written by the board members of the ISA, people for whom cybersecurity is the day job. Each board member wrote about the unique challenges in cybersecurity in their industry sector and provided pragmatic policy recommendations (106 of them) for the incoming Administration based on the unique needs of their sectors.

We also addressed six cross-cutting issues that need to be addressed, such as the evolving nature of corporate boards, how cyberauditing needs to be reformed, use of cyberinsurance, resolving the tensions between the privacy, security and intelligence interests, setting up a digitally sensitive organization and how to manage public-private partnerships.

We also offered a 12-step program of high-level recommendations for the next Administration:

1. We need to attack this problem with far greater urgency

2. We need to recognize the importance of the economics of cybersecurity

3. Government needs to drastically increase its funding for cybersecurity

4. Government needs to be reorganized to reflect the digital world we live in

5. Cybersecurity needs to be addressed far more as a criminal issue (not just military and critical infrastructure)

6. We need to test the NIST Framework for effectiveness and cost effectiveness

7. We need to prioritize the need to reach small companies far more

8. We need to dramatically reform our workforce development program for cybersecurity (we need to make cybersecurity cool)

9. We need to modernize and streamline cybersecurity regulation

10. We need to develop market incentives to help rebalance the cybersecurity incentive structure

11. We need to clearly articulate the role of government in protecting private industry from nation-state cyberattacks

12. Government needs to fundamentally rethink the cybersecurity compliance model

SC: You delivered a copy of The Cybersecurity Social Contract to the RNC at the convention in July. What was the response?

Clinton: Excellent. The reviews of the book have been wonderful, and we are already hearing many of the themes we advocated, about law enforcement, regulation, workforce development, reorganizing government and others, being "Trumpeted" by prospective members of the incoming Administration.

SC: What did the recent presidential election reveal about cybersecurity in government and in this country in general?

Clinton: Many things, but to me one of the most interesting was how the use of digital technology has usurped traditional media. Virtually all the traditional media missed the Trump wave. How did he get all these people to turn out and vote for him without the traditional "ground game" Clinton had in place? I think it was Twitter. For nearly a year Trump was using this unique medium, which is both a mass medium and an intensely personal medium, to reach millions of people to whom he sent personal and genuine messages, much more effective than a TV ad or handbill. In the end he established a personal relationship far beyond the general politicos who go to conventions and meetings. Finally he asked for one thing in return, to vote for him, and they did. Genius.
