April 2023
Christopher Clark conducts interviews with leading corporate directors and subject matter experts for Stuart Levine & Associates, a global consulting and leadership development company. The Planet Governance™ interview series features the views of corporate directors, chief executives, and governance experts on timely issues from succession planning to cyber-resiliency to stakeholder activism.
This well-respected expert says we must figure out the economics of cybersecurity…
Mr. Clinton is President and CEO of the Internet Security Alliance. He was twice listed in the “NACD Directorship 100”, which recognizes the most influential individuals in corporate governance. He is also the primary author and editor of the Director’s Handbook on Cyber-Risk Oversight published by the National Association of Corporate Directors, which is endorsed by the Department of Homeland Security and the Department of Justice. Of note, Mr. Clinton regularly testifies before Congress. He has also briefed NATO, the G-20 Summit, and the Federal Reserve.
Larry Clinton
Chris: Larry, I’m going to cut to the chase. What are the two or three most important messages that ISA conveys in the just-published book, Fixing American Cybersecurity?
Larry: Chris, it’s a pleasure to be here and I appreciate the opportunity. I think the most important message is that we are losing. We have been doing a lot of things in cybersecurity for several years, but we are not making any progress. In fact, things are getting worse, things are getting much worse. Cyber events are ubiquitous against industry, against government.
According to the World Economic Forum, the world-wide damage from cybercrime will total roughly $10.5 trillion by 2025. Some of the criminals are as effective as the rogue nation-states, so the first message is that we are losing. I think the second message is that our adversaries are being much more assertive and aggressive as well as being more conscientious and sophisticated about how they are attacking us, than we are on the security side.
One of the major chapters in the book is about China’s Digital Silk Road, which is part of its massive belt and road initiative (a.k.a. “BRI”). It’s a program that the Chinese are implementing with great success, which will reach $1.3 trillion in investments by 2027. It is fully integrated with their technology industry as well as their banking industry, their military, diplomatic and even technical standards operations. They are making tremendous inroads all around the world.
Getting Chinese technology placed into our infrastructure, complete with obligations from these companies to report back to the Chinese Communist Party (CCP) was and is a part of Chinese law. Their investment over five years is about six times what we intend to spend in the United States on cybersecurity. That’s just China. There’s Russia, Iran, North Korea, and the criminal syndicates — and we are not responding in kind. These players have a very sophisticated strategy; we don’t even really have a strategy – we have a collection of disjointed tactics.
Larry: The financial harm is gargantuan, but it is not just the financial harm, it’s the geopolitical fallout. We are losing allies. There are the contracts in Europe, Asia, Latin America that are going to the Chinese because they are massively cross subsidizing their industries, so our competitive position is beyond weak.
The point that I’m really trying to emphasize here, Chris, is that we’re not being responsive. This is a competition, and we are playing minor league ball and they are playing major league baseball. Not that we’re not trying hard but we’re not doing enough. In fact, as I started to say, we don’t really have a cyber strategy. We have a collection of tactics, information sharing, standards, development, reporting requirements, nice things, but not on the strategic scale of China’s Digital Silk Road.
The third message – we are thinking about the problem in too narrow terms. Virtually all the activity in cybersecurity over the last 20 years has been focused on the technology. There’s a real and important technological component to cybersecurity, but it’s not just an IT issue. It’s an enterprise-wide risk management issue that needs to be addressed on a strategic level.
Chris: Speaking of strategy, what should directors be hashing out in the boardroom?
Larry: First, your cybersecurity function within a corporation should not be managed by the IT team. To a hammer everything looks like a nail. If you have the IT guys in charge, then you’re going to get nothing but IT solutions. You need more than that… you need the human resources people involved because the “people factor” is the biggest threat. You need to involve the supply chain people as compliance issues are part of this mosaic — same with public relations, incident response, audit, and legal.
You need to look at cyber from a broader perspective within a corporate environment. The cybersecurity operation should be an enterprise-wide risk management team led by someone with enterprise-wide authority. A chief risk officer, chief operations officer, chief financial officer, somebody like that manages the team so that everybody has buy-in and thinks of cybersecurity holistically. As you’re evolving this initiative, the budget should not be part of the IT budget. It should be a cybersecurity budget.
Chris, you know this as well as anybody, no board makes important decisions without consulting finance or legal. In the 21st century, you need to add a cybersecurity touchstone. Strategic decisions from mergers, acquisitions, strategic partners, developing new products, and new supply chains all have major cybersecurity components that need to be woven in at the front of the process, not at the end of the process.
There’s another important element that needs to be brought to light, which is the board’s responsibility to assure that they are looking at cybersecurity from an ecosystem point of view, a kind of an ESG approach to cybersecurity.
It is the board’s affirmative responsibility to be sharing information with their colleagues, to be sharing information with the government and getting it back. You cannot secure your own little plant. You can’t build walls and put up guards in cyber. You need to have a whole ecosystem approach, and we have not had that to this point with everything entity by entity.
Chris: At Stuart Levine & Associates, we believe the CEO and the board must own cyber, which unfortunately is generally not the case.
Larry: That has historically not been the case. There are leading organizations that are doing that. We are seeing the data show us that leading organizations are moving towards a different model for cybersecurity, and the board is taking a much more aggressive oversight function over the management of cybersecurity. We are seeing movement in that direction, but it’s far from ubiquitous.
Chris: How does the ISA work with CISA?
Larry: We work collaboratively with them. For example, CISA and DHS have always been partners in the creative process of the Cyber-Risk Oversight Handbook, including the latest edition. In fact, Jen Easterly wrote the foreword in the fourth edition of the handbook. Our collaboration really extends throughout the entire CISA environment.
Chris: You say we have been monumentally losing the cyber war for years and years. Why?
Larry: Yes, the problem is not that our technology is bad – the problem is our technology is under constant attack. That’s a very different problem. The reason it’s under attack is because all the incentives favor the attacker, and their tools are incredibly cheap. You can get cyber hacking as a service on the dark web, and there is a low price of entry, enormous profits, no law enforcement, and we successfully prosecute less than 1% of cyber criminals.
On the defender side, we’re defending a porous perimeter. Cyber thieves always have a first mover advantage. It’s hard to show return on investment on things you’ve prevented. As I said, we have no law enforcement. The incentives are widely out of balance. We need to shift the focus away from the victims of cyberattacks to the people who are creating the technology and assure that the incentives favor long term investment. President Biden’s new national cybersecurity strategy, for the first time, acknowledges we need to go in that direction. Now we must do it.
The outdated/failed approach of penalizing the victims and sending CISOs to jail because their company was attacked is absurd. There is no private sector entity in the world that can adequately defend itself against the Chinese military. We need to face the reality of the cybersecurity problem, which is a misaligned incentive model.
Chris: There is more to it, yes?
Larry: The private sector, of course, has a responsibility for security but that responsibility is to the commercial level. Everybody knows that 10% of the inventory is walking out the back door every month. Why don’t they hire more guards? Because it would cost them 11%. For the private sector security is understood at a commercial level.
Now the government also has commercial and economic issues, but they also have uneconomic issues. They’ve got national security. They’ve got social safety nets. They’ve got to run elections. There’s a huge gap between commercial security and national security. The problem is on the internet, we’re all using the same system. Private infrastructure is now inheriting national security level responsibilities to fend off nation states and they can’t do it funding security at the commercial level.
We must find a way to work with government to fill in that economic gap, between commercial security and national security. We need to create a secure infrastructure, while maintaining the economic viability of those companies because we need those companies to attract investment, innovate, and continue to spur our economy.
Larry: To accomplish this we need to take a clear-eyed look at the economics of the digital age. One of the great myths of the cybersecurity world is that cybersecurity is so good for business that its ROI will generate adequate security investment. If that were true, we would’ve solved the problem 20 years ago.
Cybersecurity is a cost and when you are dealing with sophisticated adversaries – it’s a large cost. We must figure out the economics of cybersecurity, and as I said at the outset, we need to be doing it quickly because we are losing this fight.
Chris: We have been preparing our clients regarding the proposed SEC cyber rules, which pertain to more fulsome disclosure, more details regarding the qualifications of the board’s cyber expert, and several other key provisions.
To the layperson, it looks like a much-needed catalyst. It may stress out some boards because they may not be able to fully meet the standards. Do you think it will help be a positive for cybersecurity and for the average investor?
Larry: No, I don’t think it will help. I think it may well hurt for several reasons. First, in the SEC’s notice of proposed rulemaking, they themselves say that there’s no evidence that this program is going to work. Rather than another extensive, untested disclosure regime, we would suggest the SEC simply require companies to follow the principles and tool kits in the NACD-ISA Cyber Risk handbook (endorsed by CISA and the FBI), which both PwC and MIT have studied and found generates significant security improvements.
Moreover, the detailed sophisticated disclosures that they’re asking for are not the things that the typical investors are even going to understand, let alone understand how they work within the intricacies of a particular company’s technology system. You know who will understand that? The criminals. These disclosures are liable to write an attack map for the criminals.
The SEC appears to be thinking about cybersecurity as though this were financial disclosure; it’s not. Financial disclosure is essentially a backward-looking, check-the-box, pass-fail exercise. Did you file the form? Did you file it on time? If you did, you are compliant. But compliance is not security.
Cybersecurity is a forward-looking risk management issue. Who is going to attack me? How are they going to attack me? How can I figure out how to mitigate or transfer that future risk? It’s an entirely different model than the traditional regulatory compliance model. By the way, in Fixing American Cybersecurity we go through a detailed explanation of why the traditional regulatory model is just a bad fit for cybersecurity. It’s too slow and the jurisdiction’s inadequate. The NACD-ISA model is a far better fit for the dynamism of the digital age and would give investors an understandable basis to make judgments.
Chris: Are there two or three recommendations that really capture your heart and brain?
Larry: The best thing that we could do is to establish a “National Virtual Cybersecurity Academy”. By academy, I mean we would provide free tuition for people who go into cybersecurity. They would follow a prescribed course. Upon graduation, they would be required to do several years of cybersecurity government service.
One of the most persistent problems and ubiquitous problems we have in cybersecurity is the workforce. We simply don’t have enough people. Chris, it is axiomatic that nothing else works unless we have a workforce. The regulations don’t work, the standards don’t work. The technology won’t work unless we have enough adequately trained people to implement them.
What we’re talking about is a virtual academy. You would go to the school of your choice, and you would take the approved Cybersecurity Academy Program. You can also take poetry and go to the football games and everything else, but it’s like ROTC, except it’s all cybersecurity. You get the full college experience. Instead of building a new campus, we would use distance learning and digital teaching techniques, which dramatically cuts the cost and leverages our limited faculty to serve many more people.
Unlike, say, securing AI, training a workforce is something we know how to do. It’s a simple economic issue — supply and demand. When I started working at ISA, I was complaining that there were 100,000 cybersecurity jobs we couldn’t fill. Now there are 750,000 in the United States. There are 35,000 cybersecurity jobs in the federal government we can’t fill.
Right now, the government is paying through the nose to find cybersecurity people, and they can’t keep them. The private sector steals them away. The academy would provide us with enough people to secure our government the same way we assure we have enough soldiers and sailors – free tuition in return for government service. They would also serve their years at regular government salaries, so government makes money on the other side.
This is something that should be funded by the government. Our problem is not truly a cyber workforce problem. This is a national defense mobilization issue. We’re under attack by nation-states and we don’t have enough trained cyber soldiers to protect us.
Chris: In the world of corporate directors – how can they further support this idea?
Larry: Everybody knows the cybersecurity economics are upside down. Everybody knows that we’re not prosecuting enough criminals. Everybody knows we don’t have enough workforce. There’s nothing controversial about what I’m saying here. This is a matter of political will and understanding. Often government looks to the private sector for direction on issues like digitalization. We must educate our government colleagues, our partners, in the right way.
Corporate boards can be a model for the federal government. Corporate boards are way ahead of our government in terms of how they’re structured. Our government is still structured like it was in World War II. We need a much flatter, more agile structure. We have cybersecurity efforts happening in every single government agency, all a little bit different. They’re all making the corporations comply with essentially the same stuff, but all a little bit different, which means we dramatically magnify the cost without any improvement in security. We need a unified model.
Conflict in the digital age is not solely the province of the traditional armed forces. In the digital world, the private sector is often far more sophisticated than most of government. The private sector is much bigger. It’s got more people; it’s got more money than the federal government. Not any one company, but all taken together, the private sector can do much more – but government needs to be open to a modern, digital-age style partnership.
Government needs to be operating more closely in partnership with private industry as opposed to the existing model. The government would tell you that they are in partnership, but their notion of partnership is like a parent-child partnership or a bad marriage. Those marriages, they don’t work.
It should be a good marriage where two independent partners with differing perspectives, but similar goals need to find a way to work more closely together in a more egalitarian fashion. That’s what our opponents are doing now. They’re doing it in an authoritarian and central economy-oriented process.
To close, I would argue that our free market system, which exudes innovation and entrepreneurship, is a much better model for competing in the digital age. We simply have not activated it; we need to bring substantive digital transformation to our government that is commonplace in virtually every private sector entity.
Chris: Larry, thank you for your time, insights, and dedication to cyber risk education.
Mr. Clinton is President and CEO of the Internet Security Alliance. He is also the primary author and editor of the Director’s Handbook on Cyber-Risk Oversight published by the National Association of Corporate Directors, which is endorsed by the Department of Homeland Security and the Department of Justice.
Chris Clark joined Stuart Levine & Associates as a senior consultant after a distinguished career at the National Association of Corporate Directors. His expertise ranges across a variety of disciplines including corporate governance (with data-driven board assessments as a cornerstone), strategic communications, leadership development and assessment, and digital content creation.