On December 1st, the President’s Commission on Enhancing National Cybersecurity (PCENC) released their final report. The commission gave 16 recommendations and 52 action items. A new path is necessary for leaders to effectively reduce U.S. cyber risk. A strategic shift toward reducing risk is emerging from focusing on cybersecurity to cyber risk management. The reasons for the shift are epitomized in 2016 as the year of the data breach. The current IT focused approach to securing networks and reducing cyber risk is failing. Reducing U.S. cyber risk requires developing a strategy beyond a single discipline security perspective, to a multi-discipline organizational cyber risk management approach. It is absolutely essential to move U.S. cyber strategy beyond the CIO in order to reduce U.S. cyber risk. A more comprehensive approach in developing a U.S. cyber risk reduction strategy during President Trump’s first 100 days should be considered as an evolutionary step in the PCENC and CSIS reports.
An effective U.S. cyber risk reduction strategy requires the willingness necessary to embrace the enormous challenges, but without the authority to do it all…and still get it done anyway.
-
Reports by the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity advocate a more comprehensive approach to cyber security. In 2009, the Commission found: 1) Cybersecurity is now a major national security problem for the United States; 2) Decisions and actions must respect privacy and civil liberties; 3) Only a comprehensive national security strategy that embraces both domestic and international aspects of cybersecurity will make us more secure. Source
“The 2009 CSIS Report advocated a comprehensive approach to international cybersecurity using all the tools of national power. The central points included developing norms and confidence building measures and finding ways to make deterrence effective. There has been progress in implementing these recommendations, but while the goals underpinning recommendations remain sound, the world is a very different place than it was in 2009, much more conflictual and much more dependent on cyberspace” Source
This last finding in the 2009 report specifically applied to a cyber risk governance model with the appropriate emphasis discussed in their 2017, rightly transitions from awareness to action. The new administration must face major issues: “1) It must decide on a new international strategy to account for a very different and dangerous global security environment. 2) It must make a greater effort to reduce and control cyber crime. 3) It must accelerate efforts to secure critical infrastructures and services and improve “cyber hygiene” across economic sectors. Source Without using the term, with a list of very specific measures, a cyber risk governance and cyber risk management model begins to form from the report.
The 2017 report has outstanding insights and specific recommendations for the path ahead. The 2009 report necessarily places its priority on leadership and strategic thinking using a proliferation/counter proliferation model and the 2017 emphasizes (again) solutions will not be found in an Information Technology-centric approach, “There is no technological solution to the problem of cybersecurity, at least any time soon, so turning to technologists was unproductive.” Source The CSIS report advocates a unified cybersecurity strategy across all risk sectors by leveraging all elements of national power. A U.S. cyber strategy “beyond the CIO” embracing the challenges of both information, data, and communications, and operationally-focused technologies will be far more effective in reducing America’s cyber risk.
U.S. cybersecurity efforts are constrained by an Industrial Era IT strategy, using Information Age security tools, against Digital Age network threats.
-
Industrial Era IT strategy challenges corporate and federal leaders. Those challenges in thinking and problem-solving will likely plague the PCENC report’s recommendations. Industrial Era IT strategy is plagued by fractured implementation with an over-reliance on authority-based changes rather than leadership driven transformation. Cultural transformation requires leaders to assert their influence through unity of effort and action, while compliance-driven transformation often fails. Industrial Era IT strategy emphasizes technology driven non-solutions. Corporate and Federal CIO’s and CISO’s battle three realities: 1) Technology is only part of effective cyber risk reduction; 2) Admitting technology investments are expensive and still insufficient, but necessary, relegates them to a perpetual inadequate “cost center” seat at the table; 3) Organizational cyber vulnerabilities beyond their control, undermine their efforts to defend the network. The U.S. Air Force has begun the in “operationalizing cyber security.” Peter Kim, USAF Chief Information Security Officer articulated the reality driving this shift, “We need to focus on cyber defense and cybersecurity beyond what we have traditionally done. Threats are changing, and this is not the environment we grew up in. How do we approach the domain of cyberspace beyond what we are thinking about with IT?” The need to manage and reduce cyber risk beyond IT is clear. Enduring transformation and solutions are always leadership driven. A new approach is required.
US Cyber Risk Governance: Ubiquitous Cyber Threat + Ubiquitous Cyber Vulnerability + Ubiquitous Cyber Risk
= Cyber Organizational Risk Management
-
Using a cyber governance and cyber organizational risk management approach to organize and prioritize the PCENC and CSIS reports should be an effective framework to evaluate and integrate the recommendations and actions into a comprehensive strategy. Restoring U.S. digital integrity and mobilizing a sustainable cyber defense will take a coherent assessment of all the recommendations and juxtapose them against all the elements of our national power. The path forward is through cyber governance and cyber organizational risk management on a national scale.
Cyber risk spans across private, public, industry, government and defense. The impediments to transformation are the competing needs, concerns, agendas, risks, capabilities, legalities and other potentially overwhelming challenges. An effective U.S. cyber risk reduction strategy requires the vision and willingness necessary to embrace these enormous challenges, but without the authority to do it all… and still get it done anyway. It’s the job few desire, but must still be done.
We must abandon an Industrial age IT strategy and rewrite the U.S. cyber risk reduction strategy against the digital reality we work, live, govern, and defend… Digital ubiquity and digital integrity are the challenges of our time.
-
Cyber risk is substantially influenced by culture, policies, procedures, compliance, technology, and people. Recognizing the powerful interdependence is paramount to substantially reducing U.S. cyber risk. We must abandon an Industrial era IT strategy and rewrite the U.S. cyber risk reduction strategy against the digital reality we work, live, and defend… Digital ubiquity and digital integrity are the challenges of our time. We must understand our cyber risks and opportunities, develop a plan, mobilize resources, choose agile and decisive leaders who embrace accountability, and begin.
It’s already happening. The shift from a myopic focus on security to a strategic organizational risk management approach can be seen in a recent Advance Notice of Proposed Rulemaking (ANPR) jointly issued by the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) that seeks to improve leadership and visibility of cyber risks in banking and financial institutions beyond the CIO. Cyber Governance: Cyber Risk Management Beyond the CIO details this new approach for industry.
Below integrates and organizes cyber governance of financial institutions with assets over $50 Billion and applies with the proposed framework in ANPR, then asks the larger strategic questions that must be addressed in the President’s national cyber strategy:.
- Cyber risk governance (How does the US govern, manage, and reduce cyber risk across risk all sectors?)
- Cyber risk management (How does the US manage and reduce cyber risk organizationally across risk sectors?)
- Internal dependency management (How does the US manage and reduce risk through a common framework for internal assets, plans, practices, training, technologies, procedures, etc. that create or reduce cyber risk?)
- External dependency management (How does the US manage and reduce cyber risk in external assets [Ecosystem risk], governance, policies, plans, training, structures, 3rd Parties, etc. that create or reduce cyber risk?)
- Incident Response, cyber resilience, and situational awareness (What are the CIO and CISO’s plans to identify, defend, mitigate, and recover from threats across risk sectors? How do risk sectors maintain organizational visibility on emerging cyber threats, and how does that reduce cyber risk in operations and continuity?)
U.S. cyber risk is a Presidential issue requiring oversight to ensure a unified and integrated effort reduces that risk across the crossroads of U.S. national power. Cyber security is the nexus of U.S. national security, economic power and global geo-politics, whereas cyber risk permeates our nation far beyond traditional network risk. A cyber risk mitigation strategy needs to be developed, implemented and sustained across all risk sectors. Digital integrity is the nexus of modern American sovereignty. Without digital integrity there is no national security, no enduring economic viability, and no ability to defend our prosperity, in short, no national sovereignty. The Internet for the United States of America is the modern version of the Brandenburg Gate, St. Louis Arch, Panama Canal and Thermopylae. Digital integrity and security is paramount to our nation’s continued prosperity and global dominance, or our demise.
The Internet for the United States of America is the modern version of the Brandenburg Gate, St. Louis Arch, Panama Canal, Statue of Liberty, and Thermopylae... COMBINED. Digital integrity and security is paramount to our nation’s continued prosperity and global dominance, or our demise.
-
An effective U.S. cyber risk reduction strategy must look at the matrix of organizational risks and vulnerabilities driving insecurity through people, processes, technologies, and products at a scale that is intimidating, but possible. The President must choose leaders who embrace a comprehensive approach, develop a roadmap, and engage these challenges. The PCENC and 2017 CSIS report recommendations are credible, thoughtful, and will be meaningful with effective leadership and a strong implementation strategy.
Adapting and adopting a cyber risk governance approach beyond the CIO will enable a stronger and more comprehensive reach for PCENC and CSIS recommendations to shape organizations across “all” risk sectors. US cyber risk governance should be reflected in principles, standards, practices, compliance, and accountability, which are embodied in culture and manifested in behavior. Just as reducing cyber risk is far broader than increasing cyber security, it cannot be ignored. That compliance alone misplaces emphasis on the downside risk of cyber insecurity. Attackers need credible downside risk for denial, disruption, and pursuit in order to reinforce an effective US cyber risk reduction strategy. The 2017 CSIS report emphasizes this early and unambiguously:
“The creation of consequences for cyber crime, espionage, and cyber attack and making these consequences clear to malicious actors is the most effective ways to reduce cyber risk (especially if done in partnerships with likeminded nations). Since risk cannot be completely eliminated, better cybersecurity also requires holding key critical infrastructures to high standards while incentivizing basic improvements in the general population of online actors. These tasks will require some additional resources, but resources are not the major obstacle to better cybersecurity; the major obstacle has been and remains confusion over the role of government and a lack of will.” Source
In Scientific American, Dorothy Denning discusses attacker deterrence and the necessity for credible risk in the future of U.S. cyber security. Including deterrence is an absolute necessity in a comprehensive risk reduction strategy integrated within the cyber risk governance framework below:
- Cyber risk governance (How does the US manage and reduce cyber risk in across risk sectors?
- Cyber risk management (How does the US manage and reduce cyber risk organizationally across risk sectors?
- Internal dependency management (How does the US manage and reduce risk through a common framework for internal assets, plans, practices, training, technologies, procedures, etc. that create or reduce cyber risk?)
- External dependency management (How does the US manage and reduce cyber risk in external assets, plans, training, structures, 3rd Parties, etc. that create or reduce cyber risk?)
- Incident Response, cyber resilience, and situational awareness (What are the CIO and CISO’s plans to identify, defend, mitigate, and recover from threats across risk sectors? How do risk sectors maintain organizational visibility on emerging cyber threats, and how does that reduce cyber risk in operations and continuity?)
- Deterrence: Disrupt, Defend, & Pursue (What presents a credible threat and increases risks to attacker through effective attacker deterrence across risk sectors?)
Active Defense role in deterrence
Th 2017 CSIS report specifically calls out the somewhat contentious topic of “Active Defense.” Recognizing the challenges, a stronger approach is needed in dealing with cyber crime. The 2017 CSIS report recognizes both the need and angst. “The term itself has become associated with vigilantism, hackback, and cyber privateers, things that threaten to create a destabilizing global free-for-all in cyberspace.” Source A thoughtful and deliberate approach to studying and refining methods, tools, and standards for active defense can and should be considered.
The 2017 CSIS report recognizes, “Ultimately, progress requires stronger procedures for law enforcement cooperation, greater acceptance by all nations of their responsibilities, and, since that recognition may not be forthcoming anytime soon, penalties and incentivize to encourage better law enforcement cooperation among countries.” Source
“In the interim, the next administration should look for ways to assist companies to move beyond their traditional perimeter defenses. This would focus on identifying federal actions that could disrupt cyber criminals’ business model or expanding the work of the Department of Justice (DOJ), Federal Communications Commission (FCC), and service providers against “botnets.” Additionally, the administration could consider measures, carried out with the prior approval of federal law enforcement agencies (most likely requiring a warrant to enter a third-party network) to recover or delete stolen data stored on servers or networks under U.S. jurisdiction.” Source
Recommendation towards developing standards for better deterrence through Active Defense
Essential to the integrity, growth, and sustainable economic strength of the United States of America is the development, evaluation, and authorization of private industry lawful means and methods to protect itself from criminal cyber adversaries breaching, compromising, and stealing intellectual property, personal private data, and other sensitive data beyond the network boundary. A two year study is recommended under the supervision of the Department of Homeland Security in order to assess the lawful means and methods private entities might use to protect their own privacy, private property, security, and sensitive data, under the supervision to develop, evaluate, and assess means and methods to protect privacy, private property, and private sensitive data under current law and to consider and recommend additional or revised legal frameworks for using such means and methods. Source
Study participants would be authorized to develop, assess, demonstrate, and evaluate threat mitigation, monitoring, and defensive means and measures for protecting private entity rights and property that do not destroy, render permanently unusable, or substantially harm computer networks, hardware, data, and software. Study participants would develop for consideration methods, products, and standards for cybersecurity threat monitoring, cybersecurity threat attribution, and cybersecurity threat mitigation consistent with the National Institute of Standards and Technology Cybersecurity Framework. The study participants could also identify and appoint an advisory panel of key industry executive level information security representatives to review, consider, and comment on the studies progress, summary findings, and recommendations. Source
Conclusion
In conclusion, more boxes, more people, and next generation technology with harsher penalties will not reduce cyber risks or bring better security within a company or across our nation. As cyber risk is an organizational threat in corporate America, it also threatens U.S. national security, economic prosperity, and our global dominance. Without digital integrity, there is no national sovereignty. It needs to be said that defending the network is likely the most difficult technical challenge in the digital age. Valiant efforts by CIO’s and CISO’s, their network admins, and security analysts are simply overwhelmed technically, operationally, and strategically. An over-reliance on technology or compliance to compensate for an absence of a comprehensive national risk reduction strategy has and will fail. Leadership matters most. Digital ubiquity and digital integrity are the challenges of our time and we cannot fail.