A National Cybersecurity Action Plan is a Serious Priority

We cannot allow this slow economic bleed of our economy to continue. It slows down and even reverses living standards. We simply cannot invest billions into research and development and have it siphoned from us with a few clicks. There is no justifiable reason to let this happen anymore. Smart and competent people have been sounding the alarm bells for some time, but they need more voices to back them.

Expectedly, our cybersecurity issues are growing.  We say expectedly for a variety of factors including, but not limited to: size and scope of breaches, increasing costs that cannot be accurately estimated or predicted, a proliferation of technologies and abilities, and geopolitical tensions. Given current conditions, we do not see a particularly bright future if our current cybersecurity strategy remains more or less constant.

What is our current strategy? In short, it is the accumulation of a lot of expensive toys to hold together decaying infrastructure, along with a healthy dose of the putting aside or worse, ignoring, the basics. In short, we look to more technological solutions, but we avoid the single greatest problem: our decisions. The growing track record of failures demonstrates that this “technology-heavy” approach is not working.

The underlying problem with this strategy is that it is simply untenable unless there is some revolutionary technology that completely changes the landscape. And while we do think artificial intelligence and quantum computing will be game-changing, we do not necessarily believe they will solve all our problems. Poor handling and implementation of these two technologies may, in fact, accelerate our demise. Therefore, we cannot continue to throw what limited resources we have at supposed technological wizardry, fixes, and repairs when the root of our deepest problems are inherently insecure systems, poor maintenance, and social engineering.

The Realities of Cybersecurity

The reality is, cybersecurity is a tax. For only a very few of us is “cybersecurity” a revenue generator and that group is more or less limited to vendors, researchers, developers, contractors, consultants, and some academics. For everybody else, it is a cost that brings us no return. Yet, just as other costs, such as insurance, a necessary operating cost and an ever-increasingly expensive one.

Cybersecurity is also a liability. Unless you are in the “business of cybersecurity” the only conceivable way that “cybersecurity” is an asset for you is if you can demonstrate to your stakeholders that your cybersecurity posture makes you better than a competitor. Therefore, your “asset” in this case is more of an intangible one, such as in the form of trust or confidence to conduct transactions, the very bedrocks of properly functioning market economies.  As a result, for most of us, cybersecurity is an item on both your income statement and a balance sheet that costs you and puts you in jeopardy.  And when this is the case, what are the prudent courses of action? Minimize the cost while reducing exposure to liability. But these adjustments need to be concurrent and tied, not independent of each other. And you need to find the right balance for you and your operations.

To elaborate, minimizing your cybersecurity costs by not doing as much as you should saves you money upfront, but you may also be increasing your exposure to liability as you pile on additional vulnerabilities that need to be resolved in the future. Translation, this route potentially costs you more later. The flip side is maximizing your cybersecurity expenditure, specifically in the form of bells and whistles, that lead to the cybersecurity promised land.  This route, which costs most now, not only fails to guarantee a decrease in liability, but potentially adds to a different type of liability burning through your hard-earned assets.

In either case, we are not doing a good job quantifying our efforts.  And while both approaches are being used, we see the latter one as the predominant mindset in industry, and that is worrisome to us for the following reason: If we continue down this current strategy, there is only one inevitability – over time, cybersecurity budgets will become the single greatest cost to your operations to the point that they will become so cumbersome that they will force you out of business, even if you are at peak business. Non-profit organizations and yes, countries too, are no different and not immune to this trajectory, prone to suffer the same fate as our dependence on bits, bytes, and potentially qubits rise in the future. Even individuals are vulnerable to this model as personal monitoring services cost money but do not provide total prevention of fraud. And of course, buried in service fees are the passed down costs from large corporations as a means to self-insure. Do not think for one moment that if you are “covered” for fraud you have not paid for that coverage in some other form already.

Therefore, if you view cybersecurity through this lens, you will begin to understand that throwing money at more gadgetry that tacks onto overstressed and inherently vulnerable systems is not only a foolish strategy but one that will run you straight out of business and in the long run ruin your country’s economy.

The Challenge of Eliminating Cybersecurity’s Gray Areas

If these were our only problems we would still have a herculean task ahead of us. But we do have more issues that compound the cybersecurity challenge. If money is the first of our concerns, the second would be lack of international norms. It is a challenge that is influenced more by culture than technology and driven almost exclusively by interest. It would be easy to say “the rules have changed” but we suggest instead that no rules for this domain were ever established in the first place. How else can we explain nation-state involvement in breaches and espionage? How do we allow our supply chain to be so vulnerable? How can we explain that we have, effectively, normalized a type of theft?

The envelope of this gray area is being pushed so far that there is a legitimate reason to worry about who blinks first. There simply is nothing to compare to, particularly when the stakes have never been higher. And if we are to be blunt, who has the most to lose? The United States, of course, which is yet another reason so many actors are pushing the thus-far unestablished limit.

We kindly ask those who say “we’re at war” in public with bravado fashion to stop. Yes, we are challenged and challenged severely by foreign actors, but the “this is an act of war” talk fails to appreciate a delicate nuance; if indeed “this is an act of war” then what exactly is the response? By definition, an “act of war” should elicit a response, but being in the uncharted territory that we are (along with everybody else), particularly when attribution still is so incredibly difficult, a miscalculated response will lead us to down a dark path and fast.

Back to why we say there is nothing to compare to, we simply cannot estimate the costs of such action because not only are there no models for us to run or historical examples for us to compare to, but also because the loss will not be linear when the potential catastrophe will impact so many.  This is why calculating the aftershocks of a response are so incredibly difficult.

To be clear, we are not saying do nothing. We are saying don’t burn the farm you rely on to live in order to save the house.  And we regrettably see a lot of fires being started unnecessarily because even those tasked with “cybersecurity” responsibilities are failing to both understand and implement the basics.  When decision makers do not know the difference between “steal” and “copy” we have a problem. These words do not mean the same thing, even more so in the cyber domain.

We have enjoyed the benefits of a digitized world but never took the care to clean up after ourselves, which is why we sit in this accumulated mess. There is only so much we can sweep under the carpet and in a world where data is everything – literally, everything – we need to do a better job if we are to maintain and expand on the living standards we have inherited. If you accept that data is the richest form of currency today, you will appreciate our concerns. Therefore, whether it is personally identifiable information or intellectual property, we simply cannot allow this continued drain and loss of our most valuable resource, whether by accident, malicious intent or natural disaster. It simply costs us too much.