Expert: U.S. Must “Modernize” Cyber Defense Strategy

By John Wagley

In order to effectively combat today’s cyber threats, the U.S. needs to focus more on creating new market-based incentives, allowing companies to develop their own cyber defenses, rather than creating new kinds of security regulations that can sometimes be burdensome and ineffective, according to Larry Clinton, president of the Internet Security Alliance.

The private sector is already being “extremely responsive” to cyber threats, said Clinton, speaking at a House Energy and Commerce subcommittee hearing Wednesday. He noted one estimate that the private sector will spend $80 billion on cyber security in 2011; by comparison, the Department of Homeland Security’s entire spending request for 2012 is just $57 billion.

But the current sophistication and frequency of ongoing cyber attacks has become overwhelming to many private sector organizations, he said. Attacks including Advanced Persistent Threats are carried out by highly sophisticated attackers. And, “[p]erhaps most indicative of these attacks, is that if they target a system, they will invariably compromise, or ‘breach’ it.” Clinton gave his testimony at a time when Congress is increasingly debating several major bills aimed at strengthening the country’s cyber security.

Companies presently have many sophisticated technologies and best practices to strengthen their defenses, Clinton said. The main challenge to cyber security is, in fact, more about economics than technology, he said. Many of these tools and strategies “are not…used because of cost and complexity.”

But creating new security requirements can be expensive and challenging to apply across diverse industries and organizations, he said. They can also be too slow to keep pace with the rapidly evolving cyber threat.

The government could more effectively assist the private sector by creating new types of market incentives that could help companies take advantage of existing tools and best practices, he said. Incentives could come in the form of tax breaks, grants, and liability reforms that could help private sector organizations take greater advantage of security practices including information sharing, he said.

One existing House bill, from the Intelligence Committee, aims to increase public-private information sharing and create new market incentives for security. Another bill, from the Homeland Security Committee, aims to strengthen information sharing and to clarify the government’s authority over cyber security.

♦ Photo by congresscheck/Flickr


Dynamic Cyber Defense Strategy

I have three points.
  1. Many talk of "strategy", but few actually have a true strategy.  I have reviewed many cyber strategies and most are tactical plans or high-level to-do lists of security improvements, and the vast majority fail to identify measures that track progress on implementing the strategy.  Fact is, most fall way short.
  2. Given the dynamics and magnitude of change in the cyber threat environment, a "dynamic" strategy is not an option.  It is a critical imperative!  The write-once read-never approach that commonly follows “strategies” would spell disaster in this domain.
  3. Finally, the Defense Department and our Government have not been known for the agility needed to address this rapidly evolving domain.  This is a challenge that must be overcome quickly to reduce our ever-increasing risk.
