Why Better Cybersecurity Can Put “America First”
- Simon Crosby reflects on the day’s events as President Trump in inaugurated.
- Red tape, bureaucracy, apparently things in a swamp – all slow down the government’s ability to move quickly.
- A presidential mandate for change could make a substantial difference.
I have recently been fortunate to have the opportunity to advise key leaders in the U.S. government who are seeking to improve government and even national cyber-resilience.
Sadly, many of those with enough clout to mandate fundamental changes (e.g. my recommendation to move to the cloud) are unable to grasp the fundamental technological advantages of infrastructure that is massively more secure “by design.”
“Security concerns” are often barriers to progress, but invariably most are thinly veiled excuses offered by an IT leadership threatened by new technologies and rooted in anxieties about job security. Worse, many of those who do have the skills and technical abilities are not empowered to deliver change. They are dedicated, patient and capable, but frustrated by layers of red tape. In the cyber-domain a mandate for change needs to come from the top.
So I thought I’d change my approach. Instead of arguing that new IT architectures (like cloud) with security “built in” are more secure, and assuming that “more secure” is a clear value proposition, I want to emphasize the value of better cybersecurity, and align it with key themes I’ve heard echoed by team members of the incoming Trump administration. So here goes:
“Bad cybersecurity imposes a significant drag on US business and the economy as a whole. By contrast, making the USG and US companies resilient to cyber-attacks will boost our competitiveness in today’s global digital economy.”
The goal is to “put America first.” We are currently failing at cybersecurity, and will continue to fail unless we make fundamental changes – which is why a presidential mandate for change could make a substantial difference.
- The US economy is bigger, more open, and more digitized than those of Russia, China, North Korea and other cyber adversaries. That often makes the US government, businesses and even citizens more vulnerable to attack than their counterparts other countries. The asymmetry favors the attacker: We expose many easy targets to a few, highly skilled adversaries. At the same time our ability to respond in kind is limited by the smaller attack surface of our competitors, even though we have world-class offensive cyber capabilities.
- Embracing innovation and growth, US companies have taken their businesses on-line as fast as tech and the Internet would allow, but despite the advantages of new markets and economic growth there are downsides: Much of today’s computing infrastructure is manually managed, but humans operating distributed IT systems just can’t keep pace: Users and admins are forgetful, don’t keep systems up to date, and are easy to trick. Human defenders need to sleep. Computerized “bot” adversaries don’t.
- Our global business competitors are poised to leap frog legacy US-style computer and network infrastructure by adopting the latest tech (that we have even made freely available through open source licenses). They have an opportunity to be more secure from the get-go (again making it harder for the US to respond or gain an advantage, while continuing to blast holes in our leaky systems.
- Attribution is at best imperfect, and it is costly to do and its reports easy to de-fang: Was it a state-sponsored adversary or a spotty-faced teenager out for the “lulz”? Nation-state adversaries are skilled at covering their tracks and spreading misinformation. Once again, the defenders bear the cost, and the adversaries, unafraid of the consequences, shrug off “baseless allegations”
- The market will solve the problem badly: Facing a battle against skilled adversaries that they will surely lose, US enterprises will choose a sub-optimal way out: Insurance. Protecting shareholders from loss is a rational tactical response, but it is the loss of critical IP and PII that renders the US vulnerable to foreign adversaries. In the medium term, as US enterprises are stripped of their competitive edge, this will definitely be bad news for America.
- Look at it from our adversaries’ perspective: US commitments to an open internet and promotion of free speech online are seen by our adversaries as direct threats to their governments. Their response – cyber-attacks on the US – are as far as they are concerned, legitimate reactions to US provocation.
There are many more reasons why we fail, but the technology that underlies failure is old, creaky and in need of replacement. We urgently need to act, to build security into the devices and infrastructure of our economy. I’ve advocated for cloud and virtualization as a start, because they will massively shift the balance of power in our favor.
And that’s putting America First.