KREBS TELLS BLACK HAT ‘TIME TO RETHINK CYBERSECURITY.’ HE IS RIGHT!

At Black Hat last week, former CISA Director Chris Krebs said out loud what virtually everyone in the cybersecurity world already knows. He said:

"The digital environment around us has changed so dramatically in the last 25 years, while our government hasn't kept up," "It's time to rethink the way government interacts with technology."

Even the so-called person-in-the-street knows digitization has changed the world in the last 25 years and suspects that government has lagged behind.

What is far less well understood is that our major cyber adversaries have adapted strategically to the digital world and the USA – notwithstanding recent increases in structures and funding – has already fallen well behind our adversaries in many critical areas. Unless we dramatically change course, our adversaries will change the course of future world events for us.

China, as just one example, has spent the past decade developing an extremely sophisticated, integrated, and multi-faceted digital strategy called the Digital Silk Road, which it is funding at $1.4 trillion over the next five years. The funding for this digital strategy is increasing more than its defense budget.

The strategy, which is already being massively implemented around the world, leverages China’s economic power to cross-subsidize its domestic industry – especially, but not only, its technology industry – to compete unfairly against western organizations. The result is massive investments and partnerships that China coordinates with its geo-political and military goals and that are having a discernible impact.

Many are familiar with how Huawei has been transformed from a small telecommunications switch company into the world’s largest telecommunications provider in just a few years and now provides the dominant 5G platforms in Europe, Asia and Latin America. And Huawei is just the tip of the spear. Similar and more dangerous case studies can be done with Tencent, Alibaba and China Telecom.

The Digital Silk Road strategy integrates what we in the US think of as cybersecurity with China’s military, geo-political, economic, and totalitarian philosophy and is already successfully creating fissures in the foundation of the post-World War II US/Western European world order – which is China’s stated goal.

The US has nothing remotely similar to this sort of modern digital strategy. In their recent book The Fifth Domain, Dick Clarke and Rob Knake noted that US cyber policy hasn’t basically changed since the Clinton Administration and, as Krebs pointed out at Black Hat, our outdated structures actually prevent us from even beginning to understand and address digital issues in the modern integrated way that the reality of the digital age – that the threats to our nation – demand.

Krebs advocated for what he termed a heavy package of establishing a US digital agency "that could take elements of CISA, elements of NIST and NTIA, the DOE, and the National Labs, maybe bits and pieces of the FTC and the FCC," Krebs said. This risk-management agency's scope would extend beyond cybersecurity. "I'm not just talking about cyber," Krebs said. "We're not where we need to be. We're falling behind and Americans are suffering as a result."

As readers in this space are aware, for the past year the ISA has been promoting a very similar approach, calling for the creation of an Office of Digital Strategy and Security (ODSS) in nearly 100 blogs as part of the “RE-Think Cybersecurity” Campaign (now available at www.isalliance.org).

These blogs have been compiled into a book called Fixing American Cybersecurity (Georgetown University Press) with its release timed to the incoming Congress in February 2023.

This extensive blog series and the upcoming book argue, similarly to Krebs, that US policy needs a thoughtful, comprehensive, and truly collaborative digital security strategy competitive with that of the Chinese government and other adversaries. This digital strategy would encompass cybersecurity, but not be limited to it. Just as cybersecurity is not the sole province of IT, so, too, a digital strategy cannot be confined to traditional conceptions and structures for national defense.

This will require a permanent and far more collaborative structure, located in the Executive Branch, that more fully integrates the private sector – not just the IT sector – with government in digital defense. This entity would be charged with analyzing digital issues in a multi-dimensional and holistic fashion. Although the U.S. strategy needs to be as sophisticated as China’s Digital Silk Road, it need not, and should not, be a mirror of the Chinese strategy. Rather than mimicking the model of centralized government control and mandates, the US needs to instead leverage the unique and powerful advantages of western democratic norms and market incentives to accomplish this policy reform.

The ODSS would be charged with proactively crafting, assisting in implementing, and evaluating a sophisticated and integrated national digital transformation strategy. This strategy would seek to leverage U.S. democratic and economic traditions and enhance our competitive posture relative to our adversaries. The new strategy will describe how digital technology has changed the world and how the U.S. will utilize modern market-based methods to respond to these changes and enhance its own national and economic security, placing the U.S. in position to maximize Western democratic goals in the 21st century. The strategy would be to take a holistic view of how the government, in partnership with the private sector, needs to address major issues created by modern digitalization and leverage them to better achieve national goals.

To create this adequately competitive integrated digital strategy, structural reform is required, such as the creation of a new White House Office of Digital Strategy and Security (ODSS).
