“The U.S. military is very, very concerned that some of its weapons systems have been compromised. When the Chinese roll out what looks a lot like the F-35 fighter jet, it’s curious how they were able to manufacture that so quickly. And no one innovates at 8 to 12 percent a year as the Chinese have – that can only happen through intellectual property theft.” –Larry Clinton
“A reformed academic” is how longtime Washington insider and cybersecurity expert Larry Clinton describes himself. Clinton is president and CEO of the Internet Security Alliance (ISA), which advocates a “pro market” rather than a traditional regulatory approach to cybersecurity. This approach requires government and industry to work together on mutually beneficial solutions. Clinton authored the National Association of Corporate Directors handbook on cyber-risk oversight. The handbook was the first private-sector resource to be featured on the Department of Homeland Security’s so-called U.S.-CERT C3 Voluntary Program website.
In this interview with Jeffrey M. Cunningham, professor of Business and Journalism at Arizona State University, Clinton elaborates on his vision for a more secure world and ways to approach China and Russia in order to reach some agreement on the nonproliferation of cyber attacks.
You describe cybersecurity not as a technology problem but as an economic problem.
Multiple large-scale studies indicate that the number one problem with respect to cybersecurity is cost.
Some people would be shocked to hear that, because we think we spend too much money on it already.
I’m sure we do spend a lot of money on it. In fact, we spend a lot of money on security generally. But security is historically viewed as a cost center. One of the problems is that if you look at the economics of cybersecurity, the incentives all favor the attacker. Cyber attacks are comparatively cheap and easy to access and launch. The profit margins for digital crime are enormous. Estimates on dollars lost to cybercrime range from hundreds of billions to trillions of dollars a year. So cyber crime is cheap, easy, and profitable.
On the other hand, digital defense is always after the fact, so we are at least a generation behind the attacker. And frankly, there’s virtually no law enforcement. We successfully prosecute maybe 1 or 2 percent of cybercriminals. So long as the economics of cybersecurity are this unbalanced, we are going to have a major problem, and we are going to have to spend money to counteract.
Cybersecurity is a global issue. Where does the United States stand with regard to Russia and China?
We need a much better working relationship with Russia and China, who many see as a source of many cyber problems. The U.S. military, for example is very, very concerned that some of its weapons systems have been compromised. When the Chinese roll out what looks a lot like the F-35 fighter jet, it’s curious how they were able to manufacture that so quickly. And no one innovates at 8 to 12 percent a year as the Chinese have until recently. That can only happen through intellectual property theft.
We need to find common ground to work with these nations on cybersecurity. In the nuclear era, we had massive mistrust and fear of the Russians yet we still negotiated non-proliferation pacts and international standards and inspection systems. The Chinese are our business partners, and we have none of this with them on cybersecurity. I would like to see us sweep politics off the table and discuss protections against cyber theft and disruption.
Is business naïve about the problem, or simply trying to contain it?
Cybersecurity issues are not solvable but they are manageable. With respect to what the C suite is doing, there has been a learning curve that the upper ranks have historically been slow to react in terms of their awareness and understanding of the problem. Now that has changed and we have reached the proper awareness of the threat. Now there is a need to learn how to address cyber as an inherent part of the core business sustainability process.
How do competition and the drive to innovate play into this?
Many of the technologies and business practices that drive productivity, competitiveness, innovation, can actually undermine cybersecurity. The use of cloud computing, for example, can save enormous amounts of money and at the same time undermine security. One study indicated that 62 percent of IT professionals who were surveyed put little or no faith in data they had put in the cloud, including 48 percent who had already put their data in the cloud. Why would they do that? Because it’s so cost-effective. Of course, there are more secure cloud configurations, but they will generally cost more. So security needs to be an inherent part of the business decision.
What about social media?
The use of social media is a similar irresistible force. In many cases, it’s very difficult to hire a modern workforce that doesn’t expect to bring their own device to work so they can stay active on social media. And again, this can dramatically undermine security. These policies can create great productivity and efficiency, but your data is now being placed in the hands of potentially hundreds or thousands of employees on their own devices which may not be secure or tracked.
My point is that all of these things are needed to drive a company’s effectiveness, profitability, and growth, but they have a negative security aspect to them. Current research tells us boards are very keen on using these technologies and business practices for their substantial economic upsides but have not yet fully thought through the negative security aspects. Boards have not yet placed cybersecurity in that context when they are making the decision to launch a new product or service or effect a merger or acquisition. That’s the level of understanding that we need to be moving to.
If you were to gather the key people into a room, who would they be?
Clearly, we need leadership from the top of the government, at the White House level we need the president; and his lead advisor, Michael Daniel, who’s our cyber czar. We need our congressional leadership to engage in this. And then industry needs to come together and find a vehicle to promote an approach to cybersecurity.