With the resignation of Melissa Hathaway this week, the U.S. has entered a darker era in cyberspace. Ms. Hathaway was correct, in my eyes, to resign. That the position of Cyber Coordinator has gone unfilled for over 8 weeks speaks volumes about the job that the job description never could.
Stuck between a rock (General Jim Jones at the National Security Council) and a hard place (Larry Summers at the National Economic Council), the Cyber Coordinator role is a dream job for someone who would like to accomplish little and massacre their career in the process. At least, that is what one might infer from so many candidates declining the position.
Of particular interest in this scenario, however, is the resistance from the National Economic Council. According to a ComputerWorld article, the NEC has “taken the stance that too much emphasis on cybersecurity will hamper economic growth…The argument appears to be that too many security requirements will result in new operational costs, hurt growth, and limit efficiency…” Ironically, this was the argument posed by the Clinton Administration during the Internet boom in the late 1990s (A Framework For Global Electronic Commerce). Boom or bust, cybersecurity just doesn’t seem to fit in. And there is reason for this.
Wearing my economics hat, I am compelled to agree with Mr. Summers. The current approach to cybersecurity, requiring burdensome compliance mandates with a mind-boggling number of moving parts, is immensely expensive and thus economically inopportune even in the best of times.
More importantly, the cybersecurity community has not established that a majority of what we do, or recommend, actually makes cyberspace more secure. In our defense, we mumble something about risk and then go on to assert assumptions: that if you do A, B, C, D, E, F, G, H, I, J, K and implement technologies L, M, N, O, P, Q, R, S and T, then maybe organizations will have a degree of protection, maybe. This is hardly the foundation from which to argue convincingly that cybersecurity is worth the expense and can deliver meaningful outcomes. It is also not an equation for economic vibrancy even if we could unequivocally justify our current approach.
But, of course, a leader would recognize this incongruence and determine that we need to change course as an industry. But we haven’t. Instead, there seem to be many within the cybersecurity community who continue to insist that “we know better,” that the “right” thing to do is A, B, C, D, E, F, G, H, I, J, and K, and that if only the nation would commit to the “right” path, invest in it, national cybersecurity might indeed improve. I argue this is not the case. Like World War I generals, this is simply arguing for more of the same, while we continue to spend exorbitantly on losing the fight.
We should use Ms. Hathaway’s resignation as a chance to reflect on and re-adjust our approach to cybersecurity; to listen to General Jim Jones, Larry Summers, our executives, and customers and take their feedback to heart. They are not fools for ignoring our message. We are fools to keep repeating it. Stop discounting their viewpoint as unaware, their outlook as backwards, or their mindset as uninformed. We need an approach to cybersecurity that recognizes and incorporates market realities, economic fundamentals, and human propensities (both rational and irrational). We need a better, more efficient way of securing our infrastructure that National Security and National Economic Advisors can agree with and support. The National Advisors are big boys; they know their stuff. The onus is on us, not them, to “get it.”
Ms. Hathaway will be missed. With her departure, we need a leader now more than ever before.