By Dan Lohrmann, Michigan Chief Security Officer (CSO); Deputy Director for Cybersecurity and Infrastructure Protection
Ever since I became Michigan’s first Chief Information Security Officer (CISO) in 2002, I have noticed a disturbing gap between front line users, security technologists and many senior policy makers. While both public and private sector executives around the globe readily acknowledge the need for various cybersecurity actions in order to safeguard sensitive information and protect critical infrastructure under their control, many misunderstandings still exist between those on the front lines who use or run the networks and those who allocate the resources and/or set policies. This disunity is being exploited by those who are attacking us in cyberspace.
In my opinion, this cyber gap has been more pronounced in some companies, states and national governments than in others. For example, our Michigan Governor Rick Snyder has a background as CEO of Gateway Computers and he clearly “gets it” when it comes to technology innovation and the cybersecurity risks we face. He has taken strong action to address technology infrastructure improvements as well as improve cyber-awareness and defense. Yes, we still have a long, long way to go here; nevertheless, security colleagues around the country tell me that Michigan tends to be an exception in 2012. And we are not an island.
I believe that this global cyber gap is one of the reasons for the lack of action in Washington D.C. (and elsewhere around the world) regarding cybersecurity legislation or other cyberdefense actions. To be sure, partisan politics are a part of our challenge. However, I have talked with many experts (off the record) who say that they quietly fear that no real change will occur in cyber defense in the USA (or any other nation) until some major incident occurs. Really? Are we just waiting for an inevitable “Cyber Pearl Harbor?” Do we need losses from cyber crime to reach a higher percentage of GDP before we say “enough”? I hope not.
No doubt, there have been numerous “cybersecurity call to action” decrees from various authors, state government associations, cyber summits, international student groups, various commissions, and more. Indeed, we now have a cyber summit (or two) every week. This has become the new normal, and few in society even pay attention to urgent Internet decrees or cyber proclamations. At a local level, some companies and governments have responded aggressively after a major cyber breach, and there is an overall sense of cooperation amongst various Information Sharing & Analysis Centers and public / private partnerships with law enforcement leaders.
However, we continue to be outgunned and are losing more cyber battles every day. Clearly, other issues such as health care and global debt crowd out cybersecurity on the political agenda, but why the constant lack of significant progress? More than that, our weaknesses go beyond legislation or government action and require every business and home in America to pay attention – which seems almost impossible. Even in places where things are going well, the task of protecting data and individuals in cyberspace seems daunting.
While I am an optimist who believes that we will eventually get through this lull in significant cyber action, I do sense quite a bit of discouragement and denial in our professional ranks right now. I speak with CSOs, CISOs and security experts all around the world who feel like we are treading water and not progressing. We’re dealing with attitudes and stereotypes of our profession that somehow prevent progress for fear of either “Big Brother,” a loss of customers, too much security or too little privacy or something else.
What new steps can be taken? Is there a “pragmatic middle” in our space? Are there small steps we can all agree on? How can we truly build more trust? I know that there are global cybersecurity agendas and United Nations groups that are meeting on standards and a level of cooperation on cyber crimes. Still, there is a growing group of people who believe that bottom-up change needs to occur, change that encourages dialogue amongst industry executives, academics and IT pragmatists in a trusted setting.
What can I suggest in the way of a solution?
Enter: “The International Cybersecurity Dialogue (ICD).” This is a new non-profit group which is led by two people whom I respect and trust in our profession: Anne Bader and Richard Stiennon. Over the past year, I have been very impressed with the approach taken by Anne and Richard, and I have participated in several international discussions with other experts in the security field who are also involved. Both of these experienced professionals want to dedicate the next few years to advancing our public and private protections via trusted relationships that can cut through traditional barriers. Events and meetings will encourage dialogue around the world regarding core issues that must be addressed and steps to help make conversations meaningful.
Here’s an excerpt from the ICD website:
“The International Cybersecurity Dialogue program includes roundtables, expert briefings, assessment visits, a closing forum and two reports. Meetings and interviews will be off the record as appropriate. Reports, commentary and assessments will be presented through the ICD Forum. Our leadership core group comprises public and private experts in defense, law, finance, energy, telecommunications, transport, insurance, ethics and legislation from US, UK, Estonia, Singapore and Israel. Towards the end of this period, we will expand to other international partners such as Hungary, India, Brazil, Panama, Germany, France, and Australia.”
There is more I will report on this topic, along with opportunities to engage in the coming year, but I wanted to get this topic out into the public and hear feedback on this new group. As an advisor to this group, I look forward to new opportunities to exchange ideas and learn from others in different settings. We need to engage the entire ecosystem to come up with new answers moving forward.
As Richard Stiennon and Anne C. Bader say on the new website: “We believe that national policies and laws governing the new cyber domain must be made with the public and private sector technologists who create and manage the networks and systems.”
No, this will not solve all our problems. Yes, this is another group to engage with at a time when most of us are too busy. Nevertheless, I am encouraged by my interactions with these colleagues from around the world. The group is planning interactive events that truly encourage dialogue, idea sharing and action. The website offers opportunities to partner and engage others who care about cybersecurity from other cultures. There is also contact information for those who want to learn more.
I believe we need this new international cybersecurity dialogue.
Do you agree?
Originally posted July 2, 2012 on CSO Security and Risk Blogs by Dan Lohrmann on Lohrmann on GovSpace.