Fixing American Cybersecurity

Advocates a cybersecurity “social contract” between government and business in seven key economic sectors

Cybersecurity vulnerabilities in the United States are extensive, affecting everything from national security and democratic elections to critical infrastructure and economy. In the past decade, the number of cyberattacks against American targets has increased exponentially, and their impact has been more costly than ever before. A successful cyber-defense can only be mounted with the cooperation of both the government and the private sector, and only when individual corporate leaders integrate cybersecurity strategy throughout their organizations.

A collaborative effort of the Board of Directors of the Internet Security Alliance, Fixing American Cybersecurity is divided into two parts. Part One analyzes why the US approach to cybersecurity has been inadequate and ineffective for decades and shows how it must be transformed to counter the heightened systemic risks that the nation faces today. Part Two explains in detail the cybersecurity strategies that should be pursued by each major sector of the American economy: health, defense, financial services, utilities and energy, retail, telecommunications, and information technology.

Fixing American Cybersecurity will benefit industry leaders, policymakers, and business students. This book is essential reading to prepare for the future of American cybersecurity.

Table of Contents

Foreword by Kiersten Todt

Introduction


PART ONE: Rethinking Cybersecurity

1 The Economics of Cybersecurity: Advantage Attackers
By Larry Clinton

2 Dangerous and Effective: China’s Digital Strategy
By Larry Clinton and Carter (Yingzhou) Zheng

3 The Solar Winds of Change: The Threat of Systemic Cyber Risk
By Anthony Shapella

4 Outdated and Ineffective: Why Our Current Cybersecurity Programs Fail to Keep Us Safe
By Larry Clinton and Alexander T. Green

5 Reinventing Cybersecurity: A Strategic Partnership Approach
By Larry Clinton and Alexander T. Green

6 The Cybersecurity Policy We Need: Incentivize, Modernize, Economize
By Larry Clinton

PART TWO: Sectors of Cybersecurity

7 Health: Cybersecurity as a Core Element of Patient Care
By Lou DeSorbo and Jamison Gardner

8 Defense: Leveraging the Dual Economies of the Defense Industrial Base
By Jeffrey C. Brown, J. R. Williamson, Michael Gordon, Michael Higgins, and Josh Higgins

9 Financial Services: Regulation Isn’t Enough
By Greg Montana, Gary McAlum, Kenneth Huh, and Tarun Krishnakumar

10 Energy: Protecting the Smart Grid
By Ryan Boulais and Jamison Gardner

11 Retail: Serving Consumers and Keeping Them Secure
By Andy Kirkland and Alexander T. Green

12 Telecommunications: Managing International Risk in a Post-COVID-19 World
By Richard Spearman

13 Information Technology: Defining How to Govern IT
By Larry Clinton, Carter (Yingzhou) Zheng), and Tarun Krishnakumar

Conclusion
By Larry Clinton

Notes
About the Contributors
Index

Reviews

"In this thoughtful work, an interdisciplinary team led by Larry Clinton provides their expertise across a broad range of critical infrastructure sectors to propose a new course for public and private sector partnership to better secure our critical infrastructure from cyber incidents."—Brig. Gen. (Ret.) Gregory Touhill, director of the CERT Software Engineering Institute at Carnegie Mellon University, former chief information security officer for the US government, and former deputy assistant secretary for cybersecurity and communications at the Department of Homeland Security, 2014-16

"A must read for policy makers, operators, thought leaders and business leaders. Incremental change within the cybersecurity ecosystem has been mostly ineffective."—Rear Adm. (Ret.) Mike Brown, president of Spinnaker Security LLC, and former deputy assistant secretary of cybersecurity and communications, US Department of Homeland Security, 2008-10

"Over the last decade, corporate boards have increasingly understood [cybersecurity] as a strategic issue blending technology & economics into the organizational mission. Fixing American Cybersecurity translates many of the lessons learned for use in government."—Erin Essenmacher, former president and chief strategy officer,the National Association of Corporate Directors

"Anyone interested in creating effective cybersecurity policy should pay attention to this book. Fixing American Cybersecurity provides a wide range of policy proposals for improving our cybersecurity [and] convincingly argues for alternatives that go beyond the purely technical."—Michael Daniel, President and CEO of Cyber Threat Alliance, president and former cybersecurity coordinator, Executive Office of the President, 2012-17

"If your goal is to gain real insights from well-known experts such as Larry Clinton into some of America's most serious looming cybersecurity challenges, then this new book is a must read."—Edward Amoroso, founder and CEO, TAG Cyber and research professor, New York University's Tandon School of Engineering

"Economic incentives are one of the most powerful forces. Fixing American Cybersecurity brings this often-overlooked economic perspective to the fore to enable better management of cyber threats, risks, and programs. Building starfish-style networks to enhance deterrence and resilience is also covered in the collaboration sections."—Rod Beckstrom, first director of the US National Cybersecurity Center, former president and CEO, ICANN, and coauthor of The Starfish and the Spider,

"Larry Clinton’s timely and important book should be required reading for anyone seeking to learn how the United States can modernize its governance structure to favor innovative, risk-based approaches to protecting our data, networks, and devices."—Matthew J. Eggers, vice president for cybersecurity policy in the Cyber, Intelligence, and Security Division at the US Chamber of Commerce,

"Rethinking cybersecurity requires reframing the cybersecurity challenge as a strategic imperative for both government and business. Larry Clinton and the Internet Security Alliance are the right people to lead that change, balancing opportunity and risk in digital transformation."—Bob Kolasky, senior vice president for critical infrastructure, Exiger, and former director, US Cybersecurity and Infrastructure Agency’s National Risk Management Center,

"Winston Churchill famously observed, ‘You can always count on the Americans to do the right thing, after they have exhausted all the other possibilities.’ Unfortunately, in cybersecurity we have followed this mantra, exhausting ourselves in a disjointed pursuit of what amounts to ‘other possibilities.’ This book maps a path for progress to a strategy that unifies industry and government efforts, accentuates and expands our collective capabilities, and leverages weaknesses of our adversaries—which they certainly do have—to enable us ‘to do the right thing’ and to do it well."—Thomas Farmer, assistant vice president of security, Association of American Railroads, former chair, US Critical Infrastructure Cross Sector Council, and chair of the Surface Transportation Security Advisory Committee,

"One of the uniquely important aspects of Fixing American Cybersecurity is its attention not only to the larger players, but also to the crucial role that smaller entities have in protecting our nation’s supply chain and the unique challenges—cultural, technical, and economic—that US policy needs to address. The authors argue for much-needed sustained support for smaller entities and offer bold ideas and thought-provoking recommendations to incentivize smaller companies to initiate, mature, and optimize their internal cybersecurity."—Ola Sage, president, CyberRx, and former chair of the Information Technology Sector Coordinating Council,

"This book explains precisely why our nation must make significant changes in how we think about cybersecurity from an economic, geopolitical, policy, and systemic risk perspective. Failing to address the foundational issues presented will result in continued loss of ground to our adversaries who leverage state control and resources to their maximum advantage. The book is a timely and critical national call to action."—Robert Mayer, senior vice president of cybersecurity and innovation, USTelecom Association, and chair of the Telecommunications Sector Coordinating Council,

"The Internet Security Alliance under Larry Clinton’s leadership has pioneered long-term policy making in cybersecurity. Fixing American Cybersecurity comes equipped with practical advice from seasoned professionals defending our nation in cyberspace. It promises to be an invaluable resource for advancing our nation’s cyber capabilities and expanding our cyber workforce."—Valmiki Mukherjee, founder and chairman, Cyber Future Foundation, and founder and CEO, Cybrize,

"Cybersecurity is a national security imperative. Fixing American Cybersecurity summarizes the potential challenges and threats to our economy if we do not take cybersecurity policy seriously. It provides a good framework based on lessons learned to help address some of the country’s immediate priorities."—Alberto Yépez, cofounder and managing director, ForgePoint Capital,

"[Fixing American Cybersecurity] would be an ideal text for a course in cybersecurity and a great read for anyone seeking a deeper understanding of today’s cyber vulnerabilities."—The Cipher Brief

"While the book paints a sobering picture of our current cybersecurity landscape, it offers valuable recommendations for improving our defenses and mitigating future risks. This book is essential for security professionals, policymakers, and concerned citizens alike."—Brilliance Security Magazine

"Essential reading to prepare for the future of American cybersecurity, especially in light of contemporary and all to often successful efforts by criminals and hostile nations to breach and manipulate American internet and computer databases, "Fixing American Cybersecurity" must have the widest possible readership and considered an essential addition to personal, professional, community, governmental, corporate, and academic library Cybersecurity & Database protection collections and supplemental curriculum studies lists."—Midwest Book Review

"The content of this volume is up-to-date throughout, and will provide an excellent overview for readers at all levels."—CHOICE connect

Contributors

Ryan Boulais,Jeffrey C. Brown,Lou DeSorbo,Jamison Gardner,Michael Gordon,Alex Green,Josh Higgins,Michael Higgins,Kenneth Huh,Andy Kirkland,Tarun Krishnakumar,Gary McAlum,Greg Montana,Anthony Shapella,Richard Spearman,J.R. Williamson,Carter Zheng

Supplemental Materials

Awards

Choice Outstanding Academic Book of the Year 2023

About the Author

Larry Clinton is the president and CEO of the Internet Security Alliance, a multi-sector trade association that focuses on thought leadership, policy advocacy and developing best practices for cyber security. The National Association of Corporate Directors has twice named Clinton as one of the 100 most influential people in the field of corporate governance. Clinton is the author of numerous publications in the cybersecurity space.