Fixing American Cybersecurity is Harder than it Looks

BOOK REVIEWFixing American Cybersecurity: Creating a Strategic Public-Private Partnership

by Larry Clinton, Editor / Georgetown University Press

Reviewed by Glenn S. Gerstell

The Reviewer – Glenn S. Gerstell is a Cipher Brief Expert and Senior Adviser at the Center for Strategic & International Studies.  He served as the General Counsel of the National Security Agency and Central Security Service from 2015 to 2020 and writes and speaks about the intersection of technology and national security and privacy.

REVIEW — A book describing the difficulty of keeping up with the pace of digital innovation can itself fall victim to that very problem.

This isn’t to say that Fixing American Cybersecurity isn’t an excellent and useful book. It is just that – a thoughtful, well-researched, crisply organized, carefully resourced and insightful description of our current state of cyber insecurity.

Edited and partly co-authored by Larry Clinton, the highly regarded head of the Internet Security Alliance, the book comprises two parts.

The first is a perceptive and intelligent analysis of the American approach to cybersecurity, contrasting it with that of the People’s Republic of China; the second (written mostly by top-notch corporate CISO’s) is a sector-by-sector discussion of the state of cyber vulnerabilities and the mitigations employed in the health, defense, financial services, energy, retail, telecommunications and information technology industries.

Clinton’s starting observation is “[w]e are losing the fight to secure cyberspace, and losing it badly.”  He blames this on our historical approach to cybersecurity:

“The US cybersecurity effort over the past thirty years largely comes down to a series of modest, disjointed, incremental tactics. Unlike the Chinese, we have not operated from a thoughtful, comprehensive strategy that appreciates the extent of the impact digitalization has on everything and leverages our economic advantages, technical expertise and political philosophy in a pragmatic effort to secure our nation.”


Stay on top of what’s top of mind for cyber experts from the public and private sectors by subscribing to The Cyber Initiatives Group Digital Magazine


The chapter explaining how China’s approach differs from that of the US is particularly compelling and forms the basis for the book’s fundamental argument that America must “rethink” or “reinvent” cybersecurity though a “strategic partnership” between government and the private sector. Clinton summarizes what in his opinion is required:

  • “We need to devote far greater resources to addressing the digital threat.”
  • “Needed efficiencies can be generated by systematically evaluating and reorganizing a number of current cyber programs.”
  • “We need to modernize our approach to cyber defense.”

In other words, as Clinton says, “incentivize, modernize and economize.” He correctly and constantly reminds the reader of the economic underpinnings of all aspects of cybersecurity – simply put, money is the reason for cybercrime, money is the reason many apps and hardware aren’t secure by design and money is the reason government and businesses underinvest in cyber defense and resilience. The book’s solution is predictably multifaceted but focuses on federal government structure and strategy and economic policy.

Among Clinton’s more salient suggestions for the federal government is a proposal for a new White House “Office of Digital Strategy and Security,” which could “coordinate easily with the National Cyber Director and the National Economic Council and access the interests of Commerce, Defense, Homeland Security and other department perspectives while overcoming turf issues that have up until now plagued the implementation of effective cyber policy.”

Sound familiar?

Even a casual follower of cybersecurity policy today would recognize all the foregoing thoughts, which, prior to, say, the Solar Winds intrusion of 2019, were more confined to a small group of experts and policymakers – the same ones who wrote study after study calling for enhanced public-private partnership. But in mid-2023, the book’s observations about cybersecurity are neither prescient nor novel; the recognition that our county needs to do much more to defend the cyber domain is now widely accepted across the Executive Branch and both parties in Congress as well as the business community.


It’s not just for the President anymore. Are you getting your daily national security briefing? Subscriber+Members have exclusive access to the Open Source Collection Daily Brief that keeps you up to date on global events impacting national security. It pays to be a Subscriber+Member.


To be fair, a book that describes the current state of play in the cyber world will inevitably seem outdated because of the very point the authors make – “in cyber, the technology is constantly changing, as are the attack methods, and new vulnerabilities are continuously being introduced or resurfacing. In other words, the target state for security is always moving.” Clinton and his co-authors wrote the book mostly in 2021, before Russia’s invasion of Ukraine and CISA’s “Shields Up” program, before the promulgation of the Biden Administration’s National Cyber Strategy (which not only aligns with but goes further than the book’s recommendations), before a massive increase in CISA’s budget, and before a greatly heighted level of attention by Congress and the general public to digital insecurity in all forms. So, it’s not surprising, given the fast pace of cyber developments, that some of the key assessments and recommendations offered in the book are not the right ones for today.

Contrary to the authors’ uniformly bleak depiction, a decent argument can be made that we are indeed making some progress in cybersecurity – for example, almost every CISO in the country is hyper-aware (perhaps prompted by the Russian cyberthreat) of the need to improve defenses and is doing something about it; despite fears to the contrary, our recent national elections haven’t been blemished by cyber maliciousness; and the FBI has been surprisingly successful in disrupting international cyber-criminal gangs and even recapturing ransom payments. No one’s saying we’ve won the war; but the fact is that our nation has taken some big steps compared to the situation as recently as a few years ago. And, after watching the growing pains of the National Cyber Director and the ongoing debate about whether centralized or sector-specific regulation is better, creating yet another cyber office in the White House hardly seems like the right bureaucratic approach.

But apart from simply being outdated in a fast-moving field, the book fails to apply the same level of insight that it dedicates to the historical and current description of our cyber world to the possibilities of the future. The authors offer some general recommendations, albeit with notable specificity around topics such as economic incentives for cybersecurity, but they do not paint a picture of how the security of our digital lives will be affected by, for example, advances in artificial intelligence or encryption or quantum computing. Those potentially profound developments are barely mentioned, if at all; a key concept such as zero trust architecture warrants only a small box.

Notwithstanding these significant shortcomings, the book is still a valuable addition to a field that isn’t distinguished by astute and rich analysis of the sort provided by the authors. Consequently, it would be an ideal text for a course in cybersecurity and a great read for anyone seeking a deeper understanding of today’s cyber vulnerabilities. But not of tomorrow’s solutions.

Fixing American Cybersecurity earns a four for describing the current situation and a two for telling me what to do about it, so I’m awarding it a solid three out of four trench coats.

The Cipher Brief participates in the Amazon Affiliate program and may make a small commission from purchases made via links.

Read more expert national security perspectives and analysis in The Cipher Brief


More Book Reviews

Search

Close