David Lawrence and Jay Clayton discuss a plan to deal with cyber threats.
On January 4, President-elect Donald Trump’s transition team announced that Jay Clayton, co-managing partner of the general practice group at Sullivan & Cromwell, a New York City law firm that works closely with Wall Street investment banks, would be nominated to become the next chairman of the Securities and Exchange Commission (SEC). In a statement, Trump noted that Clayton is “a highly talented expert on many aspects of financial and regulatory law, and he will ensure our financial institutions can thrive and create jobs while playing by the rules at the same time.”
Clayton is no stranger to Knowledge@Wharton readers. In June 2015 he co-authored this opinion piece with David Lawrence, founder of the Risk Assistance Network and Exchange, Frances Townsend, executive vice president of McAndrews & Forbes, and several other associates. The article lays out a plan for companies and governments to collaborate to deal with cyber threats.
The Knowledge@Wharton show, part of Wharton Business Radio on SiriusXM channel 111, also interviewed Clayton and Lawrence in 2015 about what is needed to combat cyber threats and other security risks.
Socrates is known to have declared, “The only true wisdom is in knowing that you know nothing.” This became a starting point for his pursuit of knowledge.
On the issue of cybersecurity, the world is in the early stages of the Socratic process. Throughout the private and public sectors, there is justifiable apprehension about how little we understand and how much more needs to be done.
Now is the time to become wiser for this admission.
There is complexity and nuance to the subject of cybersecurity. There is also more than enough common ground for everyone to grasp the magnitude and ubiquity of the threats and our limited means of response. Whether natural or man-made, virtually every catastrophic threat reinforces at least four lessons about risk management. The cyber threat is no different.
- The best time to prepare for a disaster is before it occurs.
- Crises are preceded by opportunities — often missed — to explain the risks, both local and systemic, and to adopt measures for prevention, mitigation and recovery.
- If history doesn’t always repeat itself exactly, it rhymes closely enough that our mistakes need not be repeated.
- Together, our expertise and resources can be formidable. Apart, we are highly vulnerable.
Cybersecurity is a multidimensional problem that transcends the risk management and response capabilities of any single community — technology, defense, law enforcement, public policy and business. No group has an answer or even a claim to superiority. All share in the exposure.
With so much at stake, why has there been so little collective progress?
Fifty years ago, Bob Dylan offered this utilitarian insight about risk management from “Subterranean Homesick Blues”: “You don’t need a weatherman to know which way the wind blows.” It is obvious which way the wind is blowing, and it is time to take collective action.
Ten years ago, the 9-11 Commission shared one of its principal findings about the “attacks that changed everything”: Just because events come as a shock, [this] doesn’t mean they arrive as a surprise.
With recognition that any comparison to 9-11 must be undertaken cautiously and respectfully, we recently re-read the 9-11 Commission report. We did so because so many security experts believe that the world is at a similar inflection point with respect to our collective state of preparedness for digital exposures. The Commission reached an overarching conclusion about exposure to terrorism: Even our most consequential threats can be prevented or mitigated with the benefit of shared recognition, shared intelligence and shared action.
As reflected in the Commission’s findings and recommendations, our approaches to complex risk must offer transparency, utility and resiliency to be effective.
Here then is a proposal with respect to cybersecurity efforts for the U.S., offered in the hope that other countries will benefit from the effort and can develop their own versions of the same solution. Within this moment of relative calm, we have the opportunity to provide foresight, not hindsight; a biopsy, not an autopsy; a blueprint, not a Code Blue.
The U.S. President and Congress should appoint a 9-11-type Cyber Threat Commission. This Commission should:
- Convene the best minds and intents from all sectors and political parties — divorced from self-interest and outside influences — with sufficient power and authority to move quickly and effectively.
- Recruit beyond national borders — reaching the leading authorities from around the world.
- Produce a report on the state of the digital union, including an assessment of the risks and a plan for addressing them in plain language that all can understand.
- Follow the lead of the 9-11 Commission and communications experts in offering the narrative — not a typical government report — that all will want to read and follow.
- Utilize social media to continue to communicate and gain feedback.
No “big bang” event is required. The Commission must answer these questions:
- Why do we have a problem? Why does it matter?
- What is the extent of the problem? What needs to be done?
- Who is behind the threats? Who should respond and own the effort?
- How will solutions be executed?
- When will this happen?
- Where can we turn for help?
Cybersecurity is like a “black elephant” — a dangerous crossbreed between the “black swan” risk (capable of producing unexpected outcomes with enormous consequences) and the “elephant in the room” (a large problem that is in plain sight).
Every day brings new cyber threats. And the coming waves of attacks promise to be more than any one enterprise, sector or even country will be able to handle.
- Globally we are experiencing unprecedented thefts of money, information, intellectual property and state secrets — much of it to fund foreign regimes and criminal organizations.
- Unpredictable security costs imposed upon public and private enterprises — solely to stay in business — that effectively represent a “protection tax.”
- Possibly, the early acts of a highly asymmetrical and multi-front war that threaten national security, economy, vital infrastructure and personal safety — in which ground troops, tanks, aircraft and ships will be of little defense.
The Internet was constructed for universal connectivity and accessibility — not with an eye toward containing the darker sides of human behavior. The Internet has delivered on its promise of social and economic progress. Unfortunately, it has also delivered unparalleled opportunities to those seeking to scale global conflict, terrorism, criminal activity, state and industrial espionage and vandalism.
Highlighting our worldwide exposures, the Global Commission on Internet Governance explained that in the packet-switched networks and data clouds of the Internet, the communications and data of all parties are mixed together. Put in context, we drive on the same information super-highway to work, school and play, as those seeking to drive home a