We need a cybersecurity paradigm change
Whether one looks at Colonial Pipeline as an example of recent multitudinous cyber ransomware attacks; the Microsoft Exchange attack as a further exemplar of widespread vulnerability; or the SolarWinds supply chain debacle potentially threatening thousands of companies, the vulnerability of the United States private sector to cyber intrusions particularly from China and Russia is all too clear. The current system of cybersecurity is simply failing to meet the most alarming threats.
As FBI Director Christopher Wray has stated, “[T]hey’re well-resourced . . . [and] [n]o company is armed to defend against that kind of multi-avenue threat alone.” But a paradigm change that leads to the establishment of an industry of integrated cybersecurity providers utilizing cloud capabilities and incentivized by cybersecurity tax credits would entirely change the cybersecurity landscape and provide the basis for a resilient cyberspace.
Cybersecurity has evolved in recent years from a perimeter security concept — “keep the bad guys out” — to a “zero trust” approach that assumes attackers have breached the perimeter but provides resilient protection nonetheless. Zero trust (ZT) works when it is supported by effective threat hunting and operated by expert providers complemented by tools such as artificial intelligence. Zero trust plus threat hunting plus expert providers is not, however, a set of capabilities that most private sector entities can undertake on their own, as even a quick review of the key elements demonstrates.
As the Massachusetts Institute of Technology’s Lincoln Laboratory has described:
“The core principles behind ZT are: 1) universal authentication of all users, devices, and services; 2) access segmentation, allowing no single entity access to more than a small portion of the organization’s resources; 3) minimal trust authorization, keeping access to resources only to those entities that “need-to-know” and can be trusted; 4) encryption everywhere to protect information in flight and at rest, whether inside or outside the organization’s networks; and 5) continuous monitoring and adjustment to detect issues early and adjust access accordingly.”
These are not the kinds of capabilities that a non-expert team can implement. Rather, as the National Security Telecommunications Advisory Committee has stated that many enterprises will need to rely on outside providers to better assure their security, including cloud service, “which can provide multiple network security functions, including firewalls, intrusion prevention systems, secure web and email gateways, remote access tools, routing, and Wide Area Networking (WAN) connectivity.”
The required capabilities for zero trust do exist among companies in the private sector, but for the most part are not presented as an integrated whole. The cybersecurity industry could, however, shift generally to providing such integrated offerings if there were appropriate incentives. In doing so, the industry would be acting similarly to integrated providers in other sectors — such as the automobile industry in which customer facing entities build their overall offering by engaging many specialized companies that provide various components or services. As with the automobile and many other industries, there would be no “one size fits all,” but rather competing, yet comprehensive capabilities built around a core set of requirements.
The cybersecurity industry is relatively new and as yet there have not been sufficient incentives to provide such integrated capabilities across the board, and costs to customers have also been a factor. Both Congress and recent administrations have struggled to find the right ways to generate more effective cybersecurity, generally with an emphasis on the desirability of public-private coordination. Questions of the need for regulation have been raised, and in a few instances, regulation has begun.
To pick one example, Defense Department efforts to help protect the defense industrial base have not been very successful — in large part because the thousands of the companies in the base have been tasked to provide their own security — a task largely beyond their capability when faced with a Russian or Chinese threat.
An integrated provider with zero trust and threat hunting capabilities run by experts providing security as a service through the cloud would be much more effective. The establishment of cybersecurity investment tax credits that could be transferable would provide the necessary financial impetus for integrated cybersecurity.
As we describe in a recent report, “Congress regularly relies on investment tax credits and other so-called tax expenditures to spur desired investment in specified industrial sectors. The federal government incentivizes R&D investment across all sectors through the federal R&D credit that is available to eligible companies in connection with the development of new products, manufacturing processes, and software . . . Specific sectors likewise receive support. [such as] the energy sector [through] the energy investment credit.”
Cybersecurity investment tax credits similarly should be enacted by Congress. Congress would need to decide on the scope of such credits — perhaps beginning with credits limited to key critical infrastructures such as the electric grid, pipelines, water or transportation or, as we have suggested, enacting credits for innovative small and medium businesses and academia engaged in advancing selected emerging and advanced technologies. The amount of the credit could be equal to the price charged by the integrated cybersecurity provider.
A key requirement would be that the cybersecurity investment tax credits would be available only when the service received implemented a zero-trust architecture and effective threat-hunting program, essentially equivalent to what the federal government is currently undertaking for itself in accord with the executive orders on cybersecurity.
For the investment tax credit to apply, integrated cybersecurity providers would need to be certified as demonstrating the required capabilities. Such “certification could be accomplished by the federal government — most likely by CISA [the Cybersecurity and Infrastructure Security Agency] — or through the use of a private-sector capability such as a nonprofit along the lines of the Underwriters Laboratory or potentially by providing additional authorities to an Information Sharing and Analysis Organization.”
Finally, if the private sector entity receiving the integrated cybersecurity service could not use the tax credit, then the authorizing legislation could provide that the credit could be transferred to the integrated provider in payment of the cost of the service. Since credits can reduce taxes on a dollar-for-dollar basis, that generally would have the same value to the provider as monetary payment.
In sum, cybersecurity requires the most capable private sector entities to be fully engaged in its provision. Incentivizing the establishment of an industry of private sector integrated service providers through the use of cybersecurity investment tax credits would transform the United States cyber landscape and lead to the establishment of a resilient cyberspace.
Franklin D. Kramer is a distinguished fellow at and serves on the board of the Atlantic Council. He is a former assistant secretary of defense for international security affairs.
Melanie J. Teplinsky is a senior fellow in the Technology, Law and Security Program at American University (AU), Washington College of Law and faculty fellow at AU’s Internet Governance Lab.
Robert J. Butler is the co-founder and managing director of Cyber Strategies LLC, and he served as the first deputy assistant secretary of defense for space and cyber policy.
Kramer, Teplinsky and Butler are coauthors of the recent report “Cybersecurity for Innovative Small and Medium Enterprises and Academia.”
Gloss