By Phil Reitinger
As I was reflecting on last week’s RSA conference, I was thinking about suggestions from Megan Stifel and Rob Knake that there should be a “B Corps” model for cybersecurity, where corporations promise that they will donate a portion of their revenue to cybersecurity nonprofit organizations, for the greater good. Of course I’m a fan – I work at the Global Cyber Alliance, a nonprofit that could be a recipient of these funds. Where you stand depends on where you sit, and all that.
Nevertheless, Megan and Rob have a point. There are nonprofits that do super good work but are resource-poor. The level of resources nonprofits have, compared to the array of criminal and state-sponsored bad cyber actors, reminds me of the movie “Stripes.” If you are as old as I, you will remember that in the second half of the movie, the “heroes,” Peter Winger and Russell Ziskey, go behind enemy lines to rescue their captured platoon in an armed motor home. Winger describes the challenge they face as follows:
Winger: “They got one big gun. They got a couple of tanks. They got a hundred [armed soldiers].”
Russell: “Yeah, what do we got?”
Winger: “We got? What do we got? What are you talking about? We got one heavily armed recreational vehicle here, man.”
Of course, the mission is successful, because (1) it’s a movie, and (2) the RV is very capable and managed by committed, if offbeat, people – so it’s actually a pretty good analogy to more than one nonprofit. Of course, rescuing a platoon is different than winning a battle or a larger conflict, which is what we face in cybercrime.
The Global Cyber Alliance is blessed to have awesome funders: public bodies, founders, partners, foundations and sponsors. Other nonprofits would say the same. But I’d agree with others that the global level of funding falls short of the need.
There are many requirements to secure the Internet ecosystem, including the companies, governments, people and devices connected to it. The primary way of meeting these requirements is the market, especially organizations like companies and governments spending money to secure themselves or their customers. There are also organizations that work to secure their members (such as the ISACs and ISAOs mentioned by Rob) or help those members accomplish a noble purpose that also benefits business objectives (threat sharing organizations, advocacy groups like associations, and standards bodies are all good examples). And there are the charities that work for the public good where the market and government activity fall short. I’d put GCA in the last category, and I hope you would agree.
This “charity” category concerns me the most, in part because GCA operates as a charity and does not charge dues or fees to its partners. (As I mentioned above, although we do not charge dues, we get great support from our partners and friends.) Systemically, however, across the entire ecosystem, funding falls short, and even where it is sufficient, sustainability is an ever-present concern.
I wrote a year ago that there is a gap of about $2 trillion between what was spent comparatively on the Apollo Program and what is spent on cybersecurity. The moonshot analogy is of course not a perfect fit, and it’s also true that we could get a lot more bangs for the cybersecurity bucks already spent. What I would say is this – if there is some gap in corporate and government spending to secure themselves, and I think there is, what do you think is the situation for small businesses, local governments, nonprofits, NGOs, and individuals?
Here is what I said last year, and it remains true: “Closing this gap, even a little, will take extensive investment from both the public and private sectors. Governments and companies need to spend up to the level required by the cybersecurity risk they face to solve their own problems. And investment must be focused not only on making government and big companies more secure, but the entire Internet community more secure. It is possible to buy very good security, but the majority of companies and people are below the cybersecurity poverty line and can’t afford effective cybersecurity. While moving these companies and people to cloud services will help significantly, it won’t solve the problem. That will take a different type of investment, one in entities that make solutions available to anyone – nonprofits and NGOs.”
I hope you enjoyed RSA. Thanks for listening, and have a great year.