
AFFECTED USERS: Everyone interested in cybersecurity, especially people who want to work in the industry.
HAIR ON FIRE: 3 out of 5
SUMMARY:
The discussion centered on the Internet Security Alliance (ISA) and its mission to enhance cybersecurity through advocacy and thought leadership, as articulated by Larry Clinton. He highlighted the coalition’s focus on integrating economic considerations into cybersecurity, noting that the current landscape favors cybercriminals, resulting in significant economic losses. The conversation included a proposal under consideration to streamline cybersecurity regulations, with support from key congressional committees and the endorsement of the new director of the Cyber Director’s Office. The proposal aims to eliminate duplicative regulations, which could lead to substantial savings in personnel time and capital costs while maintaining high cybersecurity standards.
Larry proposed the establishment of a national virtual cybersecurity academy to address the workforce shortage and modernize existing legislation, such as the Cybersecurity Information Sharing Act. This initiative would train 10,000 new cybersecurity professionals annually in exchange for government service, ultimately saving the government significant costs. The discussion also emphasized the importance of public involvement in cybersecurity initiatives, encouraging citizens to advocate for supportive policies and improve their own cybersecurity practices. The conversation concluded with a focus on the need for better education in cybersecurity and the potential impact of emerging technologies like quantum computing on future proposals.
TRANSCRIPT
1:15 – David W. Schropfer
Welcome back, everybody to DIY cyber guy.
1:20 – David W. Schropfer
This is Episode 83, Zero Cost Pathways to American Cybersecurity. Now, this is a hair on fire three out of five, higher than usual for an informational podcast episode. But wow, think about the title and think about what that could possibly mean for you and me and everybody that is responsible in any way for a network, for a system, for any number of servers, for keeping something safe, keeping information safe electronically. That’s why we’re all here. That’s why we’re all curious about AI and quantum computing. And of course, cybersecurity underneath it all. What is it? How does it change? And what could a zero cost pathway possibly look like? So I’m excited today to have Mr. Larry Clinton on the show. Larry is the head of the International Security Alliance, also known as the ISA. And he’s been that for over 20 years. And Larry, I’d like to welcome you to the show.
2:28 – Larry
David, thank you for having me.
2:30 – David W. Schropfer
Thank you for being here. Let’s just start with a very brief discussion of what the ISA is. What is the organization? What does it do for those of my listeners who don’t already know?
2:44 – Larry
The Internet Security Alliance is a coalition of mostly larger companies who have pulled together. We don’t sell anything, no products, no services. Our major goals are thought leadership, public policy advocacy, and creating effective standards and practices. And as I say, we give them away for free. The mission of the Internet Security Alliance is to integrate advanced technology with economics and public policy to create a sustainable system of cybersecurity. And the two words in that mission statement that are important really are economics and sustainable. Most of the work that has been done on cybersecurity has been primarily technical. And obviously, cyber has a technical component. But the real problem is that the economics of the digital age are upside down. All the incentives favor the bad guys. Attacks are cheap, easy, profitable; defense is hard, after the fact, expensive, etc. So we have to rebalance the economics.
3:44 – David W. Schropfer
And ransomware has earned real money and real dollars and cents for the same threat actors that were just trying to delete data 20 years ago are now making real money and a real living.
3:58 – Larry
Trillions of dollars. We are losing nearly $20 trillion in economic value every year. To put that in context, the GDP of China is a little less than $8 trillion. So we’re losing massive amounts of money. And it’s the fact that cybercrime is so profitable that is what drives it. All of our critical infrastructures, our surface transportation system, our agriculture system, they’re all vulnerable, so is the IT system. But there’s no money in attacking them. There’s gobs of money to be made by attacking our cyber systems. That’s the problem we have to deal with. We have to change the economics so that we can create a sustainable system of cybersecurity. Excellent, excellent.
4:41 – David W. Schropfer
So let’s talk about the zero cost pathway to American cybersecurity. My understanding from your recent press release, from the recent ISA press release, and our conversation just before we started recording was that there are five major components and that this is not law yet. This is still in the process of becoming the policy of the United States government. Are those two things correct? Yes, it is not law.
5:06 – Larry
This is a proposal. However, I will say that there’s already some substantial traction for a number of the elements of this proposal. In the current Congress and with the current administration. But yes, this is a proposal.
5:20 – David W. Schropfer
And could you describe what those elements are? The elements of the proposal or the…
5:25 – Larry
You said there are…
5:26 – David W. Schropfer
I thought I heard you say there are elements within the U.S. Government and within Congress… That are indicating that they’d be supportive of this kind of thing.
5:36 – Larry
So sure. So, as I say, there are a number of different elements of it. But for example, The chairs of the House Homeland Security Committee and the Oversight Committee and several other committees in Congress earlier this year wrote a letter to the administration saying that they wanted them to adopt one of the principal elements of the zero-cost proposal, which is to eliminate cybersecurity’s duplicative regulations, not all the regulations, just the ones that are redundant. And so there’s already support for that just this morning. The new director of the office, Cyber Director’s Office in the White House, gave a speech, his first speech, in which he endorsed basically the same thing. You’ll need to streamline the regulatory process in cybersecurity. So there’s a lot of support for that, we believe in the Congress and the administration. And there’s similar support with other elements, which we can go into. That’s great.
6:32 – David W. Schropfer
That’s great. So let’s talk about what the proposal is. And then maybe at the end, we can talk about how our listeners could lend a hand in supporting it for whatever that’s worth on the American citizen basis, as opposed to the American politician basis. So we talked about that there are five different components. I’d like to focus on two of those, but would you mind just listing all five before we jump in?
7:01 – Larry
Sure. So the first proposal is to eliminate the duplication in current cybersecurity regulation, which is massive. The second is to take whatever remaining regulation there is and put it on a cost-benefit basis. We currently don’t know whether or not any of these regulations work or if they’re cost-effective. We need to be doing that. The third element of the plan is to establish essentially a national virtual cybersecurity academy, a virtual version of West Point or Annapolis, but geared to cybersecurity. We have a massive shortage of cybersecurity workers, somewhere between 500,000 to 750,000. Obviously, nothing works unless you have a trained workforce. So we need to accomplish that. The fourth element of the proposal is to modernize the Cybersecurity Information Sharing Act of 2015, which is expiring this month, so that we deal with a really complicated cyber problem of systemic cyber risk that occurs because the system itself has grown so complicated that a single point of failure can bring everything down. Everybody’s familiar with this. We went through it all with CrowdStrike, Eurozone. That’s an example of a systemic risk that, by the way, has nothing to do with a cyber attack. The system is so vulnerable now that even without an attack, we can all go down. And then the fifth, which is a little bit wonky, I have to say, is to create the first background macroeconomic cybersecurity model. So virtually every other area of risk that we have, geopolitical risk, financial risk, environmental risk, weather, we analyze these things through macroeconomic models. We don’t have one of those in cybersecurity. So although we’re spending hundreds of billions of dollars on cybersecurity, we don’t have a systematic way to measure whether it works or not. So we need to be developing that kind of systemic macroeconomic model. Fascinating.
9:04 – David W. Schropfer
I started my career as a business analyst just after I got my MBA. And I would love to spend this and seven more episodes jumping into the macroeconomics topic. But for the benefit of my listeners, where this might be a little more applicable, let’s start with the obvious, removing the duplication. When there are multiple regulations, and anybody listening to this podcast has probably had to deal with regulatory compliance in one way or another. But when there are multiple regulations that are issued from different branches of the government, you know, Treasury has some, other departments have some. And in the event of an attack, you have to, you know, as we were saying before we recorded, have to comply with all of them on the fly. And if it’s your first time doing it as a big corporation, you know, that actually slows you down. So removing the redundancy in that, in those regulatory requirements, sounds like a huge time saver. Can you talk more about that? Absolutely.
10:08 – Larry
And by the way, just to link these two things together, remember, we don’t have enough people either. We have like 500,000, we’re short 500,000 people. So we’re under attack. And you have to comply with these regulations on very tight timelines. And a similar but not identical regulation can come from a less… So, you know, frankly, the attackers work this into the attack model. They already know that you’re going to have to comply with all these different things. So they’ll wage the attack that way. So you’re busy with compliance, and you have to do all this redundant compliance work. So all we’re doing is we’re saying, let’s take AI. Now, this would have been hard to do a few years ago, but we now have good models that we can use, that we can apply to the regulatory systems and simply strip out the redundancies in them. If we strip out the redundancies in them, we will wind up saving between 40% to 70% of our available cybersecurity personnel, which, again, we don’t have enough of. At the same time, this generates massive savings. We are spending nearly 40% to 50% of our money in cyber on these duplicative regulations. This is not the regulation. This is the duplications of the regulation. So we would have an immediate 40 to 50% savings in money and an immediate savings of useful personnel. So this would dramatically improve things. I mentioned earlier that the government, there’s some government support for this. The chairs of several different congressional committees wrote a letter to the administration earlier and they said that doing this one thing would be the single most cost-effective step that the Congress could take to measurably improve our nation’s cybersecurity.
11:57 – Unidentified Speaker
And David, an important part of this, it doesn’t cost a dime.
12:02 – Larry
We don’t have to hire anybody. We don’t have to hire anybody. We are eliminating redundancies, saving money, improving security all at the same time. That sounds fantastic.
12:13 – David W. Schropfer
And just to repeat some of those figures. So you’re saying that removing the redundancy is estimated to save 40 to 70% of personnel time and effort, and an additional 40 to 50% in just capital outlay cost to companies. Right.
12:30 – Unidentified Speaker
And there are those ranges because it varies from sector to sector. Some sectors are more regulated than others, so they’d have greater savings.
12:41 – David W. Schropfer
Sure. That sounds astounding. Are there any concerns about something getting missed or is there any discussion in this proposal that would lower cybersecurity regulations overall? Or is this specifically looking at telling the same thing to two different agencies as opposed to telling one thing to one central authority that manages the response to that requirement?
13:07 – Larry
It would not eliminate any core regulation. It just eliminates the redundancies. And there are many, many studies, government studies, industry study, academic studies, international studies, Everybody agrees that we do have this massive redundancy in the regulation. And as you said, it’s because different agencies come up with their own regulation and they don’t cross-check with each other. So no, we would not eliminate the core regulation. We would simply eliminate the redundancies. This is good government.
13:40 – David W. Schropfer
And how does AI play to that, or help bring that to be, is that the thing as saying, look, we could put 10,000 government employees on this task for two years, and they could sift through everything and figure out one set of regulations that would replace the redundant set of regulations. Or is AI playing a different kind of role in this process?
14:05 – Larry
Well, so first of all, we’re not talking about big, scary AI. We’re not talking about macrogenerative models and stuff like that. This is baby AI. It is simply language, and there are many different tools that can already do this. We’ve done it with several different tools. So we’re not eliminating the regulation. Also, all the AI does is identify where the redundancies are. There’s a second step to our proposal where the sector risk management agency, that’s the agency that creates the regulation, would be required to sit down with the people who they regulate, and by a date certain come up with what they all agree would be the most effective regulation. And again, in the second version or a second element of the zero cost plan that we’re proposing, that new regulation would then be subject to cost-benefit analysis, as most things in the private sector are subject to cost-benefit analysis, but not in government.
14:59 – Unidentified Speaker
So we would apply that here.
15:01 – Larry
So it’s an improved regulatory process. Gotcha.
15:03 – David W. Schropfer
And for my listeners, just to tie that in, we had an episode, 10-ish episodes ago, where we had an AI expert come on to talk about ways that we could walk before we run with AI and just use it in our everyday lives. And one of the examples was taking an email that is either long or tedious or something that you’re not quite sure reads well, and giving that to AI and say, here, make this more professional, make this shorter, make this half the length, make it more persuasive, simple commands like that, and seeing what AI spits back. That’s the type of AI that you’re talking about using, just identifying the keywords, and not trying to reinvent, not trying to do the big scary stuff that, you know, AI is… Right.
15:52 – Unidentified Speaker
Does not write the remaining regulation. It simply identifies the redundancies.
15:57 – Larry
We do more than keywords, actually, but we don’t have to get into kind of the… Sure, yeah. But yes, but AI is not taking over the regulatory process. It’s simply doing that simple stuff that we all know it can do and can do without any harm being taken place. It simply identifies where the redundancies are. And then we have a human process to kind of figure out what’s the best way to do this together moving forward.
16:27 – David W. Schropfer
Yeah. Excellent. And you mentioned the Sector Risk Management Agency. Is the general idea that the Sector Risk Management Agency alone would be the only agency that is issuing cybersecurity-related regulations and the only agency that would need to be reported to in the event of a breach or in the event of regulatory compliance?
16:48 – Larry
Or did I miss that? Well, so all the regulation operates within individual sectors. So there’s healthcare regulation, there’s defense regulation, there’s energy regulation. So this operates within a sector. So each of these sectors has a regulatory agency. And that agency would work with its private sector component to come up with the streamlined regulation. And they would do this under the auspices of the Office of Management and Budget, which ensures that they would do this by a date certain. So they have to come up with a regulation that will work. And there would need to be some cross-pollination above that. But by stripping out all of the redundancies, we make that process much more practical. Gotcha. Okay.
17:29 – David W. Schropfer
For a second there, I thought you might, there might’ve been talk of creating either a new agency or finding just one central body, but that makes perfect sense.
17:38 – Larry
No, there’s no idea.
17:40 – David W. Schropfer
There’s no plan to have one central body. That is an oversimplification of the problem.
17:46 – Larry
We’re not quite there yet.
17:48 – David W. Schropfer
No, no. Exactly. And most of the listeners would have reached that exact same conclusion.
17:53 – Larry
So that’s good news. That’s good news.
17:54 – David W. Schropfer
So let’s talk about the cybersecurity workforce. So what you described to me before we started recording was having a military-incentive type of model where you are giving cash incentives or other types of incentives to people to come into the military; there’s that same idea of giving some sort of incentives to people to come into the world of cybersecurity, to get trained in cybersecurity. And I think what I heard you saying is sort of akin to a national academy of cybersecurity professionals or something along those lines. So please tell me all about that because I think every single listener on this podcast might be interested in being a part of that.
18:38 – Larry
So everybody who has a child between the ages of 6 and 16 is apoplectic about how they’re going to send their kid to college. This is a big problem. And what we would do here is we would simply take the model of free tuition in return for government service. We would not build a new economy. This would be a virtual academy. We would use technology, distance learning, which is actually old technology, to knit together the various cybersecurity education and training programs, college, university, community college, certification program, and they would simply be able to offer free tuition paid by the federal government for students who came in and went into cybersecurity. This is a massive incentive to get a free tuition education. The return would be the same as if you go into West Point. After you graduate from West Point, you have a certain number of years of government service. Same is true with this, and it would vary depending on what kind of degree you got. So if you went to a certification program and you got one year of training, you would have one year of government service. If you went to a four-year college, you’d have a four-year service. There are two important points about this. Number one, this actually is cost neutral. Currently, what the federal government does in order to fill its gap, and by the way, the gap is enormous. We have 35,000 cybersecurity jobs in the federal government we can’t fill. 35,000 in the federal government runs a massive attack all day, every day, thousands of times a day. So what we do now is we hire independent contractors who are really expensive. What this would do, we would eliminate the independent contractors because they would be replaced by academy graduates. They would get paid basically the same way we pay a West Point graduate. And the difference between what you have to pay an independent contractor and what you would pay an academy graduate is about a billion dollars a year.
Our proposal costs a billion dollars a year. So actually, this is free cybersecurity for the federal government. We don’t spend any more money. We now solve our workforce development problem. Now, second point. After people finish their government service, they would naturally go into the private sector, probably in cybersecurity, where they are also defending our nation against cyberattacks. So it creates a pipeline. And this is the most aggressive proposal on cybersecurity and workforce development ever introduced in the Congress. It has already been passed by the House Homeland Security Committee. We have bipartisan support for it in the Senate. So this is, again, something that can happen. It’s cost neutral and actually solves the problem of workforce development.
21:21 – David W. Schropfer
And like the military, they would still get paid a salary during the years of government service.
21:28 – Larry
They’re not asked to work for free, you know, teachers, military, okay.
21:33 – David W. Schropfer
Of course.
21:33 – Unidentified Speaker
So that’s fascinating.
21:35 – David W. Schropfer
So the cost that the US spends every year of a billion dollars on contractors is roughly the same as the cost to pay for the cybersecurity education, roughly how many people a year would that pay for? This would be ramped up, of course.
21:54 – Larry
Okay, you start smaller.
21:55 – David W. Schropfer
Naturally.
21:56 – Larry
The goal in the proposal is to get to 10,000 new people a year. If we got 10,000 new people a year, in four years, we would solve the federal government cybersecurity workforce problem. The rest of the problem. Because we need 35,000 people.
22:15 – Unidentified Speaker
And in four years, we’d have 40,000 people. We would have solved that problem. And we would begin to establish a regular pipeline to the rest of the private sector at 10,000 a year.
22:27 – David W. Schropfer
And then as the first year’s 10,000 matriculate out of government service and into the private sector, they’re replaced by the next class and so on.
22:36 – Larry
Interesting.
22:36 – David W. Schropfer
And of course, maybe one of those people who graduated would have solved the problem of the update and the CrowdStrike software that precipitated into what looked like a massive attack but wasn’t, about a year ago, that really affected us all, including the federal government, just by virtue of being a customer of CrowdStrike, right?
22:55 – Larry
Absolutely. That’s a very important point because, you know, in solving the workforce problem, what we’re actually doing is dramatically enhancing our nation’s cybersecurity. So I can’t guarantee you that they would solve the systemic risk problem that CrowdStrike created. But there’d be a much greater chance that they would because we have more people on it. And we would establish the first national coherent training program based on a needs assessment. We don’t have that now. Right now, all the colleges and universities, whoever, they just have courses based on who can teach the course. There’s no national needs assessment for cybersecurity. And remember, David, we’re under attack all day, every day, thousands of times. Millions of times a day, and we’re losing trillions of dollars, and we don’t have a plan about what we need in terms of workforce.
23:47 – David W. Schropfer
This would solve that problem also. For the country, not just the federal government.
23:53 – Larry
Right. We would start with the federal government, and then that would grow into the nation.
23:59 – Unidentified Speaker
Sure.
24:00 – David W. Schropfer
So, in a second, I’m going to ask you about how people could lend their support to the plan, but I generally have a curious set of listeners. So where would they go? Would they go to isa.org to find out more about the plan or just Google zero cost pathway to American cybersecurity?
24:24 – Larry
What’s the best way for them to find that? So our website is not ISA, it’s isalliance.org. Okay. There’s another firm that had ISA.
24:34 – Unidentified Speaker
I knew that. So it’s isalliance.org. I-S-A-L-L-I-A-N-C-E, isalliance.org. That’ll take you to our website. But of course, you can find us, you know, through Googling us. I’m on LinkedIn. We’re generally pretty easy to find.
24:47 – Larry
And you probably could just Google zero cost pathway to American cybersecurity. You’ll see it there, too. All right, great.
24:54 – David W. Schropfer
And if a listener were to do some research, find out the other three major components, we’ve only talked about two here, and they decide that they wanted to support it. They think it’s a great idea. What kind of things could an individual citizen who’s not a politician or an elected official do to support this product or this project?
25:13 – Larry
Well, so this particular problem, ISA does a lot of things that deal with improving corporate cybersecurity that, you know, we’re not discussing today. This particular aspect of what we do at the Internet Security Alliance is a proposal to the government. So you would write your Congressman. You would write to Sean Cairncross, who is in the White House. He’s the National Cyber Director. Or you could write to members of Congress who might be on the Homeland Security or the Government Reform Committee. In truth, this is really not the kind of thing that we’re going to anticipate that we’re going to get a grassroots effort building on. This is a fairly sophisticated policy proposal that most, you know, usual citizens, you know, don’t get involved in. Certainly people can read all about it. You know, we would love people to, you know, get their kids interested in cybersecurity, have them sign up for the programs. I mean, that’s really where the average citizen can help on this public policy stuff. There’s a whole lot of things that the average citizen can do to enhance their own cybersecurity. We’re not talking about that today. We’re just talking about the public policy aspect of this. But, you know, we need tons more people. You know, we need massive numbers of individuals to get involved in cybersecurity, to learn more about cybersecurity so that you don’t become part of the problem by, you know, misbehaving, you know, using bad passwords and going on sketchy websites, et cetera, et cetera. You know, all the horrible things that a lot of people do.
26:54 – David W. Schropfer
Exactly. That is so on point for exactly what my group of listeners is all about. So thank you for that. And I hope all my listeners do Google Zero Cost Pathway, find out more about it, and certainly find out more about the ISA. I could talk to you, Larry, all day about the standards that you have to help corporate America or help people train in a way that can explain what they’re certified in more readily, because everybody uses a of the standards that you have set over the years. And I would love to see this proposal that we’ve been talking about today come to fruition and have some of the policies and plans to educate more people in the world of cybersecurity and make the life of a cybersecurity professional a little easier with a little less redundancy in the compliance. So it’s been a thrill to have you on. I could do seven episodes with you. I’m going to choose to end it here rather than have my listeners listen to a five-hour podcast. But Larry, where can people find out more about what you do at the ISA?
27:59 – Larry
Go to the website, isalliance.org. That’s I-S-A-L-L-I-A-N-C-E.org. That’s probably the best way to do it. I’m on LinkedIn also, and you can find me at Larry Clinton on LinkedIn. Very good. Larry, it’s been tremendous having you here.
28:14 – David W. Schropfer
Thanks so much for being on the show.
28:20 – Larry
It’s been my pleasure, David. I really appreciate you giving me this opportunity.
28:23 – David W. Schropfer
Thank you very much.