
Cybersecurity Plan 2025


Cybersecurity Plan: Alliance’s Zero-Cost Strategy to National Security

The Internet Security Alliance (ISA) has announced a plan to strengthen the national cybersecurity program, which it says can be implemented at practically no cost.

The Internet Security Alliance (ISA) has given 5 suggestions in its 21-page document that will cost the federal government almost nothing and save private industry billions.

The document is titled “zero cost path for American cybersecurity” and applies the governing philosophy of the Trump administration.

The document states that the program is practical and can be executed quickly, and that it will bring many improvements to national cybersecurity very quickly.

This step will strengthen long-term and intermediate security and make it economically verifiable, on the basis of which we will be able to face new threats easily. With the support of the White House, “These initiatives will not only ensure compliance with cybersecurity, but will also make us stronger and more competitively advanced. And along with digital security, they will also string together the legacy of the president.”

Eliminating Redundant Rules:

One recommendation from the Internet Security Alliance (ISA) is that the federal Office of Management and Budget (OMB) use its existing authority to safely eliminate duplicate cybersecurity regulations.

David Bader, director of the Institute for Data Science at the New Jersey Institute of Technology (NJIT), said, “The scope of duplicative cybersecurity regulations is at a very high level.”

He stated that, according to a recent GAO analysis, only 4 major federal agencies directly conflict with each other on 49% to 79% of their cybersecurity requirements. The most prominent example is incident reporting: 22 federal agencies still have 45 separate cyber incident reporting requirements. Each agency has its own website and form.

David Bader said, “This regulatory requirement is badly undermining our cybersecurity capabilities. Cyber teams in large institutes spend 70% of their time just on regulatory compliance, when we should actually spend our time on improving security. Many companies spend half their budget just on duplication compliance.”

While cybersecurity professionals are too busy doing proper paperwork to defend networks, we are doing the work of the attackers.

He said, “Eliminating the duplicative requirement will free up billions of dollars of profit and resources that can be invested in real threat detection, incident response, and fast security improvements.”

Roger Grimes, defense evangelist for KnowBe4, also said that duplicative regulations not only waste time but are often different and contradictory.

For example, NIST recommends no minimum password size or complexity requirement, but many governmental regulations demand the exact opposite.

The problem is not just revoking OMB’s authority to regulate but coordinating their rules so they are not inconsistent or duplicative. Every company has its own rules. Every agency must revoke its own rules, and this is possible through the normal rulemaking process.

Cybersecurity Rule Cost-Benefit Study:

The Internet Security Alliance (ISA) is suggesting that cost-benefit analysis should be mandatory for every cybersecurity regulation. Even after spending billions, no study has been able to prove any improvement in security.

But Heath Renfrow, CISO and co-founder of Fenix24 (a cyber disaster recovery firm), said that while cost-benefit analysis may seem like an economic safeguard on the surface, in cybersecurity the cost side is clear while the benefit side is random.

He gave an example: “How to quantify that MFA embrace did not lead to a ransomware event, the cost of which we avoided?”

He said that traditional cost-benefit frameworks, such as OMB Circular A-4, fail here because cyberattacks are rare but have a large impact.

If we could force agencies to articulate assumptions and do proportionality testing, etc., then agencies would help improve regulation. The problem is that companies will argue that regulations are not necessary until the cost of the breach is shown.

David Bader (NJIT) also agreed that unnecessary regulations could be avoided. He thinks cybersecurity benefits are either preventive or systemic, so they are difficult to capture in traditional economic models. He gave the example of supply chain attacks like SolarWinds, where the actual cost estimate is initially incorrect but is later analyzed.

But understanding the uncertainties along with the methodology can help improve cybersecurity through cost-benefit analysis, so that the resources seem impactful.


Update Cybersecurity Information Act:

The Internet Security Alliance (ISA) recommends that the Cybersecurity Information Sharing Act (CISA) of 2015 be reauthorized and updated.

The Cybersecurity Information Sharing Act, which is the legal base for cyber collaboration between the public and private sectors, will expire on 30 September 2025. According to the Internet Security Alliance (ISA), if it lapses without being reauthorized, the ability to share threat intelligence with the government will be seriously affected, which will disable national security.

David Bader said that there is an urgent need to update CISA, as it was made according to the threat landscape of 2015, which is now outdated.

“The 2015 law was passed when we didn’t yet understand the potential for AI-enabled attacks, advanced supply chain compromises, or the unique exposure of cloud infrastructure,” Bader said.

Fenix24’s Heath Renfrow added that private sector participation is still not adequate under the current act.

“Modernization should include liability safe harbors so that companies can share indicators without fear of compromise, and it should also be compulsory for the government to return real-time actionable intelligence,” he said.

Proper modernization will enable efficient real-time sharing and improve private sector participation.

Overcoming the Shortage in Cyber Workforce:

The Internet Security Alliance (ISA) suggests that the government’s cost of living be shifted to a cybersecurity workforce mostly through the PIVOTT Act now in Congress.

PIVOTT stands for Providing Individuals Various Opportunities for Technical Training. Under it, students can enroll in cybersecurity courses at colleges etc. and in existing certificate programs. The federal government will pay their tuition fees, and the students will have to provide services to the government wherever the government specifies.

PIVOTT’s goal is to enroll 10,000 students each year so that eventually the government’s cybersecurity workforce gap can be solved in less than 4 years.

Heath Renfrow told us that PIVOTT’s novitiate and rotation model is promising as it uses cyber talent as a renewable resource. Skilled practitioners will be shifted to different agencies as each agency develops its own pipeline. He said, “Four years is a little optimistic, but without structural change, the problem will persist indefinitely.”

But the government should also invest more money in the workforce development system of the Department of Labor. Ida Byrd-Hill has said that the PIVOTT concept is good. “Just getting technology training from a university or college is not enough, certification is also required,” she said.

If the government supports learning and earning programs, then why has the government not taken any significant step in this direction till now? It should not be limited to just scholarship and training.

Developing a National Cybersecurity Dashboard:

The Internet Security Alliance (ISA)’s fifth recommendation is to establish a national macroeconomic cybersecurity dashboard.
The Internet Security Alliance (ISA) stated that the federal government spends tens of billions of dollars each year on cybersecurity projects.

The Internet Security Alliance (ISA) stated that without an advanced model, policymakers cannot determine the full economic cost of cyber risk, incentive programs, usefulness of alternative methods, system impact, and cost-effective ways to eliminate or transfer risk.

The Internet Security Alliance (ISA) suggested that the National Cyber Director work with federal government agencies to promote an advanced cyber risk assessment methodology based on the proven NACD-ISA framework.

David Bader said, “We desperately need a national cybersecurity dashboard because our current cyber risk assessment approach is fundamentally broken.”
“We now have too many agencies conducting their own separate cyber risk assessments without coordination or common methodology. It’s like trying to understand the health of the U.S. economy by looking at 22 separate and inconsistent financial reports.”

“The framework base for the NACD-ISA dashboard is independently validated by MIT and PwC research,” he added. Organizations that follow these principles have 85% fewer cyber incidents and more effective management. This is not just theoretical but a proven approach that works at the enterprise level.

Matt Renfrow has said, “You can think of it as a Cyber Dow Jones Index — one that doesn’t predict daily market movements but rather measures the structural health of the economy under cyber stress.”
“Without this visibility, policymakers are blind steering into a domain where adversaries are already treating cyber as a form of macroeconomic warfare.”
