A Fire Under Embers

There continues to be concern that we are not doing enough to address the problem of cyber security – even that we lack, still, a clear view of the problem, a vision or strategy to deal with it, or an investment plan that will succeed.

It is not for want of trying. Our nation’s cybersecurity issues are well-documented. Yet current efforts such as the National Cyber Security initiative, cloaked in secrecy, and limited to governments, have been critiqued as too little, too limited, and too mysterious. Others have offered sharp critiques of the critiques.

How should the United States or any reasonable nation respond? The complexity of events and response, and their dynamism, argue for vision, strategy, and investment. For the United States, the advent of a national cybersecurity czar; of a chief technology officer with “domain” over the federal IT enterprise; and of a chief privacy officer with similar purview, all point to a new level of seriousness and commitment to cybersecurity in the new Administration.

How shall we move next? As a new cyber czar takes this on, many approaches will compete for time, attention and investment.

Should we attack the problem of cybersecurity at the level of hardware or software solutions, moving first to secure servers and computers, or applications and services?

Should we perhaps approach the problem from the level of integrated management, taking up the major vulnerabilities which corporations and governments all face, such as identity management and authentication?

We could focus instead on securing critical business operations – whether power plants, financial payments systems, or next generation civil aviation. At least we’d be assured of lights on, cash available, and planes staying in the sky.

Perhaps we should focus on securing the social web. Millions of citizens use Twitter and Facebook, for example, and we’ll need those during disaster or crisis — or even for everyday “citizen engagement/web 2.0” activities. That digital device in my pocket is my friend and yours. Or, is it an enemy’s on-ramp? At the moment, there’s no saying it’s not both, and that makes the social web risky.

Should we, rather, deal with the “upstream” problem of nation states and criminal organizations who sponsor this stuff, and attack, dismember, and destroy them? Could we do that even if we wanted? Maybe we need them, too – for our own purposes.

Perhaps we should articulate a meaningful doctrine of cyber deterrence which freezes actors, not simply from fear of capture but from the threat of dire consequences to themselves, their families, and their allies. No one has, yet.

Framing the Options: The 10 Challenges We Face

A new cyber security czar will quickly face such choices. Ultimately, the czar will have to translate all into tactical, practical, and actionable options and results. Any strategy for cybersecurity would have to address – have an answer to — these ten great challenges:

1.    The boundary between nation states, rogue states, and criminal organizations is now blurred. As recent Russian-involved cyber attacks on Estonia, Georgia, and now Kyrgyzstan make clear, many groups may concentrate or coordinate attacks for strategic purpose and tactical gain. Any cyber strategy must enable us to deter, detect and thwart such complex, multipronged attacks.

2.    Key global and domestic infrastructures remain vulnerable, even unattended. Do our electronic payment systems, for example, remain exposed? Who has — owns – a clear strategy to define, let alone assure, minimum essential functioning at the retail or wholesale level in the event of attack? We need a cyber strategy that defines the minimum essential level of functioning required for key infrastructures, specifies its requirements, and assures it.

3.    The uptake and adoption of innovation is uneven, and creates risk in pockets. Yet network defense of every node is inherently more difficult than network attack on a single node– especially networks that criss-cross organizations, sectors and nations. We need a strategy that assures adoption of innovation throughout networks and which is consistent with requirements for resilience in our key sectors.

4.    The nation’s welfare is no longer a mere function of government: corporate vulnerabilities create risk for the nation and obligation for private sector initiative and investment. We need a cyber strategy that articulates an effective approach, whether by market or regulation, to secure corporate assets as vital to national security.

5.    With military R&D limited now, commercial R&D proliferates and is widely available as technology both to attackers and defenders; the race to “asymmetric” advantage is based therefore not on technical superiority but on adaptation and response. We need a cyber strategy with a strong translational “bench-to-community” research capability, to move innovation quickly from field, to lab, to field again.

6.    Federal, state and local budgets are severely constrained; the opportunities for massive new infrastructure investments are limited; the capital plant as it exists today will likely be the legacy for the next decade; adapting legacy infrastructure to current and future challenges is therefore critical. We need a cyber strategy that requires few new resources and focuses on retrofitting the existing capital plant to new capabilities

7.    Governance of the national cybersecurity enterprise can neither be czar-like and  autocratic, nor anarchic or idiosyncratic. It must balance wisdom of crowds with communities of expertise. In no sense is governance now specified. Moving to standards, proving capabilities, assuring dynamic resilience are attributes any well-governed enterprise must provide for. We need a cyber strategy whose own process balances well the need for secrecy with public engagement.

8.    Our procedures for acquiring new products and services continue to slow our responses. Our adversaries – smaller, faster, more agile, less constrained – may adapt far more quickly to opportunity, and to our innovations, that we can. We need a cyber strategy which reforms our acquisition and procurement to support requirements for asymmetric advantage in cyberspace.

9.    The move to incorporate informal citizen and user networks under the “web 2.0” banner is unstoppable. It is also highly useful – especially in managing contested or confused domains of disaster, battle, or crisis. Such moves also put information reliability and security at risk. We need a cyber strategy that permits government and industry to take advantage of citizen networks while addressing critical issues in authentication and security.

10.    We have good “point” measures of readiness and capability, but no consistent way to apply them across our extended enterprise. That enterprise is of its nature a Wild-West show; who just came on and came off the enterprise platforms and how did that change risk for all? We need a capability to measure test ever-changing risk, readiness and capability for cyber attack across extended enterprises which cross the boundaries of organizations, sectors and nations.

The Leadership Play: Fixing What’s Wrong

A cybersecurity czar faces critical questions not only of strategy, but of managing a sprawling enterprise over which the czar will have little direct authority or control. What effects will she want to achieve? What’s the right mix of government and industry action to achieve them? Will it be by regulation and enforcement, or laissez-fair market forces? None are perfect. How best to work the levers of change? As a nation, we will explore that next.

[Cross posted to the Harvard Kennedy School Leadership for a Networked World blog.]

I’m returning to blogging after a few months off. I’ve been playing with Twitter, FB, writing, making our numbers, creating some initiatives that with any luck will change the world some for the better, or at least shake it up a bit. That’s what we do, I reckon. A friend and colleague of my dad’s once called this crew “creators and disturbers”. I’ll take it.

I signal my return to blogging, then, recognizing my dad on his 90th birthday. He died somewhere in the mid-90s – I know the date – March 3 – but not the year. The day is easy – three days after my daughter’s birthday, one day after my son’s. Lord giveth, lord taketh away and such.  At graveside, my son asked, “Is that grandpa in that box?” Which, indeed, it was. Lying under a lovely elm in Princeton Cemetery, in view of Princeton Hospital, and in the shade of John Tulane and Grover Cleveland, whom he neither admired nor knew much about but would have enjoyed for their bulk, presence, and apparent orneriness. Tulane’s statue is closest to the edge bounding the University, with his backside turned to the University in some grudge now realized in perpetuity.

Melvin Marvin Tumin was born on this day – February 10, 1919.  Moshe Mordecai Tumin was known as Moishe to his mother Rose and his two brothers Israel and Eddie.  His father Robert was an ordained rabbi who left the rabbinate for an anarchist commune in New Jersey, abandoning three sons and wife in Newark NJ mid-Depression, leaving scars one can only imagine. In his farewell letters, written from a flophouse on West 23rd Street in Manhattan as he lay dying, hacking his lungs out with some ghastly consumption, Bob Tumin made not one mention of his three sons. Dead when my dad was 14, buried as a pauper on Staten Island, he stayed a man of pain and mystery for my dad, I suspect; he never visited that graveside. I weep for my dad’s pain, still. My brother and I are both named for Robert Tumin, even so. Rose insisted on it.  Robert is my first name.

I suspect that one of the reasons my father never visited his own father’s grave — aside from all the obvious things about pain — is that he resoundingly did not believe in what he would call “spooks”.  It was a remarkable transition generation, from generations of rabbis, to teachers, to radicals and rabble rousers, all learned. My dad cut his pais and left home at 15 to become a freshman at the University of Wisconsin at Madison. He was a red – but smart, and deeply read. He wrote a 150-page autobiography at 20, insufferable to a fault. He went on to his PhD at Northwestern, having done his field work in Guatemala in the 1940s and, he mentioned, spied some on Germans there. He came back with awful stomach problems, which ultimately rotted his teeth. He spent his life popping Gelusils and smoking Benson&Hedges which, of course, eventually killed him.

He was a Jew deep in every bone of his body who walked away from the rabbinate and became, instead, a professor at Princeton in 1947, one of the founding members of the sociology department there when it was still embedded in the economics department. He met my mother teaching at Wayne State in Detroit just after Northwestern. Isadore Yarost asked to learn Mel’s intentions towards his daughter Sylvia. These turned out to honorable. They married and set up home in Princeton, New Jersey in 1948.

The story progresses, of course. But the post will end here. Over the year perhaps I’ll share a story or two – and there are good ones — growing up in Princeton NJ as my brother and I did in the 1950s and 1960s.  Today is Melvin Marvin Tumin’s 90th birthday, or would have been. We loved him madly, of course. Sons being sons, wives wives, nieces and nephews, brothers- and sisters-in laws, his own Uncle Martin,  and brothers, and cousins literally too numerous to mention. After all, Rose Yawitz Tumin (later -Fishbein, and then-Gorin! boy, could she bury them!) was one of nine daughters. Wolf Yawitz, the kosher butcher, had no sons.  Rose turned around and had three.  Today and always we remember as much as we can of those three Tumin boys – Mel, Israel and Eddie.