There continues to be concern that we are not doing enough to address the problem of cyber security – even that we lack, still, a clear view of the problem, a vision or strategy to deal with it, or an investment plan that will succeed.
It is not for want of trying. Our nation’s cybersecurity issues are well-documented. Yet current efforts such as the National Cyber Security initiative, cloaked in secrecy, and limited to governments, have been critiqued as too little, too limited, and too mysterious. Others have offered sharp critiques of the critiques.
How should the United States or any reasonable nation respond? The complexity of events and response, and their dynamism, argue for vision, strategy, and investment. For the United States, the advent of a national cybersecurity czar; of a chief technology officer with “domain” over the federal IT enterprise; and of a chief privacy officer with similar purview, all point to a new level of seriousness and commitment to cybersecurity in the new Administration.
How shall we move next? As a new cyber czar takes this on, many approaches will compete for time, attention and investment.
Should we attack the problem of cybersecurity at the level of hardware or software solutions, moving first to secure servers and computers, or applications and services?
Should we perhaps approach the problem from the level of integrated management, taking up the major vulnerabilities which corporations and governments all face, such as identity management and authentication?
We could focus instead on securing critical business operations – whether power plants, financial payments systems, or next generation civil aviation. At least we’d be assured of lights on, cash available, and planes staying in the sky.
Perhaps we should focus on securing the social web. Millions of citizens use Twitter and Facebook, for example, and we’ll need those during disaster or crisis — or even for everyday “citizen engagement/web 2.0” activities. That digital device in my pocket is my friend and yours. Or, is it an enemy’s on-ramp? At the moment, there’s no saying it’s not both, and that makes the social web risky.
Should we, rather, deal with the “upstream” problem of nation states and criminal organizations who sponsor this stuff, and attack, dismember, and destroy them? Could we do that even if we wanted? Maybe we need them, too – for our own purposes.
Perhaps we should articulate a meaningful doctrine of cyber deterrence which freezes actors, not simply from fear of capture but from the threat of dire consequences to themselves, their families, and their allies. No one has, yet.
Framing the Options: The 10 Challenges We Face
A new cyber security czar will quickly face such choices. Ultimately, the czar will have to translate all into tactical, practical, and actionable options and results. Any strategy for cybersecurity would have to address – have an answer to — these ten great challenges:
1. The boundary between nation states, rogue states, and criminal organizations is now blurred. As recent Russian-involved cyber attacks on Estonia, Georgia, and now Kyrgyzstan make clear, many groups may concentrate or coordinate attacks for strategic purpose and tactical gain. Any cyber strategy must enable us to deter, detect and thwart such complex, multipronged attacks.
2. Key global and domestic infrastructures remain vulnerable, even unattended. Do our electronic payment systems, for example, remain exposed? Who has — owns – a clear strategy to define, let alone assure, minimum essential functioning at the retail or wholesale level in the event of attack? We need a cyber strategy that defines the minimum essential level of functioning required for key infrastructures, specifies its requirements, and assures it.
3. The uptake and adoption of innovation is uneven, and creates risk in pockets. Yet network defense of every node is inherently more difficult than network attack on a single node– especially networks that criss-cross organizations, sectors and nations. We need a strategy that assures adoption of innovation throughout networks and which is consistent with requirements for resilience in our key sectors.
4. The nation’s welfare is no longer a mere function of government: corporate vulnerabilities create risk for the nation and obligation for private sector initiative and investment. We need a cyber strategy that articulates an effective approach, whether by market or regulation, to secure corporate assets as vital to national security.
5. With military R&D limited now, commercial R&D proliferates and is widely available as technology both to attackers and defenders; the race to “asymmetric” advantage is based therefore not on technical superiority but on adaptation and response. We need a cyber strategy with a strong translational “bench-to-community” research capability, to move innovation quickly from field, to lab, to field again.
6. Federal, state and local budgets are severely constrained; the opportunities for massive new infrastructure investments are limited; the capital plant as it exists today will likely be the legacy for the next decade; adapting legacy infrastructure to current and future challenges is therefore critical. We need a cyber strategy that requires few new resources and focuses on retrofitting the existing capital plant to new capabilities
7. Governance of the national cybersecurity enterprise can neither be czar-like and autocratic, nor anarchic or idiosyncratic. It must balance wisdom of crowds with communities of expertise. In no sense is governance now specified. Moving to standards, proving capabilities, assuring dynamic resilience are attributes any well-governed enterprise must provide for. We need a cyber strategy whose own process balances well the need for secrecy with public engagement.
8. Our procedures for acquiring new products and services continue to slow our responses. Our adversaries – smaller, faster, more agile, less constrained – may adapt far more quickly to opportunity, and to our innovations, that we can. We need a cyber strategy which reforms our acquisition and procurement to support requirements for asymmetric advantage in cyberspace.
9. The move to incorporate informal citizen and user networks under the “web 2.0” banner is unstoppable. It is also highly useful – especially in managing contested or confused domains of disaster, battle, or crisis. Such moves also put information reliability and security at risk. We need a cyber strategy that permits government and industry to take advantage of citizen networks while addressing critical issues in authentication and security.
10. We have good “point” measures of readiness and capability, but no consistent way to apply them across our extended enterprise. That enterprise is of its nature a Wild-West show; who just came on and came off the enterprise platforms and how did that change risk for all? We need a capability to measure test ever-changing risk, readiness and capability for cyber attack across extended enterprises which cross the boundaries of organizations, sectors and nations.
The Leadership Play: Fixing What’s Wrong
A cybersecurity czar faces critical questions not only of strategy, but of managing a sprawling enterprise over which the czar will have little direct authority or control. What effects will she want to achieve? What’s the right mix of government and industry action to achieve them? Will it be by regulation and enforcement, or laissez-fair market forces? None are perfect. How best to work the levers of change? As a nation, we will explore that next.
[Cross posted to the Harvard Kennedy School Leadership for a Networked World blog.]