While the Ware Report of 1970 codified the foundations of the computer security discipline, it was the President’s Commission on Critical Infrastructure Protection report of 1997 that expanded those requirements into recommendations for both discrete entities as well as the nascent communities that were growing in and around the Internet. Subsequent events that were the result of ignoring that advice in turn led to the creation of more reports, assessments, and studies that reiterate what was said before. If everyone agrees on what we should do, why do we seem incapable of doing it? Alternately, if we are doing what we have been told to do, and have not reduced the risks we face, are we asking people to do the wrong things?
A Brief History of
Efforts to secure, or in the vernacular of the time "audit," computers existed before the Ware Report, but it was the report that codified the principles and practices that served as the building blocks of what would become the multi-billion-dollar cybersecurity industry. Books like Computer Capers in the 1970s and The in the 1980s show just how slowly the field progressed in both the commercial and governmental spheres, and how varied and disconnected cyber defense and crime-fighting efforts were at the time.
If the "wake-up call" associated with both sovereign-state and non-state-actor threats was not ringing with the events of The Cuckoo's Egg, the pounding on the door by hotel security was Eligible Receiver 97 (ER97): a no-notice interoperability exercise with both physical and cyberspace components. With regard to the latter, National Security Agency red teams used common hacker techniques and tools freely available online to successfully compromise dozens of military and civilian infrastructure systems.
No sooner had the dust settled from ER97 than the events of Solar Sunrise kicked off: a series of compromises of Department of Defense systems that everyone was sure was being perpetrated by Iraq, right up until it was proven to be the work of three teenagers. Solar Sunrise reiterated the point that not only was it possible to apply force online with disturbing ease, but that the range of potential threat actors we needed to be concerned about was larger than originally thought, and our ability to deal with them was inadequate.
In the same timeframe in which the aforementioned events were taking place, a set of recommendations for dealing with such problems was promulgated through the President's Commission on Critical Infrastructure Protection (PCCIP), which called out the need for:
- Better policies
- Public-private partnerships
- Information sharing
- Central coordination and control
- New or improved organizations and mechanisms to deal with cyber threats and vulnerabilities
- Adaptation to this new environment and the agility to respond to emerging threats
- Legal reforms
- Improved training, awareness, and
- More research and development
Substantially the same recommendations were made in the National Plan for Information Systems Protection in 2000, the National Strategy to Secure Cyberspace in 2003, the National Infrastructure Protection Plan in 2006, the Securing Cyberspace for the 44th Presidency report of 2008, and the Comprehensive National Cybersecurity Initiative, also in 2008. For those keeping score, that is 11 years of the same advice, while hacks against commercial and governmental systems kept growing.
It was not until 2010, with the publication of the National Security Strategy (NSS), that some new advice was proffered. The NSS was not exclusively focused on cybersecurity issues, but it continued to recommend partnerships and sharing, better capabilities to deal with threats, training and awareness, as well as R&D. It also highlighted the need for capacity building, as well as the establishment and promotion of "norms." The DOD Strategy for Operating in Cyberspace (2011), the DOD Cyber Strategy (2018), the National Cyber Strategy (2018), the DHS Cybersecurity Strategy (2018), and the much-hyped Cyberspace Solarium Commission report (2020) all offer a mix of old and new advice. That is another 10 years of telling people what ought to be done, while attacks continued apace and their negative impact grew (see Appendix A for details).
Meanwhile Back at the Server
What impact has all this good advice had on the state of cybersecurity? At the federal level the answer is a mixed bag. We have a history of going through "cyber czars" and other senior executives responsible for cybersecurity like most people change underwear. Efforts like Einstein are highly touted, but its effectiveness is often called into question. Every military service has to have its own "cyber command" (not counting the actual Cyber Command), and all sorts of efforts are underway to try to reinforce the ranks with information-age skills in very much industrial-age institutions, with predictable effect. It is hard to think about events like the successful attacks against government systems during Allied Force, the efforts of "patriotic hackers" after the EP-3 force-down, the accidental bombing of the Chinese embassy in Belgrade, the scope and scale of damage associated with the OPM hack, and the loss of offensive tools from not only the CIA but also the NSA, and not wonder about the value of this evergreen advice.
At the state, local, and tribal level the situation is far worse. They have all the same functions of government to execute as their counterparts at the federal level, but none of the budget or human resources. Municipally focused ransomware attacks of the past few years are illustrative of the problem and of how difficult it is to address.
In the commercial sector the situation is not much better. The government has an obligation to look after the well-being of its citizens; private enterprise is driven by a profit motive and the interests of a tiny subset of the citizenry: shareholders. Time and time again we see "risk acceptance" given as the reason for failing to adhere to sound security practice, and why not? The amount of money that can be made before the inevitable compromise far exceeds the amount required to clean up the mess and compensate the victims. No one is in the cybersecurity business, not even cybersecurity companies; they are just in business.
What Might be Wrong?
Twenty-one years of asking people to do the "same old" and expecting a different result calls into question the sanity of those giving the advice, and the advice itself. The author lacks the medical qualifications to assess anyone's mental health, but one can examine the advice given and formulate some reasonable theories to consider.
This may be the wrong advice. No one who has worked in this field for any length of time has much good to say about public-private partnerships, information sharing schemes, or the state of security awareness training. Big "R" research that has practical implications is rare, while little "r" research as presented at most conferences is lost in a wilderness of wheel-reinvention and stunt
The right advice, not always the right audiences. The number of organizations that can actually derive benefit from following such advice is quite small, though they themselves tend to be quite large. The security poverty line is a real thing, and expecting the largest segment of the economy (small and medium-sized businesses) to carry on like they are JPMorgan Chase with its half-billion-dollar security budget is a bridge too far.
Good advice, bad implementation. We are free with advice but parsimonious when it comes to the things that would lead to adherence. With a few exceptions, everything is voluntary. We suggest, we do not mandate. We cajole, we do not require. We encourage, but we do not incent. Everyone is hesitant to use a stick, but we make no effort to offer carrots. Outside of the military and certain government circles, cybersecurity is something people are obliged to have, not anything they want. We appeal to people's sense of patriotism or talk of "doing the right thing," but the NSA is not here to save your private enterprise, and advice from people on high horses is hard to swallow.
What Might Make Things Better?
If those in both policy and technology circles can agree that the recommended advice is sound, then we should be examining how we might do things differently, and how we can
If it matters, measure it. At a high level, asking for "better" does not make sense if you do not define what "better" means. Not hand-wavy abstractions, but hard metrics that can be measured, communicated, and evaluated.
The most important efforts must be mandatory. No one does anything voluntarily for long. Such efforts start well, and everyone participating means well, but it quickly becomes number 11 on the top-10 list of things to do. Particularly with regard to government and critical infrastructure providers, no one should be able to lobby their way out of their responsibilities, which leads us to…
Align everyone's incentives. The author is not aware of any meaningful metrics on the value of being a member of an ISAC or ISAO, or of joining InfraGard (and has been on both sides of these relationships). In the political sphere, telling someone to do something without providing resources has a name: unfunded mandate. Better security does not pay for itself. There are any number of incentives that might be offered that would drive compliance, but incentives are almost never an agenda item in panel or policy discussions.
Limited liability and full accountability. Those who provide data to help assess threats and gauge risk must be given sufficient protection against adverse legal action (short of negligence or incompetence). The lack of such data in sufficient volume makes it hard to understand the scope of the problems we face. Likewise, we have to stop pretending that code, in the right context, is any different from concrete, steel, or silicon. You do not pick random people off the street to build a suspension bridge or a pacemaker. This is not a call for a licensing scheme or protectionism, but for adherence to standards and for imposing costs on those who willingly fail to meet them.
More R&D only makes sense if you know the state of the art. There is no dedicated repository of cybersecurity knowledge that researchers at the academic, corporate, or independent levels can access to understand what prior art exists in any given security discipline. We cannot hope to level-up the science portion of the art-and-science that is cybersecurity without adhering to more scientific practices, of which a repository is a cornerstone.
Recognize the limitations of political approaches. No nation is giving up the advantages that operating in cyberspace affords them in a military or intelligence context. “Norms” are a double-edged sword; if you expect others to adhere to them, you are obliged to do the same. Now re-read the first sentence. What we may want to accomplish politically and what the Internet as-designed will allow are two different things. Aspiring Achesons and Kennans that improve their understanding of the technology that underpins cyberspace will develop approaches more likely to produce positive, achievable results.
The Next 10 Years
If history is any indication, we are a few short months away from the release of another set of policy recommendations that will encompass most of the ideas put forth previously. It will almost certainly contain nothing novel, but it will be received with a great deal of sound and fury, repeated over again annually, signifying
Forward progress in cybersecurity is entirely dependent upon the will of political leadership. Understandably, blood, not bytes, takes precedence in governmental affairs, but our willingness to be so casual about something we claim to be a priority suggests that cybersecurity is not the issue we in cybersecurity think it is. That is a fair point: stealing credit card numbers, social security numbers, medical files, even taking over one's entire identity does not equate
But the fact of the matter is that, by and large, we only learn from death. Nothing is really a problem until the body count is high enough, at which point it becomes a national imperative. One need only remember their last trip to the airport to realize that this is not hyperbole. Cybersecurity is one field where we have a rare opportunity to bring about meaningful change before we have to hold a memorial service for those we lost.
Better security is a three-legged stool: you need to identify the problem, you need to devise a solution, and you need to measure the effectiveness of that solution. What has impact stays; what does not goes back to the drawing board. For 21 years we have been reinforcing two of those legs and wondering why we are still falling over. Repeating the same mantra while continuing to plug random boxes into a global network is the cyberspace equivalent of "thoughts and prayers."
This is not a call to declare a war on cyber insecurity, if for no other reason than that the wars on drugs and poverty have not exactly produced ideal results. It is a declaration that if something is worth doing, then we should do it properly or reprioritize accordingly. To the extent that cybersecurity practitioners have been crying "wolf" for the past few decades, mea culpa, but it is worth remembering that eventually the wolf shows up.
We are, effectively, at the mercy of private security companies who choose to publish reports on the findings they extract from the cases they are called upon to support. While informative, such reports capture the details of a fraction of a percent of the total number of cases worldwide.