This month’s SIGNAL Magazine includes a focus on information security, which, these days, I can only think about in the context of the larger cybersecurity problem. There finally is a preoccupation with discussing cybersecurity on an international basis. The important question is, “How much of this dialogue is being converted to action/implementation?” This is a timely subject for me, as I have written this commentary while sitting in an international conference on Regional Collaboration in Cyber Security being held in
Widespread agreement exists on many tenets of the cybersecurity environment. First, the threat is profound, and we often do not know who is behind the threat and where they are based. We do know that the threat is increasing in complexity and capability and includes both state and non-state actors.
Another key point is that the Internet and activity on the Internet know no political or geographic boundaries. The number of users and devices on the Internet is growing exponentially. Applications and data storage on the network are growing at an equal pace. All of this is steadily increasing both dependency and vulnerability.
Everyone agrees that cybersecurity is a team effort, but we need to redefine the concept of “team.” This is both a public- and a private-sector problem, and often it is international. Given that the threat will pursue the weakest link, the international community needs to account for security in developing countries. And, consistent with this team approach, a network attack requires a network response.
Another tenet is that cloud computing is a reality and its use is growing rapidly. We need to understand how to secure it. Also, trust in the network is critical. Mechanisms need to be put in place to allow the establishment of identity and attributes to support trust across enterprise boundaries.
In the long run, we must address the supply chain. We are buying hardware and software without fully knowing the source or what may be included in those products.
And attribution is critical if we are to have reasonable accountability and a credible response to an attack.
So, with those given tenets in mind, the good news is that cyberdefense has become a top priority globally. In every part of the world, solutions are being developed and implemented. I have seen some common threads in the
The bad news is that we are still not doing enough. This is partly because, collectively, we are reactive to the threat. One reason for this is that the use of the Internet is growing and becoming more complex at a rate we cannot get our arms around. Many people have not been educated about the problem, do not understand it and thus become the weakest link to be exploited. Nor are there enough resources to do it all, and we have not come to grips with identifying the “crown jewels” and ensuring they are secure, even at the expense of information and infrastructure that are less important. And, most of all, right-minded people have not agreed on governance, processes and common means to establish trust across enterprise boundaries, which makes it difficult to separate the good guys from the bad guys.
So where do we go from here? I believe it is not mostly about technology. First and foremost, national and international authorities must establish and implement trust mechanisms that will allow government, industry, academia and individuals to share information safely. Such mechanisms exist for people to move physically from country to country and for governments to make decisions to allow or not allow those people to cross our borders. Similar mechanisms must be put in place to make intelligent decisions to grant or not grant access to information and infrastructure. Agreement is needed on the standards to establish identity and attributes, as well as on the processes and infrastructure to share that information quickly enough to make real-time decisions. We do this today within enterprises. We need agreements by nations and international bodies to implement such mechanisms across enterprises.
Second, we need better situational awareness. Too much is taking place in our networks and with our information that we do not know about until it is too late to act without damage being done. We need better tools for anomaly detection in near real time so that we can identify both internal and external threats quickly.
Third, we need to educate. Every day, within organizations and by individuals, stupid things are being done that compromise information and infrastructure. Let’s get the good guys to act smartly so we can focus on the bad actors.
I noted earlier that this is a team sport. Let’s all get on the team and make a difference.