Cybersecurity Policy and Strategy Need a Dose of Reality

June 2012
By Col. Alan D. Campen, USAF (Ret.), SIGNAL Magazine

Planners need to realize it cannot be ordained, imposed or enforced.

Today’s approach to the issue of cybersecurity is totally wrong. For years, experts have been propounding similar solutions to the problem of securing the virtual realm. Yet, that realm is less safe today than it was when the first calls for improved security achieved urgent status. The changes that define cyberspace—and what cyberspace in turn has wrought on society—cry out for a new approach rather than add-on measures to the same strategies that continue to prove unsuccessful over the long term.

What was conceived in 1982 as a simple four-node network empowering a handful of U.S. Defense Department academics to exchange digital files has exploded into the commercially owned global Internet. Its open architecture is so admissive of malicious activity that it has been called one of the greatest threats to U.S. national security.

In seemingly endless headline-making hearings before congressional committees and cyberconferences, military, civilian and private-sector officials bewail that despite significant efforts and money, our information infrastructure may not be available during times of crisis.

Finding that “the energy of the national dialogue on cybersecurity has not translated into progress” and that the nation still is unprepared to meet the challenge, the Center for Strategic and International Studies issued a report titled “Cybersecurity Two Years Later.” It concludes that the United States needs to “rethink its policies and institutions for cybersecurity.”

U.S. policy and strategies have been founded on public-private partnerships, voluntary information sharing, common global standards, enforceable regulations, laws and surveillance—in short, a top-down governance strategy.

This has not sold—not to the wary self-policing and self-financing private industry that owns the information facilities and believes it can cope with the threat; nor to the vocally fearful public that sees an unacceptable threat to privacy and civil liberties. Finally—and crucially—it has not sold to the users. Because of the information tools they demand and carelessly employ, users have become the default architects of the evolving Internet.

As Jason Headley notes in his Atlantic Council brief on “The Five Futures of Cyber Conflict and Cooperation,” today’s generation of digital natives has never known a world without the Internet. Their anticipations of cyberspace—especially in terms of security, privacy and collaboration—are very different from those of previous generations.

Former Chief of Naval Operations Adm. Gary Roughead, USN (Ret.), cautions that this work force not only embraces a fundamental change in the use of information technology, but it also is one that “knows nothing else.”

Any security policy must recognize the attitudes and preferences of this new generation of impatient millennials, which some define as an indifferent technology-empowered citizenry who favor functionality over security. They are charting the course, depth and pace of securitization, and they are the reason why there is no national will to confront the risks of cyber attack.

Despite an endless drumbeat of alarmist rhetoric, no consensus exists yet on the probability, severity or consequences of catastrophic cyber attacks.

Not everyone is surprised at that lack of consensus. Paul Rosenzweig, in his essay “Cybersecurity and Public Goods,” says that, “In the end no solid data on the threat exists—so we can only measure capabilities, and then only by educated guesswork.” We lack, he adds, “a solid, quantifiable risk assessment of the cyberthreat to national security and this leaves policymakers with only a speculative guess as to the extent of our risk.”

In their essay “Loving The Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy,” Jerry Brito and Tate Watkins write, “… with the dearth of information regarding the true nature of the threat, it is quite difficult to determine whether certain government policies are warranted—or if this merely represents the latest iteration of threat inflation benefiting private and parochial political interests.”

Sen. Sheldon Whitehouse (D-RI) opined that the public lacks an accurate sense of the cyberthreat because relevant threat information either is classified by government or is collected but kept private by companies to shield themselves from competitors, customers, regulators and investors. This opinion is reinforced in the October 2011 report by the Office of the National Counterintelligence Executive, “Foreign Spies Stealing U.S. Economic Secrets in Cyberspace.”

Margaret Heffernan offers yet another excuse for user apathy. While she likely did not have cyber in mind in her book Willful Blindness—Why We Ignore the Obvious at Our Peril, her title suggests willfulness in cost-benefit assessments by those seeking to calculate their individual exposure and risk on the Internet.

RAND analyst Martin Libicki puts it bluntly: “There is, in the end, no forced entry in cyberspace … ,” and perhaps security always seems to be subordinated to functionality because “organizations are vulnerable to cyberattack only to the extent they want to be.”

The Economist newspaper concludes that “countless individuals and companies have come to find that the benefits of doing things online greatly outweigh the risks.”

More discouraging still is the report from the Government Business Council, titled “Cybersecurity in the Federal Government.” It states that officials often bypass security controls on purpose “to get things done.”

For those who would rethink cyberpolicy and strategy, several options become apparent. First, governments must make painful cost-risk-benefit decisions when their own policies collide. This painful reality was brought home to the U.S. Department of Energy by its inspector general, who found that the department’s policy of expediting funding for the nation’s new “smart energy grid” had resulted in inadequate attention to the cyber vulnerabilities of the proposed system.

The problem on which to focus national attention is not threat, but vulnerability. I addressed this point in a Viewpoint for the September 1997 issue of SIGNAL. In the lead paragraph, I wrote, “The United States can improve the security of its information systems more quickly if it forsakes pointless obsession with threat. Instead, it should apply its formidable talents and resources to fixing the vulnerabilities that make these systems such tempting and rewarding targets.” Granted, the challenges of reducing vulnerabilities of a constantly evolving and unpredictable Internet are far more complicated than 15 years ago, but that recommendation still stands.

Another option is to banish the word “war” from the cyber lexicon. Appending that to every incident from accident or misbehavior through crime, espionage and terrorism feeds unproductive hype, makes dramatic headlines and nourishes an ever-hungry cybersecurity industry. It also confounds sensible apportionment of roles, responsibilities and resources among military, government agencies, industry and users.

Few information-age challenges can be countered effectively through revision of industrial-age laws, or by crafting nation-state agreements and protocols. Eric Schmidt and Jared Cohen believe that “governments will have to build new alliances that reflect the rise in citizen power and the changing nature of the state.”

Any lingering notion that leadership and governance can play a meaningful role in cybersecurity will be frustrated further as the Internet morphs ever more deeply into the pocket and purse of the feckless user—already the weakest link in the cyberchain.

Col. Alan D. Campen, USAF (Ret.), is a SIGNAL Magazine contributing editor and the contributing editor to four books on cyberwar.


Share Your Thoughts:

A decent summary of some of the issues and challenges. But the article lacks specifics on the (possible) solutions - something our leaders can really build, buy, edict, etc.

The four node network (ARPANet) was conceived and operational long before 1982 (Dec 1969). There were hundreds of nodes when the switch from NCP to TCP/IP occurred. The problem with threat/risk analysis is the interconnectivity of varying security implementations based on threat and defending against the weakest link.