President's Commentary: Enough Procrastination Over Cybersecurity
Government officials, academia, business leaders, policy wonks and security experts have been mulling over how to implement an effective cybersecurity strategy for years. Operating in a domain that is dynamic, loosely defined and constantly shifting does not mean that the quest for a solution must be interminable. The adoption of thoughtful, well-crafted cybersecurity policy must quickly move from theory to practice—now. And this move must be holistic.
The first and most significant step toward this holistic approach is to develop and foster a culture that understands the concepts, issues and dangers inherent in failing to address the cyberthreat appropriately. Such a culture understands the trade-offs between mission success—whether military, government or commercial—and the cost of investments in cybersecurity; it understands the full cost of intellectual capital lost to cyber events; and it establishes and manages acceptable levels of risk accordingly. A properly inculcated culture drives all other cyber-related efforts. Until cyber is viewed, integrated and understood in the same regard as the air, maritime, space and land domains, it will fall short of receiving the emphasis it requires. Cyber and cyber-related activities dramatically raise the value and effectiveness of capabilities operating in the other domains.
Second, the major parties involved—the Defense Department, the Department of Homeland Security, the civilian federal government, the intelligence community, industry and academia, for example—must accelerate the integration of their cybersecurity capabilities, understanding and knowledge. They need to establish an integrated approach to cybersecurity based on their collective best practices. For too long, these entities have pursued separate agendas without effectively melding their combined expertise. The walls of mistrust between them must be eliminated. While various efforts have been made to share lessons learned, each group still tends to focus on its own needs and capabilities. Greater emphasis is needed on a consolidated approach in which the combined intellect and thought leadership are integrated and united inside government and extended to the commercial sector and academia. The steps taken thus far are important, but they receive more credit than they merit.
Third, education is a key element in fostering the appropriate culture. We must do a better job of educating and developing leadership across defense, government, industry, academia and the public at large about the full nature of the cyberthreat we face. Efforts such as the Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) Program are confronting this issue, but the program's scope and focus reach too small an audience to realize its full value. We need to expand the number of commercial and nongovernmental organizations brought into the cybersecurity process, as well as the quality and quantity of information shared across these diverse elements. If properly managed, the reward of expanded information sharing outweighs the risk. If leaders across industry, government and academia are not sufficiently educated about the threat, they are unlikely to expend the effort and resources needed to meet the challenge. We need to double down on educating our senior leaders and decision makers across all domains about the cyberthreat we face.
Risk management is at the heart of any cybersecurity strategy. There is no silver bullet on the horizon to prevent or defend against cyber attacks, so we must manage the risk. An effective risk management strategy must focus on the critical mission needs of an organization and on protecting that mission against interruption. The 2010 National Research Council study titled “Information Assurance for Network-Centric Naval Forces” frames risk this way: “Risk is measured by the consequences of things that go wrong and the corresponding likelihoods of occurrence. When consequences can be extreme, the likelihood of occurrence needs to be virtually eliminated. A rigorous mission risk analysis of information assurance issues is likely to lead to a better understood and more rational set of investment and system design priorities.” The more critical the mission, the closer to zero the likelihood of occurrence must be driven.
The critical mission architecture, rather than the enterprise architecture, should be the focus of cybersecurity efforts. The network, its systems and its applications must be managed through a strong configuration management and configuration control process. Aircraft configuration changes and upgrades are managed through a structured block upgrade process. Ships adhere to a similar level of process and discipline for alterations and upgrades. Why not networks, systems and applications? Such a process need not become a tedious bureaucracy. It would ensure that finite resources are allocated to the highest priorities and that security and mission resilience are considered in design. This requires a high level of systems engineering to accommodate growth and security—a level of engineering that is fast becoming a lost skill.
This recommendation focuses on the military, but these activities must extend throughout all government, industry and academia. Under the holistic approach, cyberthreat information sharing across the disciplines must be emphasized. In particular, we need to understand the operational tradeoffs between the risk of failing to share information versus the risk of sharing it and having it disclosed to inappropriate or unauthorized parties.
Threats to cyberspace can come from multiple vectors. A fragmented approach to cybersecurity unnecessarily opens gaps and seams in our overall security posture that invite exploitation. A smart, holistic approach is necessary, and it must begin now.