Cyber security strategies: doubts persist, doubts multiply
When it comes to cyber security, we are in a cyber strategy crisis, short on vision and short on tactics. Reusing old strategies and shuffling management responsibilities and stale processes will not make us safe on either side of the Atlantic
Under the direction of the newly appointed Cyber Czar, the US has dusted off unclassified portions of the Comprehensive National Cybersecurity Initiative (CNCI)* from the Bush Administration. This collection of initiatives is aimed at improved detection technology, more situation aware protection operations, better hardening of selected targets, and leap-ahead innovation. Does this cyber security strategy really taste better when aged?
Somewhat more recent, the U.K. cyber security strategy of 2009 concentrates on forming new organisations, one focused on "strategy leadership for and coherence across government" and the other on consolidating existing functions associated with incident response and risk management. ** Why is this reminiscent of rearranging deck chairs?
Both strategies appear sidetracked on peripheral issues. Neither grapples with the essential analytics, tradeoffs, and tactics necessary to achieve trustworthiness, security, and resilience. The one thing the 2010 Cyber Shock Wave*** simulation has taught us is that we need to stop playing possum and formulate a game-changing cyber strategy. Participants in the simulation and those watching the proceedings quickly learned that necessary tradeoffs between security and privacy need to be anticipated and dealt with in advance. Coping with the unresolved political conflict between security and privacy in the midst of an attack promises a bad outcome.
What is a strategy? A strategy is an overarching plan to achieve a vision along with the policies and protocols that link and coordinate the tactics employed. In cyber security time matters and things move fast, at the speed of light... faster than people can close their command and control loops. So a cyber strategy must include the policy to authorize in advance time critical actions based on tradeoffs that have carefully weighed cause, effect, and consequence. It is through continuously rebalanced tradeoffs and adjustments in the policy authorizing time critical actions that a strategy retains its currency in the face of new knowledge and new threats... and new administrations.
What is the vision? What is needed is a commitment to anticipate, avoid, withstand, mitigate, and recover from the effects of adversity whether manmade or natural under all circumstances of use. However, there is little focus on anticipation and avoidance before the attack, only the need for first responders after the attack. These first responders arrive in the form of dedicated software engineers who must attend to cleanup and recovery chores... and more patching, distraught business executives who must make up for lost opportunity costs and try to overcome the impact of loss of trust in their operations,
frustrated users who must cope with loss of availability through jerrybuilt workarounds, and victimized customers who must suffer loss of privacy.
What are the tactics? Simply put we need effective cyber tactics on anticipation, detection, attribution, and counter measures. However, these cyber tactics are currently underdeveloped and insufficient as implementers of a nation's cyber strategy. Until these cyber tactics evolve to a more robust level of professional maturity, cyber strategies will continue to be framed in the political domain with its unresolved clashes of philosophy. Without a framework of cyber tactics, cyber strategy will continue to remain unhinged.
Don O'Neill, Independent Consultant, ONeillDon@aol.com, Former President (2005-2008), Center for National Software Studies, USA http://www.CNsoftware.org
*The Comprehensive National Cybersecurity Initiative, http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative
**Rush, Jonathan, "Doubts persist following appointment of US Cyber-Czar", CT Review, Jan/Feb 2010, page 6
***Cyber Shock Wave, 16 February 2010, Bipartisan Policy Center (BPC), Mandarin Oriental Hotel, Washington, D.C.
