Good Cybersecurity Requires Action From Many Players

Cybersecurity continues to be a major focus for Congress and the Administration, and a major investment area for government and industry (see prior blog summary).  Efforts to strengthen security are often based on a traditional cause and effect model – agencies do x, hoping for a result of y.  But securing the many ways that identities, transactions, and information travel across the internet requires a more complex response, in which actions of different affected parties can reinforce (or undermine) the outcome.  Stated another way, cybersecurity can be strengthened by strong links, but is security is only as strong as the weakest link in a cyber chain.

The Department of Homeland Security this week released a white paper on this subject – “Enabling Distributed Security in Cyberspace."  The DHS paper marks a significant step in how the government frames cybersecurity, using the model of an “ecosystem” in which “diverse participants … interact for multiple purposes.”  Prepared under the Direction of Philip Reitinger, Deputy Undersecretary for DHS’ National Protection and Programs Directorate, the paper envisions a path forward to a place where people and technology see and communicate in real time about how to address cyber vulnerabilities and threats, and strengthen cyber protections.  

The paper makes an analogy to other complex ecosystems, including the human immune system – where the body recognizes a virus and responds in many coordinated ways to heal – and the public health system led by the Centers for Disease Control – where information about a dangerous virus found by one facility is shared with many, who collaborate on a response.  The public health model has been cited as useful for cybersecurity in other publications, including work that I participated in with the Center for Strategic and International Studies, as well as an IBM white paper on the topic.

DHS cites 3 “building blocks” for a cyber ecosystem:

• Automation – using computers and networks to increase the speed of collective detection and response
• Interoperability – ensuring that people and technology can communicate using the same language about cyber, based on a consistent set of policies – leveraging current programs focused on security content automation (the National Institute of Standards and Technology is one of the world’s leaders in such activities). 
• Authentication – Making sure people and devices know who they’re talking to online, and trust the integrity of those communications (the Administration will soon release its National Strategy for Trusted Identities in Cyberspace, more later).  

DHS then introduces a 5-level maturity model for network security, where entities move from loose focus and little convergence with other parts of the ecosystem at Level 1 (isolated) to robust, fully connected, self-correcting convergence at Level 5 (Edge).  The paper identifies key components of a healthy ecosystem and the health of participants in the system, and closes with a short discussion of incentives and next steps toward this vision.

The ecosystem model is powerful, and may be the best long-term road for cybersecurity in a complex world.  DHS is to be commended for its thoughtful approach and engagement – comments are welcome at cyberfeedback@dhs.gov.  In that spirit, here a few additional areas for ecosystem consideration:

• Technology evolution (or revolution) – the system needs to be flexible to accommodate new ways of communicating online, in addition to new threats to that communication.  A “healthy” approach could build in a technology scan function, where the cyber actors continuously review innovations and adapt the manner of a response.
• Privacy – special consideration needs to be given to protecting personal information.  Once could envision an ecosystem that is characterized by significant monitoring, which would be a threat to individual liberties and raise significant political discussion.  Alternatively, the ecosystem could built in data protection as a core tenet.  The DHS paper makes this point in subtle ways; the issue merits explicit focus.
• Use-case rollout – For the model to be understood and incorporated by non-cyber experts, a few examples of how they should act – and the consequences of inaction – would go a long way.