Editor’s note: Greg Shannon is chief scientist for the CERT Division at Carnegie Mellon University’s Software Engineering Institute, and chair of the IEEE Cybersecurity Initiative.
Director of National Intelligence James Clapper recently testified before Congress that his fundamental concern focuses on the “moderate, iterative and constant barrage of cyber attacks on U.S. infrastructure” that will “impose cumulative costs on U.S. economic competitiveness and national security.” Whether one agrees or not, Clapper’s comment led me to consider what an economy-threatening cyber attack really means.
A long-term cyber threat or attack might be like a war of attrition and last 30 years. If that shaves 1 percent of GDP each year, do we care? Is that “economy threatening”? This may well be the sort of assessment that policymakers will have to make on our behalf.
One approach is to distinguish between, say, petty crime and larger, broader threats. We can’t make everyone secure. In terms of national policy, a steady, persistent wave of mid-level attacks may well be a relevant threat we need to focus on. But we can’t be swayed by every individual breach as “economy threatening” no matter how large the headline.
The basics
Cyberspace encompasses our national defense, critical infrastructure, industries, communications, transportation, commerce and personal lives. It’s woven throughout the fabric of our economy. These interrelationships will only deepen with time, especially with the Internet of Things. Given the nature of the threats and vulnerabilities inherent in a networked, cyber-connected world, cybersecurity will never be absolute.
Functionality and its brother, value creation, make uneasy bedfellows with security. Total security would mean zero functionality. The appropriate goals are to understand one’s interactions with cyber space, identify vulnerabilities, assess risks and mitigate them at a reasonable cost with technology and processes that minimize cost and effort. Beyond risk management, cybersecurity is also about organizational resiliency and strategies for business continuity, when (not if) an attack is successful. This is the dance – increasing functionality and value as we mitigate risk – that we are engaged in forevermore.
If most of us practice good cyber hygiene, our economy is unlikely to suffer from a breach of the weakest link.
There is no single, magic solution to cybersecurity, nor will tomorrow likely produce one. We have an array of options in our toolkit and efforts are underway to improve them, innovate new ones and assess the effectiveness of various measures to make their adoption of cybersecurity measures simple, affordable and, therefore, attractive across society. Technology can provide only part of the solution.
Therefore, I told our Congressional representatives during a hearing last week before the House Subcommittee on Oversight and Investigations, a subset of the House Committee on Energy and Commerce, that we need to make a science of cyberspace and security, a statement I’ll expand upon below. (The subcommittee’s focus was “Cyber Threats and Implications for the 21st CenturyEconomy.”) We are in the fledgling stages now, as we’re just grasping the dimensions of the challenge. And it’s going to take a lot of work, a lot of time and a lot of cooperation to meet that challenge.
Four pillars of cyberspace
To grasp the challenge in securing cyberspace and provide a foundation for selecting paths to solutions, it’s necessary to articulate the fundamental connection between cyberspace and a vibrant, innovative, growing economy. This involves the four pillars of secure cyberspace: trust, people, efficiency and measured outcomes.
People and organizations using cyberspace will trust and use cyberspace if they perceive that the balance of value versus risk is positive. Collectively, if most of us practice good cyber hygiene, our economy is unlikely to suffer from a breach of the weakest link.
Human behavior remains a mysterious variable. We must understand how adversaries think and act and why many of us remain unmotivated to use the tools at hand to protect ourselves. Richard Bejtlich, chief security strategist for FireEye, testifying alongside me, said that cyber breaches often result from sloppy security practices.
“Efficiency” means economically effective practices that produce clear value in terms of ROI to encourage adoption.
“Measured outcomes” merely echoes my point about establishing a science of cybersecurity, because determining ROI is based on measurable improvements to drive investments in security performance.
Promising technologies and time frames
Technology certainly plays a major role in improving cybersecurity. I informed our representatives that the IEEE Computer Society 2022 Report references an array of promising, emerging technologies to sustain cyber trust and impede adversaries. I’ll mention just a few:
Near-term: risk modeling and management, two-factor authentication, cyber-intelligence and analysis. The focus here is on the efficient deployment of cybersecurity measures. Risk modeling and management is the core idea behind the NIST CybersecurityFramework, which is based in part on the CERT Resiliency Management Model.
Two-factor authentication is common now in cloud-based email (e.g. Gmail and Hotmail) and is becoming more common in retail and online banking. Cyber intelligence and analysis is the technical reason for the high interest in “information sharing” and “threat analysis,” at least by the U.S. government.·
Mid-term: resilient, trustworthy ecosystems; efficient security and privacy architectures; design methods and development tool chains; human behavior modeling. These approaches are evolving. Researchers, engineers and businesses are exploring scalable ways to deliver and sustain these capabilities. The current best ecosystem example is the Apple iOS applications and deployment environment, more commonly known as the Apple App Store.
The IEEE Center for Secure Design is working on reducing or eliminating design flaws. The center’s recent report, Avoiding the Top Ten Software Security Flaws, is a first step. Modeling human behavior is key to understanding effective options for privacy control on social platforms.
Long-term: secure, privacy-preserving computing, proofs of correctness and searches for counter-examples, quantum-secured communications. These long-term approaches are focused on ongoing, basic research with fast development of prototypes for analysis, experiments and trial deployments.
One significant technological approach – not really a discrete technology per se – focuses on energy. Today, it requires only modest computing and human energy to mount an economy-threatening cyber attack, which favors adversaries by an order of magnitude. My colleagues and I are now investigating how a cyber infrastructure might require adversaries to expend exceptional energy to pose a threat to our economy.
Public policy decisions to come
Clearly, based on comments and questions from Chairman Tim Murphy (R-PA) during my hearing last week, our representatives seek to become better informed. They’re looking for answers to a pressing national need. Individuals rightly focus on the cybersecurity and data privacy in their daily lives.
Enterprises and organizations, public or private, rightly need to exert due diligence in defining their cyber interactions and vulnerabilities and cost-effectively mitigate risk. But when it comes to economy-threatening cyber attacks, that’s a different animal with complex trade-offs.
In terms of framing public policy questions and decisions, we’ll collectively have to assess systemic vulnerabilities and decide on acceptable levels of risk, as well as the levels of cooperation and investment needed to mitigate risk.
Last week’s hearing should provide a measure of optimism around the development of cybersecurity solutions that work.