"WE MUST CHANGE OUR THINKING ABOUT CYBERSECURITY"
What is "Cybersecurity", or is it "Cyber Security"? Why has the lexicon shifted, from "network security", next to "information security", and now to "cybersecurity"? Some refer to it as "data protection". Is the shifting language little more than a tautology to gain some business advantage -- or is there some important meaning for the emergence of "cybersecurity" into the lexicon?
As a Nation, the United States has national strategy documents and implementation plans on cybersecurity, international cybersecurity strategy, national defense cybersecurity strategy, and a number of other national studies and plans related to cybersecurity. Yet, the Nation has never defined cybersecurity. We are pursuing cybersecurity without a problem statement or a definition. First order of business for any study or project is to state the problem - and critically, that problem statement must be accurate and feasible.
The source of the problem begins with the Internet itself, or more specifically the intersection of the Internet with society. Much like the hostile threats to villages of centuries ago, rampaging Internet hordes today can target any sleepy hamlet as long as connectivity that facilitates the flow of electronic communication packets is available. This modern attack vector skirts the role of government that most of society has come to expect. Oceans, national borders, and civil immunity from attack norms offer no protection today. The fundamental reason for this shift in security is that the Internet was designed to connect.
Internet connectivity enables any bad actor - hacktivist, cyber criminal, state actor, or cyber terrorist - to attack any connected computer in any location in the world. This presents profound questions about the role of government in security. National security is now an inward-facing challenge.
For society, this paradigm shift means that we are all on the front lines in a new threat environment. Hacktivists will go after any organization who offends the hacktivist sensibilities or fits their attack campaign. Criminals will scan the Internet for low hanging fruit and seek high-value targets. Nation-states and terrorists will pursue strategic targets.
For Government, national security is now an inward-facing challenge.
Faced with attackers more technologically sophisticated, how should businesses respond? Oddly enough, they need to view security with an inverse methodology than the Government's need to look inward. Because the Government cannot defend corporate networks - nor is it the role of government in a Western society to systematically trespass upon private networks - businesses must implement an intelligence-based security system. Businesses must look outward. They must remain aware of the attack trends of attackers. This mindset is vastly different from the security construct traditionally held up as the information security professional's framework: Confidentiality - Integrity - Availability. It is not that this framework is wrong; rather, it is that this thinking causes information security professionals to look at their network rather than the adversary. We are now in the cybersecurity era. This is why cybersecurity differs from information security. It is not a tautology. It is a reflection of a paradigm shift brought about by advances in the Internet - speed, connectivity, ubiquitous devices, and adversaries looking to use these features to achieve illicit goals.
Through the Internet, we are all on the Front Lines
Why must we change our thinking about cybersecurity? Because we continue to use static control measures to a dynamic problem. There are attackers on the other side, who are using creative techniques to circumvent the controls we publish in the form of standards and protocols. Failing to recognize changes in the environment will lead to continued loss of money, intellectual property, national secrets, and sensitive proprietary information. Approaching cyberspace challenges with the static approaches of the former Information Security evolutionary model can be analogized as "The Maginot Line of Cyberspace". To avoid a similar demise, we must rethink cybersecurity challenges as a dynamic challenge that necessitates a whole of society defensive approach.
Douglas M. DePeppe
The views contained in this writing are somewhat evangelical, but they are core to my approach to cybersecurity and my belief that society is currently on the wrong path toward security in the Internet Age. Indeed, this belief caused me to form a consulting enterprise rather than a law firm, to better bring forward solutions that integrate law and technology and make a difference. My thinking on cybersecurity also led to the creation of the Western Cyber Exchange as the structure needed to enable cross-sector and public-private information sharing for the sake of situational awareness and delivering fused intelligence to network defenders. And finally, this website was fashioned - with a blog in development - to provide a platform for further evangelizing the message I seek to promote: That We Need to Better Define the Cyberspace Challenge, Both Government and Industry. Through my vocation (i2IS), my avocation (WCX), and my publishing and online presence I hope to carry this message forward as well as continuing to offer solutions.