Last week the Center for a New American Security (CNAS) released a new report on cybersecurity authored by Richard Danzig titled “Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America’s Cyber Dependencies.” CNAS hosted a panel discussion featuring the author and fellow cyber luminaries from DARPA, Harvard’s Belfer Center for Science and International Affairs, and others. As Danzig says during the panel, a core issue in cybersecurity is how
“technologists themselves do not understand how their technology is going to be used and is used, and policymakers … do not understand how the technology has fundamentally changed the game.”
With one foot in the technical and policy communities, Danzig outlines why and how cyber-vulnerabilities exist in a manner that is approachable for newcomers to the field while offering deep commentary for old hands. Highly recommended for anyone with an interest in cyber policy. The report can be found at the CNAS’s website here, and the video of the panel is embedded below. The executive summary is reproduced below the fold.
EXECUTIVE SUMMARY
Digital technologies, commonly referred to as cyber systems, are a security paradox: Even as they grant unprecedented powers, they also make users less secure. Their communicative capabilities enable collaboration and networking, but in so doing they open doors to intrusion. Their concentration of data and manipulative power vastly improves the efficiency and scale of operations, but this concentration in turn exponentially increases the amount that can be stolen or subverted by a successful attack. The complexity of their hardware and software creates great capability, but this complexity spawns vulnerabilities and lowers the visibility of intrusions. Cyber systems’ responsiveness to instruction makes them invaluably flexible; but it also permits small changes in a component’s design or direction to degrade or subvert system behavior. These systems’ empowerment of users to retrieve and manipulate data democratizes capabilities, but this great benefit removes safeguards present in systems that require hierarchies of human approvals. In sum, cyber systems nourish us, but at the same time they weaken and poison us.
The first part of this paper illuminates this intertwining. The second part surveys the evolution of strategies to achieve greater cybersecurity. Disadvantaged by early design choices that paid little attention to security, these strategies provide some needed protection, especially when applied collectively as a coordinated “defense in depth.” But they do not and never can assure comprehensive protection; these strategies are typically costly, and users will commonly choose to buy less security than they could obtain because of the operational, financial or convenience costs of obtaining that security.
Three other factors, discussed in Section V, amplify cyber insecurity. First, the cyber domain is an area of conflict. Cyberspace is adversarial, contested territory. Our adversaries (including criminals, malevolent groups and opposing states) co-evolve with us. The resulting ecosystem is not static or stable. Second, the speed of cyber dissemination and change outpaces our recognition of problems and adoption of individual and societal safeguards to respond to them. Protective actions are likely to continue to lag behind security needs. Third, in cyberspace America confronts greater-than-customary limits to U.S. government power because of the global proliferation of cyber capabilities, cyber attackers’ ability to remain outside the United States even while operating within the country’s systems and our likely inability, over the long term, to avoid technological surprise. Two-thirds of a century of technological dominance in national security matters has left the United States intuitively ill-prepared for technology competitions that it probably will not continue to dominate and in which there is a high likelihood of surprise.
What then is to be done? The concluding part of this paper does not attempt to recapitulate or evaluate efforts now extensively debated or in progress. It focuses instead on recommending initiatives that deserve fresh attention from U.S. government decision-makers. These include:
- Articulate a national security standard defining what it is imperative to protect in cyberspace.
The suggested standard is: “The United States cannot allow the insecurity of our cyber systems to reach a point where weaknesses in those systems would likely render the United States unwilling
to make a decision or unable to act on a decision fundamental to our national security.” A more stringent standard may later be in order, but this standard can now secure a consensus, illuminate the minimum that the United States needs to do and therefore provide an anvil against which the nation can hammer out programs and priorities.- Pursue a strategy that self-consciously sacrifices some cyber benefits in order to ensure greater security for key systems on which security depends. Methods for pursuing this strategy include stripping down systems so they do less but have fewer vulnerabilities; integrating humans and other out-of-band (i.e., non-cyber) factors so the nation is not solely dependent on digital systems; integrating diverse and redundant cyber alternatives; and making investments for graceful degradation. Determining the trade-offs between operational loss and security gain through abnegating choices will require and reward the development of a new breed of civilian policymakers, managers and military officers able to understand both domains.
- Recognize that some private-sector systems fall within the national security standard. Use persuasion, federal acquisition policies, subsidy and regulation to apply the abnegating approach to these systems. While doing this, reflect an appreciation of the rapidity of cyber change by focusing on required ends while avoiding specification of means. Refrain from regulating systems that are not critical.
- Bolster cyber strategic stability between the United States and other major nation-states by seeking agreement on cyber constraints and confidence-building measures. As an early initiative of this kind, focus on buttressing the fragile norm of not using cyber as a means of physical attack between China, Russia and the United States.
- Evaluate degradation in the sought-after certainties of mutually assured destruction (MAD) as a result of uncertainties inherent in cyber foundations for nuclear command, control and attack warning. If we are moving to a regime of mutually unassured destruction (MUD), suggest to China and Russia that we are all becoming less secure. Then pursue agreements that all parties refrain from cyber intrusions into nuclear command, control and warning systems.
- Map the adversarial ecosystem of cyberspace in anthropological detail with the aim of increasing our understanding of our adversaries and our own incentives and methods of operation.
- Use the model of voluntary reporting of near-miss incidents in aviation to establish a data collection consortium that will illuminate the character and magnitude of cyber attacks against the U.S. private sector. Use this enterprise as well to help develop common terminology and metrics about cybersecurity.
- Establish a federally funded research and development center focused on providing an elite cyber workforce for the federal government. Hire that workforce by cyber competition rather than traditional credentials, and promote, train, retain and assign (including to the private sector) that workforce by standards different from those currently used in federal hiring.