{"id":30,"date":"2009-02-10T18:17:15","date_gmt":"2009-02-10T23:17:15","guid":{"rendered":"http:\/\/blogs.law.harvard.edu\/fireunderembers\/?p=30"},"modified":"2009-02-11T01:00:20","modified_gmt":"2009-02-11T06:00:20","slug":"44%e2%80%99s-cyber-challenge","status":"publish","type":"post","link":"https:\/\/archive.blogs.harvard.edu\/fireunderembers\/?p=30","title":{"rendered":"44\u2019s Cyber Challenge"},"content":{"rendered":"<p>There continues to be concern that we are <a href=\"http:\/\/gcn.com\/Articles\/2008\/12\/12\/Leaders-call-for-bolder-security-agenda.aspx\">not doing enough<\/a> to address the problem of cyber security \u2013 even that we lack, still, a clear view of the problem, a vision or strategy to deal with it, or an investment plan that will succeed.<\/p>\n<p>It is not for want of trying. Our nation\u2019s cybersecurity issues are <a href=\"http:\/\/www.csis.org\/media\/csis\/pubs\/081208_securingcyberspace_44.pdf\">well-documented<\/a>. Yet current efforts such as the <a href=\"http:\/\/www.nextgov.com\/nextgov\/ng_20080801_9053.php\">National Cyber Security <\/a>initiative, cloaked in secrecy, and limited to governments, have been <a href=\"http:\/\/blog.wired.com\/27bstroke6\/2008\/05\/senate-panel-qu.html\">critiqued<\/a> as too little, too limited, and too mysterious. Others have offered sharp <a href=\"http:\/\/selil.com\/?p=477\">critiques of the critiques<\/a>.<\/p>\n<p>How should the United States or any reasonable nation <a href=\"http:\/\/www.dhs.gov\/xnews\/speeches\/sp_1208285512376.shtm\">respond<\/a>? The complexity of events and response, and their dynamism, argue for vision, strategy, and investment. 
For the United States, the advent of a national cybersecurity czar; of a chief technology officer with \u201cdomain\u201d over the federal IT enterprise; and of a chief privacy officer with similar purview, all point to a <a href=\"http:\/\/www.ctovision.com\/2009\/01\/the-future-of-cyber-security.html\">new level of seriousness<\/a> and commitment to cybersecurity in the new Administration.<\/p>\n<p>How shall we move next? As a new cyber czar takes this on, many approaches will compete for time, attention and investment.<\/p>\n<p>Should we attack the problem of cybersecurity at the level of hardware or software solutions, moving first to secure servers and computers, or applications and services?<\/p>\n<p>Should we perhaps approach the problem from the level of integrated management, taking up the major vulnerabilities which corporations and governments all face, such as identity management and authentication?<\/p>\n<p>We could focus instead on securing critical business operations \u2013 whether power plants, financial payments systems, or next generation civil aviation. At least we\u2019d be assured of lights on, cash available, and planes staying in the sky.<\/p>\n<p>Perhaps we should focus on securing the social web. Millions of citizens use Twitter and Facebook, for example, and we\u2019ll need those during disaster or crisis &#8212; or even for everyday \u201ccitizen engagement\/web 2.0\u201d activities. That digital device in my pocket is my friend and yours. Or, is it an enemy\u2019s on-ramp? At the moment, there\u2019s no saying it\u2019s not both, and that makes the social web risky.<\/p>\n<p>Should we, rather, deal with the \u201cupstream\u201d problem of nation states and criminal organizations who sponsor this stuff, and attack, dismember, and destroy them? Could we do that even if we wanted? 
Maybe we need them, too \u2013 for our own purposes.<\/p>\n<p>Perhaps we should articulate a meaningful doctrine of cyber deterrence which freezes actors, not simply from fear of capture but from the threat of dire consequences to themselves, their families, and their allies. No one has, yet.<\/p>\n<p>\u00a0<\/p>\n<p><strong>Framing the Options: The 10 Challenges We Face<\/strong><\/p>\n<p>A new cyber security czar will quickly face such choices. Ultimately, the czar will have to translate all into tactical, practical, and actionable options and results. Any strategy for cybersecurity would have to address \u2013 <em>have an answer to<\/em> &#8212; these ten great challenges:<\/p>\n<p style=\"padding-left: 30px\">1.\u00a0\u00a0\u00a0 The boundary between nation states, rogue states, and criminal organizations is now blurred. As recent <a href=\"http:\/\/www.scribd.com\/doc\/6967393\/Project-Grey-Goose-Phase-I-Report\">Russian-involved cyber attacks<\/a> on Estonia, Georgia, and now <a href=\"http:\/\/intelfusion.net\/wordpress\/?p=509\">Kyrgyzstan<\/a> make clear, many groups may concentrate or coordinate attacks for strategic purpose and tactical gain. <em>Any cyber strategy must enable us to deter, detect and thwart such complex, multipronged attacks.<\/em><\/p>\n<p style=\"padding-left: 30px\">2.\u00a0\u00a0\u00a0 Key global and domestic infrastructures remain vulnerable, even unattended. Do our electronic payment systems, for example, remain exposed? Who has &#8212; <em>owns <\/em>&#8212; a clear strategy to define, let alone assure, minimum essential functioning at the retail or wholesale level in the event of attack? <em>We need a cyber strategy that defines the minimum essential level of functioning required for key infrastructures, specifies its requirements, and assures it.<\/em><\/p>\n<p style=\"padding-left: 30px\">3.\u00a0\u00a0\u00a0 The uptake and adoption of innovation is uneven, and creates risk in pockets. 
Yet network defense of every node is inherently more difficult than network attack on a single node \u2013 especially networks that criss-cross organizations, sectors and nations. <em>We need a strategy that assures adoption of innovation throughout networks and which is consistent with requirements for resilience in our key sectors.<\/em><\/p>\n<p style=\"padding-left: 30px\">4.\u00a0\u00a0\u00a0 The nation\u2019s welfare is no longer a mere function of government: corporate vulnerabilities create risk for the nation and obligation for private sector initiative and investment. <em>We need a cyber strategy that articulates an effective approach, whether by market or regulation, to secure corporate assets as vital to national security.<\/em><\/p>\n<p style=\"padding-left: 30px\">5.\u00a0\u00a0\u00a0 With military R&amp;D limited now, commercial R&amp;D proliferates and is widely available as technology both to attackers and defenders; the race to \u201casymmetric\u201d advantage is based therefore not on technical superiority but on adaptation and response. <em>We need a cyber strategy with a strong translational \u201cbench-to-community\u201d research capability, to move innovation quickly from field, to lab, to field again.<\/em><\/p>\n<p style=\"padding-left: 30px\">6.\u00a0\u00a0\u00a0 Federal, state and local budgets are severely constrained; the opportunities for massive new infrastructure investments are limited; the capital plant as it exists today will likely be the legacy for the next decade; adapting legacy infrastructure to current and future challenges is therefore critical. <em>We need a cyber strategy that requires few new resources and focuses on retrofitting the existing capital plant to new capabilities.<\/em><\/p>\n<p style=\"padding-left: 30px\">7.\u00a0\u00a0\u00a0 Governance of the national cybersecurity enterprise can neither be czar-like and autocratic, nor anarchic or idiosyncratic. 
It must balance <em>wisdom of crowds<\/em> with <em>communities of expertise<\/em>. In no sense is governance now specified. Moving to standards, proving capabilities, assuring dynamic resilience are attributes any well-governed enterprise must provide for. <em>We need a cyber strategy whose own process balances well the need for secrecy with public engagement.<\/em><\/p>\n<p style=\"padding-left: 30px\">8.\u00a0\u00a0\u00a0 Our procedures for acquiring new products and services continue to slow our responses. Our adversaries \u2013 smaller, faster, more agile, less constrained &#8211; may adapt far more quickly to opportunity, and to our innovations, than we can. <em>We need a cyber strategy which reforms our acquisition and procurement to support requirements for asymmetric advantage in cyberspace.<\/em><\/p>\n<p style=\"padding-left: 30px\">9.\u00a0\u00a0\u00a0 The move to incorporate informal citizen and user networks under the \u201cweb 2.0\u201d banner is unstoppable. It is also highly useful \u2013 especially in managing contested or confused domains of disaster, battle, or crisis. Such moves also put information reliability and security at risk. <em>We need a cyber strategy that permits government and industry to take advantage of citizen networks while addressing critical issues in authentication and security.<\/em><\/p>\n<p style=\"padding-left: 30px\">10.\u00a0\u00a0\u00a0 We have good \u201cpoint\u201d measures of readiness and capability, but no consistent way to apply them across our extended enterprise. That enterprise is of its nature a Wild-West show; who just came on and came off the enterprise platforms and how did that change risk for all? 
<em>We need a capability to measure and test ever-changing risk, readiness and capability for cyber attack across extended enterprises which cross the boundaries of organizations, sectors and nations.<\/em><\/p>\n<p style=\"padding-left: 30px\">\u00a0<\/p>\n<p style=\"padding-left: 30px\"><strong>The Leadership Play: Fixing What\u2019s Wrong<\/strong><\/p>\n<p style=\"padding-left: 30px\">A cybersecurity czar faces critical questions not only of strategy, but of managing a sprawling enterprise over which the czar will have little direct authority or control. What effects will she want to achieve? What\u2019s the right mix of government and industry action to achieve them? Will it be by regulation and enforcement, or laissez-faire market forces? None are perfect. How best to work the levers of change? As a nation, we will explore that next.<\/p>\n<p style=\"padding-left: 30px\">[Cross posted to the Harvard Kennedy School <em>Leadership for a Networked World<\/em> <a href=\"http:\/\/www.lnwprogram.org\/blog\/\">blog.<\/a>]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There continues to be concern that we are not doing enough to address the problem of cyber security \u2013 even that we lack, still, a clear view of the problem, a vision or strategy to deal with it, or an investment plan that will succeed. It is not for want of trying. 
Our nation\u2019s cybersecurity [&hellip;]<\/p>\n","protected":false},"author":1649,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-30","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/archive.blogs.harvard.edu\/fireunderembers\/index.php?rest_route=\/wp\/v2\/posts\/30","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/archive.blogs.harvard.edu\/fireunderembers\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/archive.blogs.harvard.edu\/fireunderembers\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/fireunderembers\/index.php?rest_route=\/wp\/v2\/users\/1649"}],"replies":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/fireunderembers\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=30"}],"version-history":[{"count":0,"href":"https:\/\/archive.blogs.harvard.edu\/fireunderembers\/index.php?rest_route=\/wp\/v2\/posts\/30\/revisions"}],"wp:attachment":[{"href":"https:\/\/archive.blogs.harvard.edu\/fireunderembers\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=30"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/fireunderembers\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=30"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/fireunderembers\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=30"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}