Friday, April 16, 2010

"Cyber insecurity is the paramount national security risk."

Thanks to @borroff I read a fascinating article titled Cybersecurity and National Policy by Dan Geer. The title of my blog post is an excerpt from this article, posted in the Harvard National Security Journal on 7 April. This could be my favorite article of the year, and it proves to me that Dan Geer's writing has the highest signal-to-noise ratio of any security author, period.

(Personal note: I remember seeing Dan speak at a conference, and he apologized for reading his remarks rather than speaking extemporaneously. He said he respected our time too much to not read his remarks, since he wanted to conserve time and words.)

I've reproduced my favorite excerpts and tried to thus summarize his argument.

First, security is a means, not an end. Therefore, a cybersecurity policy discussion must necessarily be about the means to a set of desirable ends and about affecting the future. Accordingly, security is about risk management, and the legitimate purpose of risk management is to improve the future, not to explain the past.

Second, unless and until we devise a scorekeeping mechanism that apprises spectators of the state of play on the field, security will remain the province of “The Few”. Sometimes leaving everything to The Few is positive, but not here as, amongst other things, demand for security expertise so outstrips supply that the charlatan fraction is rising.

Third, the problems of cybersecurity are the same as many other problems in certain respects, yet critically different in others... these differences include the original owner continuing to possess stolen data after the thief takes it, and law enforcement lacking the ability to work at the speed of light.


Security is a forward-looking function, requiring a scorecard (sound familiar?) with problems that are both common and unique.

[B]ecause the United States’s ability to project power depends on information technology, cyber insecurity is the paramount national security risk...

[R]emember the definition of a free country: a place where that which is not forbidden is permitted. As we consider the pursuit of cybersecurity, we will return to that idea time and time again; I believe that we are now faced with “Freedom, Security, Convenience: Choose Two”

Dan then outlines three national security risks:

[W]hat types of risks rose to such a level that they could legitimately be considered national security concerns[?]...

The first is any mechanism that, to operate correctly, must be a single point of function, thereby containing a single point of failure...

[The second] national security scale risk is cascade failure, and cascade failure is so much easier to detonate in a monoculture...

[The third is that it] is simply not possible to provide product or supply chain assurance without a surveillance state...


Dan next provides us with what I may adopt as my own definition of security:

I currently define security as the absence of unmitigatable surprise.

This definition resonates with me, although it could be twisted for some odd consequences. Could one simply choose to never feel surprised in order to feel secure? I hope not! Dan provides some conclusions next:

[1] our paramount aim cannot be risk avoidance but rather risk absorption — the ability to operate in degraded states, in both micro and macro spheres, to take as an axiom that our opponents have and will penetrate our systems at all levels, and to be prepared to adjust accordingly...

[2] free society rulemaking will trail modalities of risk by increasing margins...

[3] if the tariff of security is paid, it will be paid in the coin of privacy...

[4] market demand is not going to provide, in and of itself, a solution.


I believe these are true. While explaining the third conclusion Dan notes:

It has been said over and over for twenty years, “If only we could make government’s procurement engine drive the market toward secure products.” This, ladies and gentlemen, is a pleasant fiction.

That is also true! I'm going to skip his discussion of government action and list three essential capabilities:

[T]he ability to operate in a degraded state is an essential capability for government systems and private sector systems.

A second essential capability is a means to assure broad awareness of the gravity of the situation...

There is a third essential, one that flows from recognizing the limits of central action in a decentralized world, and that is some measure of personal responsibility and involvement.


Dan concludes with:

For me, I will take freedom over security and I will take security over convenience.

I highly encourage reading the whole article. I skipped Dan's discussion of "regulation, taxation, and insurance pricing," but that is also worth understanding.

3 comments:

Andrew Jaquith said...

Thanks for posting this, Richard. Dan does indeed have the highest signal-to-noise ratio of anybody. I'll have to see how this one compares with my all-time favorite Geer speech, Risk Management is Where the Money Is, which is dated in a few places but has aged remarkably well.

gih said...

I do believe on that infomation. People never give attention to it but it's the most and effective way to fight the risk.

Michael Cloppert said...

Nothing like commenting nearly 30 days tardy, but I really enjoy Dan's commentary. He writes every month in Communications of the ACM, and always has great delivery and well thought-out points.