Critical Infrastructure, Cyber Conflict, and Compliance Regimes
A panel on cyber security policy offered both a take on the current state of the sector and advice for the next Administration and Congress. Panelists included Richard Harknett (Professor of Political Science at the University of Cincinnati, currently scholar-in-residence at US Cyber Command), Melissa Hathaway (President of Hathaway Global Strategies and senior adviser to Project MINERVA at the Harvard Kennedy School), Catherine Lotrionte (Director of the Institute for Law, Science and Global Security and Visiting Assistant Professor of Government and Foreign Service at Georgetown University), and Angela McKay (Director, Cybersecurity Policy and Strategy at Microsoft). Aaron Brantly (Assistant Professor in the Department of Social Sciences and the Army Cyber Institute, United States Military Academy) chaired the session.
Why cyberspace is a different kind of operational domain.
Richard Harknett opened by stressing the need to map policy to strategic realities, and understanding those realities begins with understanding how cyberspace is different.
First, the terrain is not steady, and so there's no steady state of defended terrain. And the terrain is neither a given nor a space constructed by red and blue (that is, by nation-state adversaries) but one constructed by actors whose motivations are different from those of states. For the most part these are business community actors, like Amazon, who have interests that may or may not converge with national security.
Cyberspace is a field of activity for a variety of agents who have very different motivations. This space isn't separated, and red can play in it as easily as can blue and white. All of these actors are in constant contact; all of them are playing with or against one another simultaneously.
Unfortunately, Harknett thought, our policies still assume this kind of interaction can be disentangled, that the entanglement is somehow aberrant. This is quite mistaken: structurally, cyberspace is interconnected. It's not a discrete military domain, but rather an interconnected domain in which the military and everybody else have to operate with one another. Since our policies haven't been formed with an understanding of this, we don't have strategies of interconnectedness that assume constant contact as a fundamental feature of this domain. It's too fluid to conceive in terms of offense and defense; operations in cyberspace require disruption and fluidity. Cyber conflict is, Harknett thought, comparable in its "radical newness" to the early years of nuclear deterrence.
Getting serious about outcomes means getting serious about critical infrastructure.
Melissa Hathaway argued that the next president needs to think about outcomes, and to do so intelligently should work with a reduced set of critical infrastructure. "There aren't fifteen; there are three."
The first class of critical infrastructure is the electrical power grid, and this must be cleaned up. The energy grid is effectively in a state of emergency. The second class is telecommunications, and the ongoing botnet infestations we're seeing here indicate the direction in which threats to this infrastructure are moving. The third is the financial system.
All three of these must be secured, and in all three of these areas, Hathaway argued, adversaries have pre-positioned weapons ready to detonate.
Deterrence as an alliance issue.
Catherine Lotrionte advocated assisting NATO partners to develop cyber resilience. NATO realizes that cyber conflict is real, and has acknowledged officially that a cyber attack could trigger Article 5, the Alliance's commitment to mutual defense.
She recommended "extended deterrence," and proposed that the US take the lead in building a cyber framework. She advocated prioritizing defense of telcos, ISPs, and the electrical grid, and urged that NATO develop the sorts of playbooks and exercises for cyber operations that it has evolved in other areas.
Incentives and disincentives in service of software security.
Angela McKay discussed the issues surrounding insecure software systems, and the incentives and disincentives to fixing software problems. She thought, basically, that we're not adequately focused on risk management, and that it's difficult to apply risk management principles in a practical, prioritized way. Our public-private partnership isn't working well, and we haven't yet evolved a sound system of incentives and disincentives.
As we talk about such a system, she said, "It's important not to break innovation for the sake of security." In particular, she thought that discussions of software liability are moving too fast, and that liability is only one of several sources of incentives and disincentives: standards, insurance, procurement, regulation, and liability all have a role to play.
But as the system evolves, we must bear in mind that the development world is changing very quickly. Now non-tech companies develop technology. Toy companies and banks all have developers. (In fact, McKay noted, Goldman Sachs has more developers than Facebook.)
"We don't want to stifle the IoT innovation space," McKay said, "and strict liability will kill IoT innovation. But absence of standards is no answer, either." She closed her remarks by calling for nuance in thinking through the roles of developers and users.
Counsels and warnings toward a more secure future.
Harknett cautioned against over-reliance on deterrence models derived from Cold War experience. He also demurred about innovation and regulation, arguing that the innovation system isn't so fragile that it can be broken by strict regulation.
He also pointed out that the priorities Hathaway recommended were all clean-up operations, and he advocated moderate regulation as a means to this end.
Security, Harknett suggested, lies in management of conflict, not in the absence of conflict, and he cautioned against conflating malicious cyber activity with fundamental attacks on a nation state's security.
Hathaway advised starting with "muscle memory," and in particular using, say, the post-Cuban-Missile-Crisis NCS (National Communications System) as a model for securing the electrical grid. For botnet cleanup, she thought the Y2K program offered a useful model: require telcos to alert the Government, one another, and their customers of new infestations, including early warning of incipient infections. This might require enabling legislation, but the Y2K precedent shows how such a system might work.
Finally, Hathaway argued, we need to get ahead of the IoT, and begin regulating IoT devices. Anyone developing code should be responsible for delivering sound code without vulnerabilities. "Patch Tuesday is a symptom of a major problem."
Lotrionte said there's concern we're not well-positioned for high conflict levels in cyberspace. We need to assure that military networks are operational when necessary. We also need to exercise: "Interoperation in crisis won't happen automatically." The ISPs don't know what they should do in the event of high-end conflict—the ISPs themselves say so. She urged that we make imaginative use of the laws we have now as we prepare for high-end conflict. Department of Defense support to civil authorities is a long-standing practice, and, while the Department of Homeland Security has an important role to play, we need to build relationships between the Department of Defense and the private sector.
Noting the reality of the longstanding and natural friction between government and industry interests and responsibilities, McKay pointed out that while the market can do, and does, a lot of things, there are some problems it's not intended to solve. It isn't really capable of addressing the red case, the case of high-end conflict, and that's not a market failure. It's simply something that lies outside the scope of what a market could handle.
It's also important to recognize that industry isn't monolithic. Companies operate with very different business models and different kinds of regulatory exposure. It's important, McKay thought, to recognize that industry has a degree of honesty about the common problems we face. Microsoft, for one, has started to disallow certain insecure development practices, and some of this kind of management can be automated.
McKay noted, in response to a question about the security of the financial system, that compliance diverts resources from security. "Thus harmonization of compliance regimes is extremely important." And Hathaway concurred with this point: disparate regulations will slow or choke off the global movement of funds. But she sees a big task of education ahead of us. "Everything we do has a digital component. Dealing with that, in terms of education, is a fifty-year project."