Cyberspace Isn't Borderless. Rather, Everyone's on the Border.
Cyberspace is commonly referred to as "borderless." But Department of Homeland Security Assistant Secretary Andy Ozment thinks that's misleading. He told the symposiasts at the Billington CyberSecurity Summit that this isn't so. "It's more accurate to say that everyone is on the border." And this concern for basic digital hygiene and design for security was echoed by many participants. White House "cyber czar" Michael Daniel said he's seen this issue go from a niche concern to one of general importance, and to one that touches everyone. Not only has the online user base grown explosively, but so too have the technologies they use, and this has driven an increasing heterogeneity in approaches to defense.
We heard repeatedly, especially but by no means exclusively from NSA and GCHQ, that the direction of technological advance would necessarily be toward greater automation and more powerful processing of massive data sets. That direction is set not only by the speed with which the adversary can bring about effects, but also by the global shortage of human operators.
The coming threat that most disturbed participants is clearly the threat to data integrity. Data manipulation by hostile actors is worrisome, and there's a consensus that it's coming. As some put it, a data breach might be embarrassing, but data manipulation might well kill you.
US military cyber operators spoke in optimistic although guarded terms of cyber operations against ISIS. They also spoke of the challenges connectivity poses to the security of friendly forces. As Major General Loretta Reynolds, Commander, US Marine Corps Forces Cyberspace Command observed during the Service Commanders' Panel, it's tough to make sure that young Marines don't charge their Samsung phones by plugging them into SIPRNET. (This suggests General Reynolds has encountered Terminal Lance a time or two.)
Speakers also offered advice to the next US President:
- Tell the Cabinet this is important.
- Measure the right things.
- Work out accountability mechanisms.
- Don't let cyber security be seen as something that competes with agencies' core missions.
- Establish clear lines of authority, responsibility, and capability.
So, to all users, follow best practices, and be prepared for incidents. If you haven't done this, you can't be helped much by anyone. And you'll find that you'll have protected yourself from most of the threats out there: when the barrier of entry is as low as it's become for cyber criminals, a lot of the bad actors will live down to that barrier.