There's been considerable discussion since the Billington Cybersecurity Summit of the prospect of a "moonshot" for cybersecurity. The US Administration is expected to announce something along these lines over the next few weeks, and a fireside chat at the Summit gave two senior Federal officials an opportunity to discuss it. What are we to make of the very idea of a cyber moonshot?
There's long been a tendency in the United States to look to large engineering achievements as organizing myths of public action. Consider the transcontinental railroad of the later 19th Century, the Panama Canal of the early 20th, the Manhattan Project of the Second World War, and, of course, the moonshot itself, Project Apollo. All of these were large cooperative efforts devoted to achieving a single goal, and all were successful in a remarkably short period of time. They all had important secondary effects: the introduction of a widespread telecommunications network, methods of controlling yellow fever and malaria, nuclear power generation, and all of the widely used consumer products generally thought to have originated in NASA.
So these projects have tended to provide an organizing myth for public action. But consider another myth, Archilochus's passage on the hedgehog and the fox. "The fox knows many things," he wrote, "but the hedgehog knows one big thing."
Moonshots are problems for hedgehogs. They're complicated but well-structured, with dependencies that quickly become clear. And above all, they have a clearly defined end state they're designed to achieve: The golden spike is driven into the rails at Promontory Point. The SS Ancon passes through the Gatun Locks. Fat Man detonates at Trinity Site. Apollo 11 splashes down safely near the USS Hornet. If there's to be a cyber moonshot, it should be the case that cybersecurity is this kind of well-structured problem. And we should know, clearly and unambiguously, when we've solved it.
More later on the fox, but for now we'll consider the case for skepticism about what the hedgehog might handle.
John DeSimone (Vice President, Cyber Security and Special Missions, Raytheon) moderated the chat with the Department of Homeland Security's Jeanette Manfra (Assistant Secretary and Director of the National Protection and Programs Directorate) and Federal Chief Information Security Officer Grant Schneider. Both of them sensibly cautioned against pushing the moonshot metaphor too hard.
Manfra noted the consensus in Government that we seem to be treating symptoms rather than the underlying problems. "The 'moonshot' can be an inspiring call to action, but in some ways it's a limited metaphor. We're after several destinations, not just one." Fundamentally we want to rework the Internet for security, without destroying what made the Internet great. She reviewed some specific programs, and discussed how they come down to risk management. She would like to see a better understanding of incident response, and greater clarity about roles and responsibilities.
Schneider agreed that calling for a "moonshot" was a call to action, and not the announcement of a grand plan for a specific single outcome. And while "moonshot" may be a bit wayward as a metaphor, we've nonetheless had no shortage of "Sputnik moments" that ought to motivate us to work on improving our national cybersecurity game. "No one's in charge of the Internet," which is part of its beauty. The Internet's governance is inevitably collaborative. Everyone, therefore, has a role to play in cybersecurity. An open, interactive, and secure Internet require collaboration.
We need, Schneider argued, a far more sophisticated conversation than "Are we there yet?" It's a journey, and a cultural shift. Manfra agreed, saying that "the negative of calling it a moonshot is that we're trying to shift an entire ecosystem, not arrive at a single destination." We want, for example, a generation of children who understand what it means to be a responsible digital citizen. Schneider pointed to a positive sign in corporate culture: we've begun to see, he noted, non-security IT companies touting their security. He hoped to see a similar shift in consumer attitudes.
Manfra would also hope to see, ten years from now, some fundamental improvements in the way the Internet is engineered, so that "we're not still playing the current whack-a-mole." It would be better, for one thing, if we had a world in which you had to opt out of security.
Both agreed that this was an international challenge, and one that required sound international cooperation. Schneider pointed out that cybersecurity is an international problem, and in addressing it we need not only to engage allies, but to hold adversaries accountable.
So to call for a moonshot, in Schneider's and Manfra's view, is to call for action, and to call for a cultural shift. In this respect it's more like saying "Buckle up for safety" or "It's time for your flu shot" than it's like saying, "Before this decade is out, send a man to the moon and return him safely to earth." A decent working definition of "cybersecurity" might be "things people do to each other using computers." Considered as a problem, this is a foxy as they come. There's no end-state that's even easily described, let alone achieved. Cybersecurity is a problem for foxes, and from their comments, Manfra and Schneider both seem to understand this clearly, and so to place themselves among the foxes. When a call for a moonshot comes, understand that this will be more like the war on poverty, the war on drugs, or the war on cancer than it will be like the original moonshot. A great deal of attention, labor, and money will be devoted to solving or ameliorating a loosely connected family of problems. Foxes can be motivated by calls, and danger will energize them, but their solutions necessarily involve knowing many things. So too with cyber.