Building a Defensible Cyberspace
by Merit Janow, Greg Rattray & Phil Venables (Council on Foreign Relations)
It is commonly understood that cyberspace favors attackers over the defenders. A new report argues that flipping the offense-defense balance is possible.
Attackers in cyberspace have for decades held fundamental advantages, due to factors such as an internet that was never designed for security. As a result, cybersecurity practitioners and policymakers often look at their field with a sense of dramatic fatalism: they look for architectural overhauls to change the landscape, or wait on a deus ex machina technology to rewrite the rules of the game. Worse, some fall into the trap that the best defense is a good offense.
Yet a more defensible cyberspace is possible, if defenders pursue the right kinds of innovations.
This should not require a "cyber moonshot" and certainly not a government-directed "cyber Manhattan Project." Rather it requires a strategy built around leverage. Governments, companies, and other defenders can build a defensible cyberspace with the technology, operational and policy innovations that give the defenders the most defense advantage at the least cost and the widest scale.
It sounds obvious, doesn't it? Of course, defenders should do those things that give the most benefit. But it is shocking how often this is ignored. "Check-the-box" compliance imposes high costs on defenders yet places only minor obstacles in the way of attackers. It is the opposite of leverage, or rather it is leveraged but just to the advantage of the attackers.
A defensible cyberspace through leverage is the subject of a new report from a New York Cyber Task Force we co-chaired, comprised of roughly thirty cybersecurity experts, including senior executives in finance, telecommunications, cybersecurity and other companies, along with senior researchers and academics.
To achieve leverage there are deep lessons to be learned by analyzing the most defense-advantage innovations of the past fifty years.
First, game-changing innovations share one critical feature: scale massively aids the defense, such as taking the user out of the solution, taking away entire classes of attacks, or having a vendor or provider makes a change that benefits all their customers. All too often, defenders lament how attackers use the massive scale of the internet to their own advantage, then push technology solutions that must be correctly implemented at thousands or even millions of separate end points.
The best cybersecurity solutions -- such as automated software updates and end-to-end encryption -- work at scale across all of cyberspace. Cloud-based technologies still have more to offer here, the chance to build more secure architectures without pouring investment into an increasingly indefensible perimeter. The U.S. government's efforts to push shared services for the federal enterprise are a step in this direction.
Second, the best innovations use the minimum necessary intervention. For example, increased transparency can be a low-cost way to align market incentives. Think of the leverage now that Consumer Reports will be including ratings for the cybersecurity for devices like baby monitors, alongside quality and ease of use. Governments should understand that in the cases where regulation is necessary, it should regulate first for transparency to align market forces with the fewest unintended consequences, rather than for security.
Third, operational and policy innovations are powerful but overlooked and misunderstood. Some of the best security improvements of the last thirty years have emerged from process or organizational innovations rather than new technological devices.
In the 1980s, defenders had to invent computer emergency response teams. In the 1990s, it was an innovation to have a chief information security officer to centralize authority or build an information sharing and analysis center to share and collaborate with peers. In the 2010s, the idea of a cyber kill chain changed how defenders conceptualize their job. Further improving operational coordination―through response playbooks, frequent exercises, and groups like information sharing and analysis organizations―can be an inexpensive way to build significant capability. Such revolutionary innovations have a very modest cost yet are often overlooked in favor of the newest technological gadgets.
Leverage is possible not by implementing new innovations but reducing existing headwinds. Harmonization of cybersecurity regulations could reduce costs and simplify defenses. We support the U.S. administration's recent efforts to standardize on the NIST cybersecurity framework.
Other ideas to gain leverage, however, create both winners and losers. Innovations such as liability for software makers, imposing security regulations on network service providers, or creating a new, more secure internet are all ideas worth considering. But they all have significant downsides on innovation, privacy, or costs.
The findings of the New York Cyber Task Force argue for a new approach to cyber defense, one that can break the stalemate of the past five decades, so that defenders finally have the high ground, to fight with the advantage. This requires patience, effort, and carefully learning lessons from past successful (and unsuccessful) innovations.
Defense is possible, but only through leverage, and the sooner the better.
Merit Janow is dean and professor of practice at Columbia University’s School of International and Public Affairs (SIPA). Greg Rattray is director of global cyber partnerships and government strategy for JPMorgan Chase. Phil Venables is chief operational risk officer at Goldman Sachs.
Article: Courtesy Council on Foreign Relations.
CFR's Blogs represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.
Photo: A security message on a Whatsapp screen. Thomas White/Reuters