When you talk about the actors who threaten our cyber infrastructure, we know they are also a diverse bunch—motivated by any combination of political, economic, security, and criminal gain. So the challenge becomes even more complex. It means that numerous players—human and system, adversary and ally, and natural adversity—are continually and dynamically playing this game in unpredictable ways.
Here is our challenge. Despite the diversity of players, and the different ways they play the game, we sometimes act as if those players are centrally controlled and commanded and are playing the same game by the same rules. In addition, we often assume that one player can easily be protected independently of the others.
What do I mean? Much of our nation’s first efforts at cyber strategy were grounded in a government-centric, traditional national-security view. For example, the first Comprehensive National Cybersecurity Initiative (CNCI) attempted to redefine how the United States thought about cyber-security by focusing primarily on government systems, and deploying systems from the national security, .mil environment into the .gov environments. In some cases these assumptions were accurate, but in others they were not appropriate to meet civilian security needs.
The national security environment has evolved over the years but is often grounded in assumptions, such as centralized command and control, government to government interaction, and information classification requirements, which are not always effective in the decentralized environment that owns, operates and uses our nation’s communications and information environment.
Additionally, this construct doesn’t consider the interdependence between government and non-government organizations. Let’s consider, for example, the Internal Revenue Service (IRS). Even if we completely secure IRS systems so that they are 100% impenetrable to attack, revenue that the IRS collects can still be placed at risk by attacking the systems of large private sector tax preparers.
Finally, this construct can assume that security challenges are primarily addressed by the government acting alone. During the Cold War, when many elements of our modern national security infrastructure were developed, the job of protecting our nation was assumed to be primarily the province of military and intelligence agencies.
Given the decentralized environment surrounding communications and information infrastructure, there are many players in this game who are not part of the traditional national security environment, and whose engagement and expertise must be brought to bear. Thus, it is essential to acknowledge the diversity of the players and to shift from a perspective that is primarily focused on government action, which is historically rooted in a command and control model, to one that is more focused on tailored engagement and collaboration across a broader set of public and private organizations and citizens.
- How do you expect cyber threats to evolve in the next decade? What kind of impact will that bring?
I expect they will increase both in terms of frequency and of sophistication. I see the interconnectedness of IT as the number one challenge individuals, companies, and governments will face in the next decade. I predict the threats will drive completely new business models. I liken the evolution of cyberspace in the next ten years to the ways the interstate systems completely changed the way countries do business; it will bring opportunities and changes to the way we live, work, and play. The threats that will result from the expansion of IT in our lives will also change. Much like security, safety, governance and business opportunities that had to change along with the exponential growth of our infrastructure, threats and will opportunities evolve with the expansion of our cyber ecosystem.