Why is Cybersecurity so difficult?
Despite nearly 20 years of effort and billions of dollars invested, why is cybersecurity still a problem for organizations? The problem seems to be getting worse, not better. This question cannot be answered by a technical examination of cybersecurity.
The technical challenges are real. We don’t know how code can be written without bugs. If you look at cybersecurity from a wider perspective, even if technical issues were resolved, cybersecurity would still be a difficult problem for three reasons.
First, it’s more than a technical problem. Second, cyberspace rules are different from the real world. Third, cybersecurity law, policy and practice are still in development. The first reason, that cybersecurity is more complex than a technical issue, has been discussed in other articles in this cybersecurity series. The other two factors are equally important in cybersecurity and must be considered when developing our strategies.
Different rules in Cyberspace
Cyberspace operates under different rules than the real world. I’m not referring to the social “rules”, but the physics and mathematics of cyberspace. Security is complicated by the fact that nodes in a light-speed network are not connected. This means concepts like distance, borders, or proximity can all be used differently. First, threats can come from anywhere and any actor, as distances are greatly reduced. Second, cyberspace borders don’t follow the same lines as the physical world. Instead, they are marked by routers and firewalls, as well as other gateways. It is not about their physical location but who is connected along which paths.
Our mental models from the physical world won’t work in cyberspace. In the physical world, for example, the federal government is responsible for border security. Because of the physical nature of cyberspace, everyone’s network is located at the border. How can we limit border security to the federal government if everyone lives and works at the border? Physical crime is local. You must be present at the location to steal an object. Police have jurisdictions that are based on physical boundaries. Cyberspace is different. You can go anywhere and execute the crime, so local police jurisdictions don’t work well.
Cyberspace allows businesses to reach customers directly, and bad guys can also reach businesses directly using the same principles. But governments can’t get in the way or hinder the progress of the latter. While sharing information at human speed can work in many physical contexts, it is not as effective in cyberspace. As long as we try to map physical-world models onto cyberspace, those models will continue to fall short.
Legal and Policy Frameworks
Cyberspace is still relatively new in terms of policy and legal aspects. The internet and cyberspace in their current form have been around for about 25 years. They have also changed over that time. We have not yet developed the comprehensive frameworks that we need. We don’t have the answers to the key questions.
There are some answers. We shouldn’t expect the federal government, for example, to protect all businesses from all online threats. It’s not feasible and it wouldn’t be practical. It would also significantly impact our ability to do business. However, it is impossible to expect all organizations to stop the activities of sophisticated nation state actors.
How can we solve this dilemma? Perhaps we should take some lessons from disaster response and split responsibility in a way that is flexible and adaptable to changing circumstances. Preparedness and initial response are at the local level in disaster response. If an incident threatens to overwhelm local response teams, then steadily higher levels can step in. These principles could be applied to the allocation of responsibility in cyberspace. Businesses and organizations are responsible for protecting their networks up to a certain point. If a nation state is implicated, or even if the federal government suspects it, then the federal government will bring its capabilities to bear. These are the critical cybersecurity policy tasks for the next five to ten years. We will make progress if we develop cybersecurity training that simplifies cybersecurity.
Two years ago, a group made up of cybersecurity professionals from various organizations decided that the industry’s current operational model was not producing the desired results. They decided to create a new one. The goal was to work together in good will to share threat information in an automated manner. Everyone involved in the system will be given more weight and the context of threats will be given a lot of weight. CTA’s structure was created to address the known flaws of existing information sharing efforts. This innovation will allow us to finally make progress on this seemingly impossible problem.