Centralized Decision-making Is Essential to Cybersecurity

Written by

American politicians love to bash the Europeans. A common refrain during many campaigns here in the states is ‘my opponent’s policies will make us more like Europe’, as if the entire continent was a monolithic monster spewing forth a subversive socialist agenda. I would like to think that the more balanced among us view this repeatedly employed slight as nothing more than pandering to a least common denominator.

When it comes to a unified strategy to address cybersecurity, it appears that Europe is moving forward with a more concerted effort to address the issue. This fact was touched upon by ISF CEO Michael de Crespigny in our most recent print edition, when he reviewed the European Union’s plans to establish a common cybersecurity center designed to share vulnerability information among member states and stakeholders. Maybe ‘making us more like Europe’ isn’t such a bad idea after all.

It also seems the American pubic is on board with our European counterparts. Cybersecurity was cited as the US public’s primary security concern according to recent polling by Unysis. Among the findings associated with the research, three-quarters of respondents expressed the most concern over cybersecurity, whereas 68% believed terrorism to be the most pressing security problem. It’s no coincidence that both issues are quickly becoming intertwined, and policies to address both will need to move in lockstep in the future.

Cybersecurity has received increased attention from recent presidential administrations. While the handful of cybersecurity bills currently being considered by the US Congress have largely avoided the partisan rancor of more mainstream legislative initiatives, progress continues at a glacial pace while would-be cybercriminals and terrorists hone their skills.

The concept of cyber-terrorism is very real, hard to define, and even more of a challenge to combat. After all, what exactly does the word ‘cyber-terrorism’ mean? Does it include internal actors such as domestic saboteurs? Does it include only independent groups – sometimes with state-sponsored affiliations? Is it when a country like China steals IP from enterprises, or allegedly places malware on SCADA systems connected to the power grid?

What constitutes ‘terrorism’ is often a matter of perspective. When someone planted the Stuxnet malware at an Iranian nuclear facility – setting the country’s nuclear program back years – I’m certain it was met with consternation in some darker corners. To play Devil’s Advocate for a moment, what if the Iranian nuclear program really was intended to provide sustainable energy for the country? If so, then Stuxnet could be viewed as a terrorist attack meant to weaken the nation’s critical infrastructure.

Let’s get back to my original point: the US falling behind on cybersecurity because of partisan wrangling over reforms. I would like to take a page out of recent history and recall how Western countries have dealt with the prospect of physical terrorism. Quite simply, it has been confronted by the military and intelligence services, under the direction of the chief executive.

If cyber-terror is a battle, then it makes perfect sense to extend the military apparatus to address the problem. After all, decisions in the military can be swift, and have at their core a central responsible authority – not 535 bickering members of Congress who are often more worried about their re-election prospects than protecting the public good. The great thing about a president – at least here in the US – is that they can only seek re-election once.

It may sound draconian to ask that this power be vested in one person or branch of government, but sadly it appears this is the only way we will ever see movement on addressing the big tent that is ‘cybersecurity’. Organizations typically put the responsibility of security into the hands of one or a very few capable people – I believe we can learn much from this model. The challenges of information and network security are so vital that they are exactly the type of issues that require centralized, decisive action when viewed on a national scale.

The objectives of any security program are to protect, prevent, or limit the damage to a particular asset. The role of government with respect to terrorism, in my view, appears to be the same. If we can put our trust in a prime minister or president to execute our military and police functions, then there should be no reason why this can’t be extended to defense in the digital world, provided there is a system of checks and balances inherent in most representative governments. For me, it’s a complex problem with a simple solution. Now that’s something we Americans can get behind.

What’s hot on Infosecurity Magazine?