Cyber vandals and warriors seem to be emerging from the shadows in recent years. Current examples include the China-versus-Google incident (Operation Aurora), the appearance of the Stuxnet malicious software, and most recently the reprisal attacks launched after several organizations suspended services previously provided to WikiLeaks.
Cyberspace has become a battle space analogous to the traditional ground, sea, air, and space domains. This development is not surprising given the realization that cyberspace spans the traditional domains and increasingly is a significant, and even disproportionate, enabler of industrial and military power in the 21st century. Simply put, the enabling capabilities of cyberspace are precisely what make it such an attractive target.
Because the cyber domain is a contested battle space and an attractive target, cyber incidents are here to stay and will become even more common in the future. There is no durable ‘cure’, just as there has been no way to eradicate ground, sea, air, and space threats. Rather, access to traditionally contested domains has been appropriately assured through long-term risk management and a strategic, programmatic approach to fielding the necessary operational capabilities. The resulting endless cycle of threat emergence, countermeasure implementation, and counter-countermeasure development, therefore, will characterize cyberspace operations regardless of hopes and aspirations to the contrary.
Viewing the cyber domain as an endlessly contested battle space raises several complex issues. First, individuals and businesses (unlike government and military cyber defenders) typically do not have a soldier’s mindset and tend to be surprised by (and unprepared for) the strategies, tactics, and persistence of their potential cyber adversaries. Second, the concept of a long-term, programmatic approach to cyber defense clashes with the quarterly and annual focus of typical businesses.
In addition, the distributed nature of the cyber domain, with some infrastructure government-protected, but much of it monitored and defended by industry, hinders consistent definition, coordination, and execution of roles and responsibilities for cyber defenders. In aggregate, the durability and complexity of these issues are precisely why a long-term perspective is essential to establishing and sustaining a viable cyber defense posture.
Traditional national security approaches provide a basic framework for addressing security issues in the cyber domain. In the traditional domains, national security policy drives strategy that, in turn, informs roles and responsibilities as well as specific research, development, and procurement programs. The government has made strides toward establishing a cyber security policy framework through the Cyberspace Policy Review released in May 2009.
Translating the policy framework into clear roles and responsibilities – and consistent strategies and initiatives that actually guide programmatic execution by government organizations and industry – is a necessary next step. Put another way, the current state of cyberspace policy does not provide a directly actionable basis for defining specific cybersecurity programs.
A traditional example illustrates this difference. A central tenet of US military doctrine, shared by many other countries, is that information superiority, and even dominance, is a necessary enabler of military power.
From this high-level principle, specific objectives and strategies emerge. One is shortening the sensor-to-shooter data and information delivery cycle (applicable to multiple domains). This policy-driven objective leads, ultimately, to specific programs for researching, developing, and procuring systems (and defining the enabling processes and standards) that, for example, deliver national and tactical sensor data directly to frontline, tactically deployed forces.
Contrast this example with the typical situation in cyberspace where individual companies and government organizations deliver innovations that provide a prospective set of capabilities that feed, mostly in an ad hoc manner, into cyber defenses. This mostly technology-driven establishment of capabilities requires a fair amount of ‘analysis churn’ and vetting to identify innovations most applicable to the current and projected cyber battle space. Working from a consistent policy and strategy framework, and considering the process and technology aspects of cyber security in parallel, would be much more productive over the long term.
A common counterpoint to this long-term perspective is the realization that developments in the cyber domain must take place much more rapidly than is possible in traditional procurement programs – programs that can take years to deliver results and sometimes overrun budget projections by a substantial margin. Fortunately, properly formed policy and strategy typically evolve relatively slowly, even if the enabling systems and processes may turn over much more rapidly. The durability of sound policy and strategy suggests that a more programmatic approach to cyber defense, even within industry, is not only feasible but also preferable over the long term.
The policy and programmatic aspects of cyber defense receive far less press than the technology developments and reporting of cyber incidents. However, industry ultimately should view cyber defense opportunities and developments through the lens of a coherent policy and strategy framework.
Regardless of which perspective cybersecurity experts take on this issue, there should be no debate that cyber threats will continue to increase in capability and that cyber incidents will become even more common over time. It is an enormous mistake to view cybersecurity as an academic exercise or technology ‘arms race’.
Cyber threats are capable of persistent probing and transitioning quickly to battle – and the initiative, by definition, rests with the offense. This basic realization should not dishearten cybersecurity policy makers and practitioners. Rather, understanding the nature of the cyber battle space should inspire cyber defenders to mobilize for long-term engagement.
Craig Robinson has more than 20 years of experience in operations, IT, information assurance and R&D. His executive experience ranges from start-ups to multi-billion dollar corporations, in both the commercial and government sectors. Craig served in several leadership roles at Symantec and successfully led the company’s entry into the incident management software market and leadership quadrant of the managed security services market. In 2008, Craig joined GlobalSCAPE as COO, where he is currently responsible for integrating and enhancing business and technical operations across all functions and markets. He also serves on the board of directors of CoreTrace, a leading provider of application whitelisting solutions.