By Diogo Monica and Nico Sell, Cybersecurity Agenda for the 45th President, CSIS Cyber Policy Task Force
First appeared in TechCrunch on January 5, 2017.
As the next US administration takes office, it is vital to modernize our approach to cyber security that is still largely based on an antiquated defense vs. offense framing of information security, rather than on the fact that the Web is a global resource that must be treated as such to sustain our economic growth and stability.
Today, the proliferating cyber security risks facing all state and non-state actors are global in nature and practically impossible to contain to a particular target. Yet, the policies most nations still rely on are based on the idea that states have control over their national cyber “territories” to the extent that they can credibly protect it or deter others from the attacks. While it is understandable that for many policy-makers it is a familiar modus operandi, it is rooted in outdated assumptions, which precludes us from effectively addressing the unfolding information security crisis.
2016, The Information Security Year
Information security has played a significant, if not decisive role, in changing the course of government and business in 2016. The largest data breach in history was reported and is now being investigated by the FBI; over hundred thousand infected internet-connected devices were used to bring down major global services. Clearly, this is merely the beginning – future attacks will not only have a grave economic impact worldwide, but may cause severe damage to our critical infrastructure and national security.
Yet the latest wave of national cyber-related proposals continues to call for weaker security: from the expansion of government access to information to indiscriminate data retention to mandate for removing encryption and a requirement for private companies to hack their products. All these ideas are designed to aid national law enforcement in investigating crime. However, if implemented en masse without a thoughtful public debate, these policies would jeopardize many other missions that law enforcement is dedicated to: protecting citizens and their property from cyber criminals, ensuring the security of critical infrastructure, and defending businesses from economic espionage.
No Such Thing as National Internet
When the majority of services, devices, and software are sold and used globally, the stakes for governments and law enforcement become much higher than simply solving a particular crime or prosecuting a criminal. Today, the same network routers and industrial control systems are operated across the world, running through the same fiber-optic cables and deploying the same network and encryption protocols. This offers a clear advantage in capabilities and reach to the intelligence services. However, as the world becomes increasingly interconnected, such control comes at a price – the very palpable risk that any state may bring upon its own citizens, economy, and national defense as it exploits global tech to penetrate a target nation or entity.
It is not uncommon to see the countries still attempting to segregate their Web “territory” from the rest of the world to deploy the attacks against foreign systems, while assuming that similar technology used domestically will somehow remain unaffected. The proponents of the state-centric approach to security policy continue to ignore one key change that occurred in recent years – the governments no longer retain a monopoly and control over cyber capabilities. Nor do they have much control over security of their own critical infrastructure, communications and financial networked systems.
The Rise of Private Actors
Almost 85% of the US critical infrastructure and key assets, including power plants, oil and gas production facilities, and water systems are owned by the private industry. Aside from a small set of regulations, government has very little influence over how companies secure their technology against cyber threats that may affect every citizen and hence national security. In fact, most of the critical facilities remain severely vulnerable, deploying legacy systems designed for pre-internet operations and thus lacking basic safeguards like encryption and authentication protocols. To require weaker security, for instance – encryption backdoor, is to willingly open up our own networks, including critical facilities, to attacks.
As the Web continues to grow, more private companies join the digital economy – building the IoT and medical devices, smart cars, and communications tools. With that, come more data – collected, shared and indefinitely stored, often without meaningful user control and public oversight. Although the adoption of encryption within the tech industry has grown significantly, we collectively continue to under-appreciate the risks inherent in keeping sensitive and personal information forever at the same time as many new products still lack basic application security and privacy safeguards.
Having accumulated such a significant power over global data streams, businesses have now become a high-risk target for criminals and foreign intelligence, opening up individuals and governments to the unauthorized collection and use of sensitive data. The underestimation of cyber threats will only continue driving up the business and reputational costs of data breaches while exposing the troves of enterprise secrets and government data. It also creates a breeding ground for national security risks waiting to disrupt the global economy and critical infrastructure.
Stronger Security Requires Real Incentives & Collaboration
It is time to realize that it is equally as important for government decision-makers to rethink how to protect the nation against foreign adversaries as it is to incentivize stronger security practices within private companies and among the public.
As part of a bipartisan group of the nation’s leading cybersecurity experts, we just released recommendations for the next administration on improving the nation’s policy on security vulnerabilities. We strongly believe that it is critical for our country’s economic growth and national security that the incoming President remains committed to raising the bar for information security across the government and corporate sector.
Understanding that no security is 100% guaranteed, we must ensure that exploiting vulnerabilities in our technology and policies is never easy or cheap. To make any adversarial efforts more difficult and expensive means understanding that we now live in an increasingly decentralized and connected world in which the scale of decision-making is changing, rendering any domestic security policy or corporate decision global.
The non-state actors – individuals and private companies – grow as powerful as only the states used to be. They can help to protect the Web or wreak havoc on a massive scale. The two conflicting forces – the increasing autonomy and technical capability of individuals and companies and the decreasing control by central authority – are now re-defining the security landscape and the power balance on a global level.
Harnessing the potential of private actors to help protect us all will require addressing two systemic problems: first, companies are not incentivized to build security in their products; and, second, the business and policy ecosystems are far from favorable to the vulnerability research – both legally and economically. All this creates an unsustainable and frankly dangerous situation in which it is cheaper for companies to deal with the consequences of a data breach and more lucrative for researchers to sell zero days on the black market.
If we are serious about building a long-term vision for cyber security, the defense vs. offense mindset dominating most policy conversations must be left behind. In such a complex environment where state and non-state actors deploy largely the same tools and methods to protect or attack the systems, developing an effective cyber policy requires understanding that the Web is a critical global space that is impossible to segregate to damage only criminals or foreign adversaries. From now on, rather than relying on an antiquated framing of cyber security, the focus should instead be on immunizing the Web by improving network reliability, quality of products, capabilities, and trust to ensure the long-term resilience of our economy and all internet-powered systems.
