Towards a Realistic Cybersecurity Policy
Dr. Allan Friedman is a renowned cyber expert and the co-author with P.W. Singer of “Cybersecurity and Cyberwar: What Everyone Needs to Know” (Oxford University Press, 2014). A visiting scholar at the Cyber Security Policy Research Institute at George Washington University, Friedman has written on subjects ranging from telecommunications policy to electronic medical records to the recent NSA controversy. Allan Friedman was interviewed by S&BP Assistant Editor George Jagels.
S&BP: What are some of the pervasive trends in cybersecurity from today looking ahead five years?
Friedman: The future will be like the present, only more so. In the book we highlight a number of future challenges that will continue to introduce new risks—mobile computing, the increasing internationalization of the Internet, and the diffusion of networked objects in the “Internet of Things”—but many of the policy challenges will maintain their current form. This is not just a technical issue; it requires understanding human behavior, how organizations work, and perhaps most importantly, what the incentives are—the economics of information security. We’re never going to have a completely secure world. So the goal should not be an absolute security model. Rather, it’s a question of resilience.
Resilience is a vague term, but it essentially means this: How can you withstand an attack and still adapt, react, and rebuild? This is not just a technical matter. It’s also a question of organization, investment, and planning. There’s no specific way to do this. Different countries and organizations will decide what works best for them.
S&BP: What is new about cybercrime? How can it be prevented?
Friedman: First, it’s important to distinguish between existing crimes supported with information technology, and genuinely novel cybercrime. We’ve always been able to launder money; that’s not new, even if you’re using a computer. The interesting thing is how little a criminal can actually do. You can steal data, processing power, and credentials, and from that narrow set of issues, we have all the current risks.
How I like to approach it is look at what the actor wants to do, and then figure out how to raise the costs for the attacker and make it as cheap as possible for the defender to respond. The theft of Target credit cards was an inconvenience, but it did not threaten consumers’ long-term solvency. We’ve made it more difficult for criminals to extract value from stolen credit cards. As a result, these cards trade for very little on the open market.
We’ve made it more difficult for criminals to extract value from stolen credit cards. As a result, these cards trade for very little on the open market.
Another much-discussed cybercrime is the theft of company secrets, which has often been linked to other countries. With regard to this competitive data theft, the question we need to ask is: What is the actual incidence of harm? I’ve done some research related to this, and I don’t think we should treat data as an asset, but as a tool for growth. So how will an adversary who steals your information affect your growth? This will vary by sector, timeframe, and the expertise of the adversary.
S&BP: Is there any risk of cyber-insecurity stifling innovation?
Friedman: It is true that certain types of progress will be slowed, but some of these issues are cases where we should be asking questions before charging forward. For example, why does a pacemaker need to access a wide area wireless network? It is a slight convenience and a somewhat cheaper provision of healthcare, but what are the long-term risks in terms of security? The decision-maker who wants the cheaper, more convenient products may not be in a position to answer this question.
Another example is a power company that would save money by having a remotely accessible substation rather than sending a technician to the site. On the other hand, they’re taking a lot of risk if they’re not investing in security beforehand … [We need to look at] the externalities here. In some cases we’ll still charge full ahead.
S&BP: What are some meaningful metrics in cybersecurity?
Friedman: Because you’re dealing with an automated global system, many of the numbers are huge, and some are meaningless. A system could be attacked a million times a second, and once a day, someone really sophisticated may come after you. The rest of the time there might be a bunch of unpatched Windows 95 boxes spamming every IP address from zero to infinity. This is not a real threat.
The most important issue we can think about is our level of insecurity: How many unpatched machines are out there? How many smartphones are there without security patches? Among those vulnerabilities, what’s being attacked? The vulnerability databases are very large, but very few are attacked in a weaponized, systematic way; so you want to know that ratio. From a business perspective, you want to know how to prioritize your defenses. As policymakers, we want to know the tools and information we need to communicate to the decision makers.
In terms of statistics, everything stems from threat assessment and the target landscape. We hear that 110 million credit card numbers were stolen. It’s a big number and useful, but how many of those numbers have been cancelled? How much fraud has been linked to that incident? The important questions are to understand where the damage is happening, and what is the cost of mitigating these harms. In the example of the Target credit card breach, it’s ultimately a large distributed set of merchants who will have to absorb those costs when criminals attempt to use the stolen cards to extract value.
S&BP: What is the cyber threat landscape?
Friedman: In the book, we note that we haven’t been able to attribute a single power outage to cyber-terrorist activity. On the other hand, there are dozens of outages a week caused by squirrels. No one is proposing a war on furry-tailed rodents. So the notion of the cyber terrorist threat has been over inflated.
After 9/11, we saw our society as being open and vulnerable. So we tried to secure everything. That’s impossible, however, and it was the wrong approach. We wasted money and didn’t become much more secure.
Through DHS, the current approach has been to coordinate throughout critical infrastructure and focus on helping the owners and operators of these systems to empower themselves to identify vulnerabilities, then identify threats, and then put a plan in place for mitigation. The problem is that each of these companies have different internal system dynamics.There is no one-size-fits-all solution.
In February 2014, the National Institute of Standards and Technology released a Cybersecurity Framework built around the notions that each actor is different and that the government doesn’t want to be in the business of prescribing technical solutions. This voluntary approach was directed by the President in a 2013 executive order. The role of the government is to coordinate. It also performs a slightly supervisory role: helping people figure out what they need, watching how the market is responding, and seeing how regulatory agencies are working with their industry partners.
S&BP: What is your assessment of current cybersecurity legislation?
Friedman: The last large bill on cybersecurity was in 2002 and devoted to federal systems. Starting in 2009 and 2010, there were a number of attempts to give more direct regulatory authority to DHS, and to focus on information sharing. That last part was controversial because it involved handing information to the NSA—an idea that’s even less popular now.
The current bipartisan House bill gives statutory support to a role that’s already been adopted by DHS—to lead on cybersecurity coordination efforts both inside the government and between the government and private sector. In my opinion, it doesn’t give any more regulatory authority. The changes will be positive, but aren’t major other than giving Congressional approval, which is important, to ongoing programs. This is more about legitimizing an approach than changing policy. Yet any time Congress allocates more money to this issue is important.
S&BP: Do you think DHS needs more cybersecurity regulatory authority?
Friedman: One way of interpreting the voluntary framework in the executive order is that that it’s too early for the government to know what to do and prescribe protective measures through traditional regulation. Partly, it’s because this is an evolving space. In part, it’s to give the private sector a chance to self regulate and show that they don’t need additional incentives to understand their own security needs.
The voluntary model works best if market participants believe that a failure to act will have dire consequences. Trade associations and communities can talk to each other, get on board, and demonstrate progress, or else the government will come in with more burdensome regulation. The government wants the carrot of a voluntary model as well as the stick of potential regulation.
S&BP: How do you grade DHS on cyber issues? What can the U.S. learn from foreign governments?
Friedman: The DHS perspective of 2008-2009 focused on cybersecurity within an open market. It required public-private partnerships, incentive mechanisms, and an understanding of the relationship between the roles of government and the private sector. At that time, this was a rare notion. Yet I think it’s now conventional wisdom.
DHS has had to deal with the challenge of acquiring technical expertise and integrating it with policy expertise. This is a challenge for any organization dealing in cybersecurity: How to bring people up to speed with the problem.
The U.S. has been a leader in addressing these questions, although other nations are asking similar questions. We differ from our European colleagues who have more of a regulation-based focus. Culturally and politically, we are driven by liability. Europeans, on the other hand, rely more on a priori regulation. The U.K. has had success with informal leadership, however, and has brought together leaders from critical sectors to work on the issue. The challenge for the U.S. is that we’re much larger than the U.K. and there’s much more dynamic competition. It’s very hard to get competitors in the room together. Then there are anti-trust issues.
Our peers on the Pacific Rim have done a very good job working with thestandards community to identify areas where international standards can be helpful. One of the biggest dangers moving forward is that countries try to push for nation-specific cybersecurity regulations for products. This would make it very difficult to have a global marketplace for technology.
S&BP: For state actors, is there a significant difference between offensive and defensive capabilities?
Friedman: Many have argued that cyberspace will be offense dominant because it’s difficult to defend. In the book, we disagree for a couple of reasons. First, throughout history, we’ve often been wrong. Go back to World War I, when everyone assumed offense would dominate due to technology. Yet states spent most of the war discovering just how good defense could be.
Second, the very successful cyberattacks are very complicated. The one we know the most about is probably Stuxnet, the attack against Iranian uranium enrichment. This was not something that could have been conceived and executed by Red Bull-drinking teens in their parents’ basement. Stuxnet required mass amounts of expertise and, more importantly, intelligence. The attackers knew a great deal about the systems they were targeting, even building a physical mockup, according to one report. This is something only a state can do.
This was not something that could have been conceived and executed by Red Bull-drinking teens in their parents’ basement. Stuxnet required mass amounts of expertise and, more importantly, intelligence.
Finally, I worry about the implications of thinking about this as an offense-dominant space. A recent report said the U.S. is spending between 2.5 and four times the amount on researching offensive capacity as it is on defensive capacity. That’s scary, because in a world where we’re trying to protect our entire society, the focus should be on understanding defense.S&BP: What are cybersecurity ghettos and how are these problematic for more secure nations?
Friedman: As nations such as the U.S. adopt more secure postures, there’s a danger of creating a gap between richer countries and poorer countries. For developing countries, the focus is trying to get them aboard the IT revolution rather than securing what they have. Security is expensive, requires expertise, and is difficult to manage.
One can imagine a future where wealthier countries secure their own systems. Adversaries who are seeking to exploit unprotected systems will then concentrate on the poorer countries until most of the “bad” traffic comes from those countries. This would be incredibly deleterious for the poor countries since rich countries may try to block all traffic from these places.
We’ve seen a push for cyber global capacity building from South Korea. They realize that if they are attacked in the cyber domain by North Korea, it won’t be from computers in North Korea. It will be from computers around the world that have been exploited by North Korean operations and turned against the South.
This notion that we are all vulnerable to insecure systems and networks whether they are in our country or not is very important. It’s going to be one of the most challenging ideas to build policy around. The real fear is that ten years from now, the Global South will still be using Windows 95 machines plugged into giant pipes, meaning that they will have the network capacity of the 21st century but the computer security of the 1990s. This will leave them both vulnerable to attacks and to serving as platforms for attacks against the U.S.
Top photo caption: Groups such as Anonymous, the members of which are often seen wearing Guy Fawkes masks, have attacked computer networks and websites in both the private and public sectors. “In a world where we’re trying to protect our entire society,” Allan Friedman says, “the focus should be on understanding defense.” (Jeff Ling)
This article was originally published in the Spring 2014 issue of Security & Border Protection magazine.