Cyber Security Politics: Imperial Nudity (part II)

(part I is here) Legacy futures distract us from thinking clearly about the reality of cyberspace, and hobble efforts to advance original thinking that could actually lead to superior outcomes. Not all old-think is irrelevant to the problems we currently face, but these are academic discussions until cyberspace takes the form and follows the function that would allow them to become practical. We have serious problems now with the cyberspace we have; devising strategies for a notional cyberspace isn’t helpful.

One could argue that Cold War stratagems are good ones because they worked, but you’re working off of an awfully small data set and overlaying those constructs onto an entirely different world than the one that existed 50 years ago. For all the time and energy expended trying to counter the proliferation of nuclear weapons, the number of nuclear powers in the world has only gone up. Somehow though, the same approaches are supposed to work when the players and problems are far more numerous and vastly more complicated?

Cyberspace is a construct with physical underpinnings. As long as those underpinnings are resilient enough to withstand or recover from attacks in a timely fashion, an adversary can attack all day, every day, to little or no avail. Someone once said the “war on terror” should continue until terrorism was a nuisance, and so should it be for cyberspace as well. A safer cyberspace is less about security than it is about resilience. “Security” is a multi-billion-dollar market; resilience is…see that COOP binder collecting dust on the shelf? Yeah… It’s a shame because of the two communities – security and resilience – the latter is achievable. Backups and redundancy in connectivity, in storage, etc., do more to neutralize cyber-threats than firewalls, intrusion detection systems, or anti-virus software.

A safer cyberspace also depends on addressing behavioral factors that enable threats. When BBS sysops ruled the roost, you complied with the rules or you were off-line. In our rush to watch dancing hamsters, participate in the worldwide garage sale, and speed access to nudity, being a good netizen didn’t just take a back seat, it was left in the garage. We lose billions in R&D and trade secrets that support national security, yet we still don't punish people for their digital sins the same way we would if they had committed a similar violation in meat-space. The adversary’s job is so much easier with a lackadaisical target set.

We should wholeheartedly support practical efforts to make cyberspace a better place for everyone around the world, but where are those practical efforts? I see thrust but no vector; movement but not necessarily forward motion. The lessons have been learned and the recommendations are clear; what stops us from acting in any meaningful way is the pain associated with the cure, which for now is worse than the disease. Until national leadership starts acting like they care as much about the ability of an adversary to run arbitrary code on a national security computer as they did about nuclear fission occurring over CONUS, there will be no progress.