The Center for Strategic and International Studies (CSIS) produced a cybersecurity report in December 2008 for the 44th Presidency (CSIS-44) and built on that to produce a report in January of 2017 for the 45th Presidency (CSIS-45). What follows is a limited comparison between the two reports.
Some of the notable differences between CSIS-44 and CSIS-45 include:
Policy: CSIS-44 touted increase use of private-public partnership and the various benefits that could be derived therefrom. CSIS-45 recognizes the cold hard reality that those partnerships simply failed to materialize and that delivered very little (if any) value to our cybersecurity posture. CSIS-45 goes so far as to say that this type of approach that “encourages” cooperation is doomed to fail since it neither mirrors market realities nor is there any stick (ergo the private sector will only act if market forces dictate action or if action is mandated via regulations, etc.).
Another lesson learned from CSIS-44 was the attempt to focus on authentication and digital identities. CSIS-45 acknowledges that programs such as the National Strategy for Trusted Identities in Cyberspace (NSTIC) were grandiose in vision and lackluster in practice.
One other area covered here is the need for a national data breach policy. CSIS-45 postulates that a federal data breach policy will enhance security since entities will understand their requirements and the policies and procedures they must implement.
Take-away: that ideas and vision are wonderful however if there is no mechanism for regulation or enforcement they are unlikely to come to fruition. Thus, the current Administration needs to recognize the bounds and limits of its influence and work with (rather than against) the legislative branch to effect the best possible outcomes.[1] With respect to the national data breach legislation – I agree that is important, however, I don’t think it is as significant a cybersecurity issue as CSIS-45 postulates. Not everything that moves from the state level to the federal is wiser or more efficient. In some respects, states and localities may have more flexible and tailored data breach notification rules than trying to create a one-size-fits-all. A single standard would certainly be easier but it is not clear how data breach notification rules applied federally will in and of itself create a higher level of cybersecurity. For instance, what if a locale currently has a very strident data breach policy and the federal policy is less stringent. In such a case, wouldn’t the result be decreased cybersecurity?
Encryption: CSIS-45 includes several paragraphs on encryption and discusses the need to balance the national security implications of privacy, security, and innovation. One would have thought that the various issues surrounding the infamous clipper chip coupled with the latest FBI/iPhone “all-writs-act” court case would have made encryption a more prominent topic not only in CSIS-45 but so too would have warranted at least a mention in CSIS-44. With respect to breaches and exfiltration of PII, one could argue that encryption is at the very heart of any discussion; however interestingly enough while some specific vulnerabilities are raised, scant attention is paid to this.
What CSIS-45 does say is that private-sector encryption should be encouraged but should also include private-sector cooperation to ensure that lawful access to encrypted data can be achieved. Hopefully, efforts in this area will also include an independent party that is able to make a neutral and detached decision regarding whether or not data can be unencrypted in a lawful manner. Furthermore, it will be essential to ensure that the tools to effect this do not use the proverbial back-door approach since the government does not seem to be particularly adept at preventing the exfiltration of tools and software that it utilizes (i.e. consider recent tools that made their way into the public market, as well as the Snowden revelations).
Take-away: merely saying that you need to balance privacy, liberty, and security does nothing to ease the misgivings of privacy crusaders, tech companies, and 1st amendment supporters. Stating that encryption should include a mechanism by which a lawful process can decrypt data strikes fear in the hearts of many. For one, there has been no proposal as to the “who” that can make such a determination, would it be the judiciary? Additionally, who would retain the technological capability of decryption? If the private companies or the industry has this – who will safeguard it? How will the use of decryption be monitored, logged, and accounted for? What happens when a new authoritarian figure takes office with the support of a willing and able legislature and is able to define “what” they can access and decrypt? How much liberty and privacy should we sacrifice for our security?
Cloud and IoT: while CSIS-45 specifically discusses both increased use of cloud devices as well as the proliferation of IoT devices and then goes on to say that any strategy must be fluid in order to accommodate the rapid pace of technological change, this approach seems rather narrowly focused. While it is easy to view the movement to the cloud and the advent of IoT as disruptive technologies that require a revised strategy that isn’t the case. Networked storage is not a new phenomenon nor is software-as-a-service (SAAS), taken together and coupled with centralized provider services this is more evolutionary than revolutionary. The underlying strategy if purpose-built to discuss data and PII should be largely unchanged irrespective of the underlying technology or architecture. Similarly, with respect to IoT this is more so an issue of scale versus some revolutionary new technology. Neither the intended uses nor the ubiquity of IoT devices should impact a comprehensive cybersecurity strategy.
Take-away: CSIS-45, on the one hand states that the growing number of IoT devices will result in an immense number of connected devices and then proposes implementing a rating system similar to the NHTSA crash test system. With the exponential growth in IoT devices, how would such a system be managed? The overhead and administrative burden of operating a program to rate IoT devices would be mind boggling. Further, with the rate of technological change and both software and hardware updates, this system would be impossible at the very least and unwieldy and unworkable at the very best. Once again, the problem is one of focus — looking at the device and the perimeter vs. what really matters — PII.
Offensive Cyber Operations: CSIS-44 devotes a fairly large section to a discussion of the use of military and developing appropriate response thresholds. Whereas, CSIS-45 merely talks about identifying the split of responsibility along the military and civilian spectrum to ensure that no issues arise with respect to use of forces barred from domestic response during a cyber event. CSIS-45 thus recommends strengthening DHS and simultaneously building capabilities within the National Guard and Reserves, either of which could be rapidly deployed to the states until Title 32 or Title 10/50 (this would have the added benefit of creating citizen-soldiers with expertise in cyber operations).
Take-away: CSIS-45 should likely be viewed in the context of CSIS-44 which provides a wealth of additional background and delves deeper into the concepts of necessity and proportionality (without ever spelling them out). Ultimately, however, the issue will continue to arise where one force is deployed and tasked with monitoring and defensive operations and a separate force conducts offensive cyber or kinetic operations (especially in the case of cyber events initiated by Nation-states). What this really comes down to, what really needs to be extrapolated is the attribution element. The ability to confuse, inveigle, and obfuscate renders the question of cyber or kinetic offensive operations somewhat moot. This also raises the issue of asymmetry which is probably a topic best left for a separate post.
Organization: CSIS-44 and CSIS-45 both allude to the fact that an effective cybersecurity strategy is going to require clear leadership with well-defined authority – preferably flowing directly from POTUS to a highly-placed official with operational control over the moving pieces. Here, CSIS-45 builds on CSIS-44 and states that DHS could continue to be the lead on this if the (1) the DHS Cyber Mission is fully defined; (2) Cybersecurity is put into an independent operational component of DHS; and (3) supporting agencies are strengthened and given key roles (e.g. State, FBI, Commerce, National Intelligence Agencies).
Take-away: the recommendations from CSIS-44 were never followed so we do not have a single lead-agency with the requisite power to manage cyber operations across the landscape. The report doesn’t specifically call this out, but the OPM data breach, the Sony hack, the IRS hacks, all point to a rather poor cybersecurity posture using the weak-DHS model. In CSIS-45 it almost seems as though the authors have accepted the way things are and are pushing for modest, incremental change. However, if creating a standalone cybersecurity model (such as other nations are doing) is the best, most efficient approach shouldn’t’ CSIS-45 continue to advocate for that? Kind of a shoot for the stars and reach the moon approach vs. CSIS-45’s Eeyore, whoa is me approach.
Resources: in this area CSIS-44 and CSIS-45 both advocate for training and education to develop a cybersecurity workforce. CSIS-44 may not have been dire enough in its prediction of the number of skilled cybersecurity professionals that were going to be needed. CSIS-45 pays a little more heed to this but still discusses at a very high level. With all of the rhetoric over the past several months about college tuition and the need for a skilled workforce and the need to build/re-build private/public partnership, this seems like a key opportunity that was missed by CSIS-45. The obvious truth is that the supply of cybersecurity professionals has been outstripped by the demand by a very large factor. Thus, this problem impacts the private and public sector alike.[2]
Take-away: might be best to use this workforce shortage to create a long-term supply reaching all the way down to the elementary level, targeting persons whose inherent skills and aptitude make them ideal candidates for such a career path. Private industry could help defray the costs of training and education, with the benefit of a skilled worker at a reduced rate of pay for a specified duration. Credits could also be given for the training expense incurred by persons that enter the public vs. the private sector. Thereby strengthening the public/private relationship and creating a long-term solution to a specific need. This would also create the infrastructure needed to develop similar pipelines for other skills, thus allowing some level of career pre-determination (several eerie science fiction movies have been based on similar premises).
Conclusion: in many respects, CSIS-45 builds upon what was crafted and delivered in CSIS-44. Little of this is revolutionary and is largely just an extension of the CSIS-44 principles. However, taken together these recommendations could serve to bolster US cybersecurity. The key will be to get the White House and Congress to acknowledge the scope of these issues and to devote the necessary time and resources to both short and long-term solutions. The development of a workforce that targets elementary age children puts the horizon out several presidential terms which dictates that action be taken in conjunction with congress rather than via presidential fiat.
[1] It is interesting to note that the CSIS-45 report has an entire section on previous attempts to model government after the private sector and building in the typical C-Suite executives (CTO/CISO/CIO) and how this has been ineffective since these C-Suite positions lack real authority and thus pushing a private sector organizational model into the public sector falls short. Since this dialogue was lacking in the CSIS-44 report one can only wonder if the non-business person was assuming the helm if language dictating the pitfalls of trying to apply a private-sector business organization to the government model would have been included?
[2] With obvious trade-offs and incentives within each. For instance, the lure of an NSA job may be using and developing cutting-edge tools and access to some fascinating technology contrasted with the public sector which can offer more financial incentives than the public sector.
Admin_WCS
Bruce Schneier has added some analysis of the CSIS recommendations on his blog at https://www.schneier.com/blog/archives/2017/02/csiss_cybersecu.html .