IBM has a new cybersecurity white paper. The paper’s executive summary, which I co-authored and which is posted below, is titled Meeting the Cybersecurity Challenge: Empowering Stakeholders and Ensuring Coordination.
Full transparency – IBM is my employer; however, the issues, challenges and possible paths to greater national cybersecurity named in the summary are important concepts. Through a comprehensive, widespread cybersecurity effort, all individuals, businesses, organizations, agencies and corporations can play a part in achieving greater national security. The information below contributes to this important mission.
Meeting the Cybersecurity Challenge
Our economy, government and society increasingly rely on digital infrastructures to function. That reliance creates critical vulnerabilities to cyber threats posed by everything from hackers to organized crime, terrorists, espionage and warfare. As the nation strives to address these threats, it is important to realize that cyberspace is a complex system of systems. No one entity can solve the problem of cybersecurity. Cybersecurity poses a systemic challenge to society. Meeting the challenge requires shared responsibility, clear definition of roles and responsibilities, and good-faith cooperation and collaboration. IBM understands the broad range of cyber threats and the critical importance of cybersecurity.
IBM’s approach to cybersecurity and risk mitigation explicitly addresses the multiple layers of IT, from system users to hardware, software, applications, network access, and data access. At the same time, IBM recognizes that cybersecurity is about much more than simply IT. Effective cybersecurity requires fostering a culture and governance model that reinforces shared ownership and accountability.
Addressing A National Security Issue
Cyberspace is defined by its ubiquitous connectivity. While “anywhere, anytime” connectivity brings untold benefits to society, it also presents serious risks. As networks increase in size, reach, and function, their growth equally empowers law-abiding citizens and hostile actors. The United States government faces four major challenges as it seeks to strengthen national cybersecurity:
- Challenge 1. Organization and Culture: The organization and culture of the Federal Government today does not adequately address cybersecurity as a national security concern.
- Challenge 2. Policy Authorities and Laws: Policy authorities and laws have not kept pace with the rapid evolution of IT.
- Challenge 3. Criticality of Networked Operations: Networked information technology is critical to the military, government and the global economy. Cybersecurity must be made an unequivocal priority.
- Challenge 4. Strengthening Security as well as Commerce and Privacy: Security, commerce, and privacy cannot be mutually exclusive. They must be treated as simultaneous goals and reinforce one another.
A Public Health and Safety Model for Cybersecurity
Most often, cyber threats are addressed in the context of security or using military metaphors. Unfortunately, an over-reliance on security metaphors can lead to a misallocation of resources and create policies, procedures, and authorities that are too narrow.
A public health and safety model for cybersecurity offers a fresh perspective. Rather than viewing threats primarily as attacks or warfare, it views most of the day-to-day challenges in the cyber realm as disease vectors that can evolve into epidemics and pandemics. In a public health and safety model for cybersecurity, responses are based on continuous research, open information exchange, and collaboration among a wide range of actors. A public health and safety model provides a highly effective framework for confronting many cyber threats, particularly those that are widely distributed or implicate the public at large.
Implementing The New Model
The recommendations contained in this paper align with the Near-Term Action Plan presented in the Administration’s 2009 Cyberspace Policy Review. Notably, our recommendations can be implemented in relatively short order because they leverage existing organizations and structures. The recommendations do not require completely new federal structures, only better coordination and focus in a way that leverages what already exists.
- Recommendation 1. Create a national Cyber equivalent to the Centers for Disease Control (Cyber-CDC) to monitor, report, coordinate, and collaborate on cyber threats and trends nationally and internationally.
- Recommendation 2. Create a national Cyber Federal Emergency Management Agency (Cyber-FEMA) to manage the response to cyber events of national significance.
- Recommendation 3. Create a Cyber National Response Framework (Cyber-NRF) to clearly define lead and support roles for responding to the full range of cyber threats. The Cyber-NRF offers three tangible benefits: Clear Roles and Responsibilities, Assigned Threat Thresholds, and Graduated Response.
The authors believe that the perspectives and recommendations contained in this paper can help the Administration confront the cybersecurity challenges that the nation faces. Steps must be taken to improve our ability to monitor, analyze, and take action against cyber threats. This is not an issue for the future, but one that must be confronted now.