At the Defense Daily Cyber Summit, Dawn Meyerricks, Deputy Director for Science and Technology at NSA, stated without hesitation that Cyber Security is NOT the same as Information Assurance (IA). Many of us gave her hearty “amens.” However, she went on to say that IA was more comprehensive and was mainly about risk management. She said cyber security was a smaller category that did not encompass risk management. I was perplexed.
In the Q&A session, I asked her if this distinction was her personal opinion or if it was an NSA position. Before she answered, I pointed out that in many circles, particularly the Department of Defense, cyber security is all about risk management and mission assurance. They see IA as a subset of cyber security. She admitted that others, many of her own colleagues, used the concepts as I outlined them. She smiled, said she was not doctrinaire about it but was willing to engage in debate. Meyerricks then made the point that the differences between various experts were evidence that we badly needed to resolve these definitional differences.
She made three other points:
1. There is a need for tailored trustworthy spaces. Clearly, everything is not the same (we behave differently in movies vs. ballgames), so we must acknowledge that we need different levels of security for different cyber activities. You demand that your online banking works all the time, but when you are using Google to do a search, you are OK with refreshing if needed.
2. We must add speed to the process to make our cyber structures moving targets. We should get the updates out FAST and look at “places” of potential vulnerabilities and give them extra protection.
3. We need to provide cyber economic incentives. These could be positive or negative. We must determine what pain point is needed to provoke good cyber hygiene.
She also made the point that forcing software designers to insure their products probably would not work. After all, health insurance will not stop cancer. Will software insurance stop software problems?
Her closing points were that we must all focus on mission outcomes, solve problems collaboratively and innovate relentlessly.
It was a useful session, but it would have benefited from a longer Q&A.