At the Defense Daily Cyber Summit, Dawn Meyerricks, Deputy Director for Science and Technology at NSA stated without hesitation that Cyber Security is NOT the same as Information Assurance (IA). Many of us gave her hearty “amens.” However, she continued to say that IA was more comprehensive and was mainly about risk management. She said cyber security was a smaller category that did not encompass risk management. I was perplexed.

In the Q&A session, I asked her if this distinction was her personal opinion or if it was an NSA position. Before she answered, I pointed out that in many circles, particularly the Department of Defense, cyber security is all about risk management and mission assurance. They see IA as a subset of cyber security. She admitted that others, many of her own colleagues, used the concepts as I outlined them. She smiled, said she was not doctrinaire about it but was willing to engage in debate. Meyerricks then made the point that the differences between various experts were evidence that we badly needed to resolve these definitional differences.

She made three other points:

1. There is a need for tailored trustworthy spaces. Clearly, everything is not the same (we behave differently in movies vs. ballgames), so we must acknowledge that we need different levels of security for different cyber activities. You demand that your online banking works all the time, but when you are using Google to do a search, you are OK with refreshing if needed.

2. We must add speed to the process to make our cyber structures moving targets. We should get the updates out FAST and look at “places” of potential vulnerabilities and give them extra protection.

3. We need to provide cyber economic incentives. These could be positive or negative. It must be determined what pain point is needed to provoke good cyber hygiene.

She also made the point that forcing software designers to insure their products probably would not work. After all, health insurance will not stop cancer. Will software insurance stop software problems?

Her closing points were that we must all focus on mission outcomes, solve problems collaboratively, and innovate relentlessly.

It was a useful session, but it would have benefited from a longer Q&A.

Dr. Steven Bucci is director of the Allison Center for Foreign Policy Studies at The Heritage Foundation. He was previously a lead consultant to IBM on cyber security policy. Bucci’s military and government service make him a recognized expert in the interagency process and defense of U.S. interests, particularly with regard to critical infrastructure and what he calls the productive interplay of government and the private sector.
  • Ryan

    Steven, fantastic article. I agree, many folks within the security community use the terms interchangeably, resulting in less experienced folks (such as myself) oftentimes having a hard time differentiating the two. I'm a student fresh out of a semi-technical degree program; however, I often find myself getting confused when I hear people referencing very similar activities with both terms.

    I have a few questions for you that I am hoping you could answer to help clarify this picture for me.

    - How do/have your previous DoD client organizations defined “cybersecurity” and “information assurance”?
    - What tasks do you feel correspond with CS vs. IA?
    - If you had to identify the single, most important differentiator between CS and IA, what would it be?

    Thank you very much!