We have reached a new fork in the road in the very interesting field of cybersecurity. It seems that cybersecurity always elicits strong opinions (OK, or none at all). When they are strong, however, it normally runs along the schism of security on one side and privacy on the other. I have written in the past about this being a false dichotomy. I do not believe you can have any expectation of privacy if you have no or inadequate security.
The folks who come down on the privacy side – the same ones who put everything to be known about themselves on Facebook – really mean to say that they want privacy from the “prying eyes” of the government. Well, regardless of how you view the privacy v. security issue, it has gotten even more complicated.
Since I started working cyber issues, the mantra for possible solutions has centered on the concept of information sharing. There seemed near universal agreement that we needed to do more of it and do it more efficiently. If that could be achieved, particularly between government and the private sector, or at least among government agencies, we would all be closer to having better cybersecurity.
The Govies wanted the private sector to share all the details of when bad guys got to them (and how they did it) so they could then pass the word around and hopefully head off any future events against other entities. Private firms were reluctant to do this in some cases because it made them look bad/weak/vulnerable to their shareholders, customers and competition. The private sector also did not want to give the government proprietary information to which a competitor could later get access through the Freedom of Information process.
On the private side, they wanted the government to share real-time, classified cyber threat intelligence so they could take action to protect themselves. The Govies, naturally, cried foul and said the “protection of sources and methods” precluded such sharing.
Fine, we all get the problems, but how do we develop procedures to allow it to occur? In defense of everyone involved, they were and are really trying to fix these challenges. At least they were, until WikiLeaks occurred.
Now, many governmental agencies are pointing to the Department of State secrets swiped from DoD networks as evidence that they should do less information sharing, not more. The cry of “Not Need to Know, but Need to Share” is hardly heard anymore. What was touted as the key enabler of security is now in tension with it. Where does that leave us?
We now have an Iron Triangle of Cybersecurity. At the points are security, privacy and information sharing. Each one is enabled by the other two, and each one is, at the same time, in conflict with the other two. How can we achieve the balance that we so badly need?
I’d love to say I have the answer. Frankly, I do not, nor do I think anyone else does today. I do believe that resolution of this Gordian knot is one of the keys to having working cybersecurity in a capitalist democracy like ours and those of our main allies.
I am throwing out this line today to see what all you experts think about this. In my job at IBM, I am beginning a process of trying to develop an answer. It will take every bit of our technological expertise and policy agility to do it, but I think the effort will be worth the return. I challenge readers to offer insights into this conundrum. Heck, I am looking for help! How can we break, or better yet, use the Iron Triangle of cybersecurity? What is the correct balance of security, privacy and info sharing that will give the good guys the upper hand in the fight to protect the networks that are now our lifeblood?