I teach an online Master’s Level course in cybersecurity policy Issues. As part of one of my lessons, I asked students the following question: Can the principles of public health be applied to help understand cybersecurity, or should we stick with a military/defense metaphor? One of the students in his response offered the following:
Public health is centered around 10 core functions, which are:
- Monitor status and identify community problems
- Diagnose and investigate threats identified
- Inform, educate, and empower communities
- Mobilize community partners and solve problems
- Develop plans and policies that support the individual and communities
- Enforce laws and regulations that serve to protect the public’s safety
- Link people to services, and ensure services are provided
- Assure a competent workforce
- Evaluate accessibility, effectiveness, and quality of services provided
- Research insights and new innovations to solve problems
Dato, Virginia (2000), Principles of Public Health-Mission, Core Functions and Ten Essential Services
These 10 core functions of public health entities is a stark contrast to traditional law enforcement and security premises centered on enforcement, detection, and deterrence. Due to the constant evolution of technology, trends need to be constantly identified, tracked and responded to. Limiting a national focus strictly to enforcement, detection, and deterrence in this student’s opinion is a classic example of reactionary response versus a proactive solution-based option.
I was suitably impressed. The ten functions given above fit the need of national cyber security to a tee. They cover the dynamic nature of the threat, the need for constant interactive vigilance, education and awareness, and continuous research and innovation. Howard Schmidt and Janet Napolitano take note. I am a lifelong military/intel guy, but this model is such better a fit for cybersecurity, it is amazing.
We badly need a real National Cyber CDC that can track trends and guide responses. They should also inform and have some oversight to the efforts of all the departmental cyber efforts.
OK, if someone attacks us outright with cyber means, it becomes a different issue set, but to deal with the ongoing, constantly evolving threats in the cyber realm, this model would work. Why are we not using it?
Thanks to Ronald Martin of Long Island University’s Homeland Security Management Institute for the assist.