Opinion
This Profound Moment in Cybersecurity, and Three Challenges that Frame It
Richard Power looks at the big picture and how security must move forward
By Richard Power
Second, arguably the greatest threat to the cyber security of the nation does not arise from the dark side of the human psyche or some fatal flaw in some dominant operating system or application; it comes, instead, from our own inability in both government and business to address the organizational issues which hamstring our best-intentioned efforts to secure the nation's quadrant of cyberspace. Cyber security in both government and business has suffered from a lack of leadership at the top, a lack of meaningful mandate from the top, and, in government particularly, from a lack of continuity and unity of vision across departments, agencies and administrations.
No, Melissa Hathaway did not disclose the findings of the 60-day review of US national cyber security ordered by President Obama and delivered to him just prior to her keynote remarks at RSA 2009. Although from the influx of media in the hour or so before her hastily scheduled remarks during today's afternoon keynote session, it is clear that many expected that she would. But Hathaway did seem to more than hint at one important finding, i.e., that the White House must lead. Because cyber security is a national security issue, and no single agency in government could possibly oversee it for the whole of the government, the leadership must be centered in the White House.
That is (or hopefully shall be) as it should be.
If only more corporate leadership would recognize the need for robustness in the governance of enterprise security. (For more on this vital issue, see "To Govern or Not to Govern" in CSO Online, 12-2-08.)
Third, and most important, cyber security suffers from the lack of a great transformative metaphor. We need to find a 21st Century vision worthy of this 21st Century challenge. Cyber security suffers from being conceptualized as an architecture, and indeed as merely a subset of IT architecture, i.e., on the white board, all that an IT architecture is, is an orderly representation of networks, hubs, servers, workstations and clouds, and cyber security is simply another layer within that representation, i.e., a stratum of firewalls, authentication servers, intrusion detection devices, etc. positioned strategically throughout the greater IT architecture. This view of cyber security as simply flat, technology-centric and wholly subservient to the general IT environment limits and distorts the role of cyber security. A truly 21st Century cyber security architecture for the enterprise would not take as its model the blueprint of a building, or present itself as simply a subset of IT. A truly 21st Century cyber security architecture would take into account the physical space and the psychological space as well as the digital space; it will be informed not only by technology, but also by economics, psychology, anthropology, criminology, and other disciplines. The vision of cyber security as a web, an organic structure, would be more useful than that of cyber security as a blueprint. After all, in the 21st Century, the web of life has become interdependent and intertwined with the web of digital information; therefore, we envision the web of security as a third dimension, one that also becomes interdependent and intertwined and serves to strengthen and enhance the vibrancy, resiliency and health of the other two webs.



