February 6, 2018
With the release of the January 5, 2018 Draft Report to the President “Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats” the U.S. Administration set forth a vision that, if properly executed, has the potential to profoundly impact the security of our global digital infrastructure. What is at stake is nothing less than the sustainability of political, economic, and social constructs that are continuously evolving as a result of massive changes over recent decades in information, communications, and technology (ICT) products and services. While industry and governments have made significant advances in applying security measures to defend our global digital infrastructure, there is also a heightened awareness of sector interdependencies and systemic risk associated with our “hyper-interconnected world.” Moreover, the accelerating nature of the underlying technologies that will enable new applications such as artificial intelligence and augmented reality can serve to both preserve and destroy our most precious values.
What is required to address this evolving existential threat is nothing less than a hyper-coordinated, global strategy of like-minded nations with a plan to combat highly motivated and well-resourced adversaries with asymmetric economic advantages and generally unencumbered by ethical and legal norms. We must collectively come to acknowledge that incremental, silo-based and non-congruent measures and policies applied across a borderless cyberspace are deficient and that “collective defense” must now be the foundational cornerstone for coordinated governments and industry action.
Six High-Level Themes to Steer Collective Action
Following a series of initiatives and reports developed through an “open and transparent process” as called for in the Executive Order, the January report sets forth six high-level themes that are grounded on generally-accepted, if not irrefutable facts. First, and of great importance, the report recognizes the global nature of the problem and that the majority of compromised devices associated with recent cyber- attacks have been located outside the United States. It logically asserts that increasing the resilience of the “Internet and communications ecosystem” will require coordinated action with international partners. We can safely conclude that if we in the United States did everything right, it would be of limited consequence without broad international engagement and cooperation.
The second theme acknowledges that effective tools exist and, while routinely applied in selected market sectors, they are not widely used. Lack of awareness, cost avoidance, insufficient technical expertise and lack of market incentives are all cited as reasons for this circumstance. What needs to follow from this observation is the need for organizations to have greater clarity around their vulnerabilities, the potential associated consequences, and the availability of cost-effective solutions.
With recent attention focused on the threats posed by the ubiquitous deployment of Internet-connected devices (e.g., home cameras, smart thermostats), the third theme addresses the need to secure these products at all stages of the lifecycle. The authors note that many of these devices are vulnerable as soon as they are deployed, are not capable of patchable updates, and remain in service after vendor supports end. These are clearly not trivial impediments as evidence would indicate that consumers generally value price, functionality, and convenience over security.
Accordingly, the fourth theme notes that education and awareness is needed and that “knowledge gaps” among home and enterprise customers, product developers, manufacturers and infrastructure operators is a major impediment to making the ecosystem more resilient. It will take a major effort to get all of these stakeholders aligned around the value proposition and to take the necessary actions that would make the ecosystem less susceptible to the kinds of recent attacks.
Understanding how the market is working is the subject of the fifth theme where the authors note that market incentives are misaligned. The authors note that the goal set in the Executive Order to “dramatically” reduce the threats from automated and distributed cyber-attacks is undermined when product developers, manufacturers and vendors are incentivized to minimize cost and time to market and that there needs to be a better balance between security and convenience. Adjusting market incentives of this magnitude will require dramatic changes in how society writ large comes to terms with the threat.
Finally, the sixth theme captures the essence of what it will take to make meaningful progress around cyber security. In very few words, the authors note that the attacks represent “an ecosystem-wide challenge” and that “[N]o single stakeholder can address the problem in isolation.” As with the preceding themes, collective action based on a common understanding of urgency is the predicate for making real progress.
An effort of this magnitude and ambition must go well beyond aspirational words and must speak to an understanding of risk at the casual level. The January report provides strong scaffolding for a set of actions and recommendations that are certain to have a direct impact on every major participant in the digital ecosystem. Taken in their totality, the effort to implement the recommendations will place significant stress on both government and industry resources. Much of this work will require the active participation of individuals with deep technical and operational expertise who also operate on the front-lines of the cyber battle on behalf of their respective organizations. While the challenge may be daunting, as members of a functioning society we have little choice but to fully engage. The burdens must be equitably distributed across all stakeholders with a clear appreciation for the urgency and the cost of failure.
Stakeholders are set to provide additional input through comments that will be filed with NTIA next week, and it is highly likely that such input will result in some important refinements before the final report is issued this coming May. Still, even in its current form, it has all of the elements that should lead to consensus-based commitments and actions that would apply across the broad Internet and communications ecosystem.