Posted by Taylor Armerding on December 4, 2018
Making the internet safe and secure in 10 years isn’t going to be easy, if it’s even possible. And that’s why NSTAC’s new proposal is a cyber security moonshot.
Stop me if you’ve heard this before: A presidential commission is launching a national cyber security initiative.
That’s right. The President’s National Security Telecommunications Advisory Committee (NSTAC) voted a couple of weeks ago to accept a subcommittee report on a proposed “cybersecurity moonshot,” echoing President John F. Kennedy’s 1961 challenge to put a man on the moon before the end of that decade.
According to the introduction, this will be a “whole-of-nation” effort to “deliver a clear aspirational and inspirational vision as a catalyzing force for national activities … [and] declare a national strategic intent to: Make the Internet safe and secure for the functioning of Government and critical services for the American people by 2028.”
Which would, of course, be a very good thing—assuming that anybody knows what the internet landscape will be in 10 years. It’s just that we’ve heard much the same thing before—multiple times from multiple presidents over nearly two decades.
It is also a very difficult thing. In the week the report was accepted, there were headlines about how catastrophically insecure many Internet of Things (IoT) devices are; how hackers at a security conference in Tokyo easily broke into some of the newest and best smartphones; a small flood of new Spectre/Meltdown attacks aimed at computer CPUs, or chips; and a brand of child-tracking smart watches that are “easy to hack.”
And that was a pretty normal week—a week that follows decades of effort to make the internet safe and secure.
But as JFK said at the time, “We choose to go to the Moon in this decade and do the other things, not because they are easy, but because they are hard; because that goal will serve to organize and measure the best of our energies and skills.”
And the report, as noted above, does describe itself as “aspirational.”
Of course, as also noted, President Trump is not the first to issue exhortations, orders, or initiatives to improve cyber security.
President Clinton proposed a National Plan for Information Systems Protection in 2000, labeled “the first-ever national strategy for protecting the nation’s computer networks from deliberate attacks.”
President Bush released the National Strategy to Secure Cyberspace in 2003. While it backed off earlier proposed mandates, its stated goal was to launch a “coordinated and focused effort from our entire society—the federal government, state and local government, the private sector and the American people”—to reduce the nation’s vulnerability to cyber threats. That sounds a lot like a “whole-of-nation” effort.
And President Obama issued more than one. In February 2013 it was about better security of critical infrastructure. Three years later, at the start of his final year in office, he established the Commission on Enhancing National Cybersecurity.
Add to those the dozens of private, public/private, and government agency standards and best practices that prescribe (many in exhaustive detail) how to make connected devices, networks, and systems more secure.
And after all that time—nearly 20 years—now that the internet has embedded itself into modern life, much as the automobile and television did in earlier generations, nobody would describe it as “safe and secure.”
So when aspiration collides with reality, as it inevitably must, will this initiative make things any different?
For starters, it’s hard to picture it as a “moonshot,” which calls up visions of heroics—celebrity space “pioneers” being feted with parades, White House visits, medals, and more.
Most experts will tell you that transforming the security of the internet is more about the grinding, often boring, frequently anonymous work of getting bugs out of software, designing hardware without flaws, and teaching people how to tell when somebody is trying to scam them.
As Michael Fabian, principal consultant at Synopsys, puts it, “Information security across the board needs to do fewer ‘transformational’ things and more ‘fundamental’ things.”
“If you recall, the overwhelming message in the last few Verizon Data Breach Investigations Reports is that 90% of breaches could have been prevented by the most basic of cyber security controls and that 90% of breaches are a result of vulnerabilities more than a year old. More than a year!”
Jacob Olcott, vice president of communications and strategic partnerships at BitSight, and former counsel to former Sen. Jay Rockefeller, D-W.Va., is skeptical as well.
“Nothing like government pulling a bunch of government people together to have the same old boring conversation about what government can do about the cyber challenge, and then writing a 55-page report about it,” he said.
But the authors of the moonshot report obviously think this one will be different. They acknowledge that there are “many known best practices and policies that, if more judiciously followed, would measurably improve Internet safety and security.” But they call for “the pursuit of more transformational efforts that will fundamentally alter the default level of Internet safety and security.”
Tom Patterson, chief trust officer and vice president at Unisys and a member of NSTAC, describes it as a “defend today, secure tomorrow” approach.
“While the report clearly calls out, respects, and supports the nation’s past and current efforts on defending today—a mission that many of the report authors are part of on a daily basis—our task was to come together as a nation to envision a dramatically more secure future state and recommend pathways to achieve it,” he said.
Patterson said there have been “good efforts” from “many components of government, international norms, industry associations, and individual organizations,” but that this initiative intends to bring them all together in “a single, coordinated, and funded whole-of-nation approach” that will include “all aspects of federal, state, and local government, as well as industry, academia, associations, and individuals.”
According to the cyber security report, previous cyber security initiatives have “failed to articulate the cybersecurity challenge in a way that incentivizes and ensures this level of collective action.”
Patterson said the report focuses on “six critical pillars”: technology, privacy, ecosystem, policy, education, and behavior.
“It’s within the behavior change section that we most fully recognize that these are not simply technology issues, but rather must fully embrace all aspects of human behavior,” he said.
Fabian said for incentives to address “all aspects of human behavior,” there will have to be the kinds of penalties that have not been seen so far. “Equifax can lose the data of pretty much every credit-having adult in the nation, and what’s the penalty?” he said. “Sure, they lost some money, but it’s a drop in the bucket—it should have been the corporate death penalty, a la Enron, for them.”
Beyond that, there is clearly a technology component at play, in which attackers continue to evolve more quickly than defenders. The report cites “quantum computing, artificial intelligence (AI) and machine learning, cloud computing, and 5G communications” as tools for automated cyber security defenses that will “shift more leverage and the overall balance of power to cybersecurity defenders.”
But attackers have access to those technologies as well.
Patterson said the initiative calls for the good guys to develop them faster. “The report recommends that we accelerate the development and deployment of quantum-resistant encryption in a trusted fashion in advance of these coming adversarial abilities,” he said. “Another example is the coming rollout of 5G communications, which offers the U.S. the ability to significantly improve our overall national communications security posture.”
To which Fabian offers another dose of reality: “At the end of the day, a defender has to do 100,000—or more—things right. Attackers need one mistake.”
Finally, where will the money to fund all this come from? That remains hazy. The moonshot report recommends that the current level of funding for cyber security be increased by “orders of magnitude” without specifying how many orders or the source.
Patterson didn’t specify either, simply saying that “the costs will go up.”
“The report provides a playbook to get to the answers of how much and by whom, but the authors did not want to sugarcoat the issue of funding,” he said, adding that the hope is that economic benefits from better security will offset early cost increases.
Fabian said there will always be applicants for more government funding, but that “any effort needs to start from the ground up. We need to stop trying to do all these sexy things and do the right things right.”
He said a good start would be to eliminate the so-called M&M model of defense—hard on the outside, “but once you get through, it’s all chocolate goodness. Let’s get better at defending, detecting, and shutting down issues, minimizing the damage, rather than putting up a tough shell and dealing with things later,” he said.