Cybersecurity Straight Talk: Beyond Digital Armageddon
The political public debate over U.S. cybersecurity policy over the last few years has produced chilling sound bites like "electronic Pearl Harbor," "digital Armageddon," and even "cyber 9/11." And despite the clarion calls for "action" that inevitably flow from these phrases, such heated rhetoric does not lend itself to nuanced and focused policymaking. Perhaps that's why I found my attention riveted on the keynote address given by Scott Charney, vice president, Microsoft Trustworthy Computing at the Business Software Alliance cybersecurity conference on April 30th.
In his speech, Charney proceeded to peel back the layers on the disconnect among the various stakeholders within the cybersecurity community, what they need, and how to get it, in the most level-headed analysis of the cybersecurity landscape that I've heard in a long time.
He begins by asking why it has been so hard for people to "get their arms around"the cybersecurity and answers rightly that "[w]e have no workable taxonomy." He then proceeds to cogently deconstruct the cybersecurity problem, first setting out six key factors that make it so difficult to understand the problem: the broad range of actors, the difficulty in establishing motive, the shared and integrated nature of the Internet domain, the unpredictable nature of the consequences and the sheer "ugliness" of the worst case scenarios; and then breaking apart the actors and the motives (cybercrime, military espionage, economic espionage and cyberwarfare). Together, the taxonomy is an important contribution to clarifying a path forward for each threat. As he notes in his remarks:
"…often I have seen people get together and say, what are we going to do about the cybersecurity threat. When you talk about cyber threats that broadly, there is no way you can craft a strategy that will work; it's too broad."
The point--- that that are " different cybersecurity threats and each of them calls for a different strategy" -- may seem straightforward to those that do not follow this issue closely; however, it has been difficult at times to inject nuance into the discussion. CDT has long been frustrated by the broad-brush recommendations relating to "critical infrastructure" that fail to differentiate between strategies appropriate for the open Internet and those aimed at the power grid or chemical facilities.
Charney's thoughtful taxonomy begins to inject some welcome clarity into the debate, and is a welcome relief from some of the alarming rhetoric on the issue: a case in point this New York Times report on an Internet conference in Russia: "Stewart A. Baker, a fellow at the Center for Strategic and International Studies in Washington, and the former chief counsel for the National Security Agency, agreed that the most important step in combating Internet crime would be to do away with the anonymity that has long been a central tenet of Internet culture." What are Internet advocates to do with such remarks? We have no choice but to draw a line in the sand and defend the Internet.
It's not as though Charney doesn’t support increased attribution. He clearly sees increased identity as the first line of defense, but makes clear that it is not appropriate in all cases, that preserving anonymity for speech is important and why identity matters in specific instances. The point here is not that CDT agrees with every line of Charney’s speech. The subject matter, which includes the need for greater global law enforcement cooperation and rules for cyberwarfare, will surely raise a host of civil liberties concerns. I expect that when I get over being awed by it (and by his delivery…. 25 minutes without notes), I will find things to criticize. Rather, the point is that by setting out a thoughtful framework, civil liberties are not the enemy. Instead of drawing lines in the sand, we are all invited to the table to examine the taxonomy, determine where civil liberties and security might be in tension, and participate in the line drawing that matters most.