Don't worry about the bad guys turning out the lights. Worry about everything they're stealing while the lights are still on.
The theft of intellectual property ranging from Hollywood films to defense secrets is underway by cyber-criminals of various stripes. Maintaining control over intellectual property may be the single most important challenge to American economic security.
Implementing a cyber-reliant infrastructure is a national challenge which crosses the traditional boundaries between economic sectors and between public and private domains. For this purposes of this discussion, a cyber-reliant infrastructure will be defined simply as an end-to-end system of cyber-reliant products, protocols and processes, including services, which resist participating in the unauthorized transfer of protected material. A cyber-reliant product can be thought of as one that's going to be connected to a publicly accessible communications network and which begins and remains reasonably resistant to participating in unlawful cyber activity throughout its lifetime when used and maintained in a typical manner.
In response to the economic imperative of "accelerating the widespread adoption of integrated cybersecurity tools and technologies" the National Institute of Standards and Technology (NIST), in partnership with the State of Maryland and Montgomery County, MD, announced establishment of the National Cybersecurity Center of Excellence (NCCoE). Located within the Department of Commerce, the NCCoE has the potential to bolster American economic security by spurring deployment of the software, hardware, standards and services needed to build a cyber-reliant infrastructure.
Some the lessons that are needed for achieving national implementation of a cyber-reliant infrastructure can be gleaned from the experiences of Apple and SOPA/PIPA.
The iPad and the rejected legislation shared a notable commonality that's important to understanding why some IT security plans succeed while others do not, each's outcome was determined by how well it was designed for the cultures it had to negotiate.
The anti-piracy legislation and the computing devices shared another commonality. The designs of iPads and SOPA/PIPA called for implementing existing technologies such that they would interface with society in new ways. Every new social-technology interface brings with it the seeds of either rejection or success based on how well the interfaces meshes with the public's needs, customs, habits, values and priorities.
One of Apple's basic design goals has been to take friction out of the technology adoption process. Thus, the company creates packages of technologies and services that are sculpted on many levels to make them appear easy to use and desirable to own a branded basis.
In short, what Apple has done is to place low coefficients of friction between the public and new consumer technologies. As a result, society quickened its embrace of the new technologies.
By contrast, SOPA/PIPA is an example of using existing technologies in ways that received somewhat less public acceptance. This, despite a broad consensus that legal protection of intellectual property is essential for economic security.
One of the broad lessons that can be drawn from the experiences of Apple and SOPA/PIPA is that consumer acceptance of new technology applications is necessary — irrespective of whether consumers are the technology application's intended end-user.
Based on the lesson, it can be surmised that a product's social aerodynamics will be an influential factor on whether cyber-reliant products and processes succeed. Social aerodynamics can be thought of as a way of expressing the postulate that the adoption rate for new technology products and services will be an inverse function of the economic and cultural frictions that they generate when meeting society.
A formal understanding of the various frictions at the social/technology interface would be useful for anyone interested in understanding how the adoption of cyber-reliant technologies is influenced through product design.
Analysis of how to design and deploy a cyber-reliant infrastructure in light of the diverse voices interested in the interface between the security infrastructure's building blocks and their lives, should start with the premise that: 1) no single view will prevail; and 2) no single view should prevail. While the "design by committee" moniker enjoys great status among humorists, achieving the level of social consensus necessary for adoption of a cyber-reliant infrastructure will require design processes that reflect many perspectives, including privacy.
The initial starting point for evaluating the prospects for potential cyber-reliant products/services should be to understand their likely economic frictions. Passing a cost-benefit test is a necessary but not sufficient requirement for cyber-reliant products and processes. Moreover, cost-benefit analyses for upgrading cyber-reliance need to include careful consideration of distributional effects and indirect impacts, particularly with regard to small business and other small entities including municipal governments.
Small entities are often particularly susceptible to experiencing significant but indirect effects from third-party actions. The extent to which small entities can exert friction sufficient to slow or prevent a product or process's deployment, as happened with SOPA/PIPA, should not be underestimated.
An effective analysis of a cyber-reliant product/service needs to hunt for potential sources of friction and understand them so that methods can be developed for negotiating passage through the potential difficulties via design, education and other processes.
Many of the analytic tools for understanding potential sources of economic friction are those that are used in conducting Regulatory Impact Analyses (RIAs). These analytic methods can be useful even if no regulatory actions are contemplated. A properly performed regulatory impact analysis has the potential to assist in understanding potential sources of friction that may not appear significant from a traditional, business case macro perspective.
Analyses of planned cyber-reliant products and services, even those unrelated to regulatory compliance duties, would benefit from being evaluated in ways which take into account the complex regulatory environments in which their intended purchasers and end-users live.
An understanding of the potential regulatory frictions that can occur when people and businesses use new equipment/services is essential for evaluating the likely marketplace fate of those products. Moreover, analysis of regulatory frictions should include frictions likely from proposed or planned new regulations as well as consideration of a broader range of business legal concerns, including liability.
There are five federal guidance documents that provide structure and standards for conducting a thorough regulatory impact analysis: OMB Circular A-4, Regulatory Analysis; The US Small Business Administration/Office of Advocacy's A Guide for Government Agencies: How to Comply with the Regulatory Flexibility Act; OMB's draft Implementing Guidance for OMB Review of Agency Information Collection; OMB's Guidelines for Ensuring and Maximizing the Quality, Objectivity, Utility, and Integrity of Information Disseminated by Federal Agencies; and OMB's Final Information Quality Bulletin for Peer Review.
Because analytic tools specific to IT security assessments are still in their early development, metrics will need to need to be developed to measure the security and cost effectiveness of cyber-reliant products and services, including FedRAMP.
OMB stressed the importance of IT performance and cost metrics in their FY 2011 Report to Congress on FISMA implementation. The report provided metrics for agency adoption of continuous monitoring, Trusted Internet Connection (TIC) capabilities, as well as Information Security Cost Metrics.
Since societal acceptance of a given product or process is dependent on social and cultural frictions as well economic ones, it would be helpful to be aware of the complex, dynamic social processes which affect deployment of a cyber-reliant infrastructure. In developing IT security plans, therefore, it should be recognized that organized opposition to certain deployments of cyber-reliant product/services is not necessarily an obstacle to defeat but rather may be part of the social fabric that needs to be incorporated into an overall deployment strategy. An analogy would be "sailing into the wind” which refers to a nautical tactic that allows sailboats to head toward (though not directly into) the wind. A sailboat can make far better progress sailing into the wind than it could make if there were no wind at all.
Unfortunately, there are no handy how-to manuals, analogous to the regulatory guidance documents, for analyzing potential sources of cultural frictions. One way to obtain a read on how socio-cultural currents may impact deployment of a cyber-infrastructure is to reach out to people have demonstrated accomplishment in the arts as well as sciences. After all, music and science share mathematical underpinnings. Today's musician may be tomorrow's musician with rigorous training in the cryptographic sciences. Similarly, Steve Job's perspective on design was influenced by calligraphy.
Thus, the nation's cybersecurity leadership should consider looking to the visual and performing arts communities as sources of insight in helping to understand the cultural interfaces between society and the implementation of cyber-reliant products and services.
By Bruce Levinson, SVP, Regulatory Intervention - Center for Regulatory Effectiveness
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Minds + Machines