Home / Blogs

Cyber Security Word Salad

Anthony Rutkowski

Two months ago, the Trump White House published its National Cyber Strategy. It was followed a few days ago with the release of its draft NSTAC Cybersecurity "moonshot."

The Strategy document was basically a highly nationalistic America-First exhortation that ironically bore a resemblance to China's more global two-year-old National Cybersecurity Strategy.

However, the Moonshot draft comes across as a Public Relations gambit meant to underpin the Strategy pronouncement by borrowing on the Von Braun project pitched to President Kennedy and implemented in the 1960s as the Apollo program. Apart from the rather ludicrous comparison, the draft itself serves up little more than another cybersecurity word salad found around Washington with six "strategic pillars" sprinkled on top. We are told that these pillars achieve "a more enduringly safe and secure Internet within the next 10 years [that] will require a holistic and multi-disciplinary approach." A "word salad" rendition of the draft is attached as an image.

These kinds of documents have appeared everywhere around the world over the past decade. Perhaps not unexpectedly, they all tend to have the same salad ingredients: Technology, Human Behavior, Education, Ecosystem, Privacy, and Policy. NATO has an extensive library of them.

And, almost every regional and global organization and intergovernmental body today have their own versions. The EU has several, and nearly two hundred Nation States at the ITU Plenipotentiary at the moment, are redrafting a bundle of them.

There is not much new in the NSTAC draft except the Moonshot packaging plus potentially creating a few new mini-government bureaucracies among existing government agencies to oversee the effort and lobby for additional funding. The last point — funding — figures prominently into the recommendations even as the document plainly offers nothing substantively new.

The report places considerable faith in "U.S. Government leadership" when the historical record in creating joint efforts like SEMANTECH and MCC have been problematic at best in sectors far less abstruse. Furthermore, as opposed to the UK's NCSC, the aversion within the U.S. to supporting its most valuable expert Information Assurance assets at NSA, creates an enduring institutional dysfunction. Additionally, scores of other national government agencies and thousands of companies and institutes scattered globally are pursuing similar well-funded initiatives that are largely unknown within the U.S. government, and with no ability to discover them and bring about convergence and harmonization.

What is most unfortunate is the model itself — which suggests there is some kind of achievable endpoint of cybersecurity. The complexities and dynamics of contemporary electronic components, code, and networks — coupled with business economics, adversarial incentives, legal constraints, and human foibles — result in an ecosystem where risk management and cyber-hygiene are the necessary courses of action.

On the positive side, the draft recommendations do harken back to a period when NSTAC hosted its own R&D;expert community and regular R&D;workshops. There are, however, several faux pax. While the draft repeatedly mentions that 5G is extremely important and that it will replace existing internets, it somewhat embarrassingly in the Glossary does not know where 5G work is done (i.e., 3GPP and NFV ISG) and that it is already being rolled out. The lack of engagement by U.S. government agencies in existing 5G industry technical developments has long been endemic.

More significantly, the report continues to push the politically motivated "open internet" when NSTAC was warned two decades ago by the DARPA Director who approved the TCP/IP platform development — that the "open internet" notion was flawed and meaningful cybersecurity is fundamentally impossible with open internets. Indeed, the dangers of open internets have come vividly home to roost over the past year courtesy of Russia's FSB and GRU.

Fortunately, the legacy DARPA internets are rapidly transitioning to a world of virtually instantiated network slices under a 5G aegis. While considerable attention is being devoted to 3GPP and related venues to security, it is unclear whether unknown and unforeseen vulnerabilities and attacks will not emerge.

By Anthony Rutkowski, Principal, Netmagic Associates LLC
Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Postscript Anthony Rutkowski  –  Nov 07, 2018 5:22 PM PST

For me, the subject is familiar territory on two fronts.  I was an engineer on the
Apollo project at KSC Launch Complex 39 and part of the Firing Room
team, and also for some years was the cybersecurity SME (Subject Matter
Expert) for NSTAC.  It is amazing how the same word salad just gets set out
again and again.  However, it is good to see NSTAC at least nominally alive again.

To post comments, please login or create an account.

Related

Topics

DNS Security

Sponsored byAfilias

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byAfilias

Cybersecurity

Sponsored byVerisign

IP Addressing

Sponsored byAvenue4 LLC