Admiring the Pretty Problem

By Phil Reitinger

Trying to grapple with cyber security presents two overarching and related problems.  The first problem is scale.  We are making more devices “smart,” filling them up with functionality provided by millions of lines of code, and connecting them to the Internet.  Trying to secure even one very smart device, with perhaps tens of millions of lines of code, is a very difficult task by itself, because no one knows how to write vulnerability-free code in a commercially-reasonable way – so millions of lines of code means thousands of vulnerabilities.  And there are billions of smart devices with vulnerabilities.

The second problem is complexity.  We not only have billions of software-powered devices, they are all interconnected and interact in ways that seem to defy modeling.  Solving one problem affects another in often unpredictable ways.

Taken together, these two factors make cyber security a fascinating problem to study.  It’s a pretty problem – a lovely problem.  Effective approaches or solutions, however, those are another thing entirely.

Regardless, governments have an imperative to reduce cyber security risk.  To address the increasing risk, governments are taking regulatory approaches to cyber security and privacy, including the NIS Directive, the GDPR, state regulation in the United States, regulation in China, quasi-regulation around the world (including the efforts of the FTC in the United States and privacy commissioners elsewhere), etc.  Moreover, these regulatory approaches occur against a political backdrop of rising concerns about sovereignty and internationalism – see Brexit, national movements in Europe, and political changes in the United States.

The likely result of more regulation and less international collaboration is divergent mandates among nations and regions.  For every security analyst you hire, you will hire and assign a lawyer-buddy to advise on whether the analyst can examine or share some data.  While the scale of the Internet has made increasing security automation a crying need for years, doing so in a real, international environment will become, you guessed it, more complex.  The cyber security and privacy problem will become even prettier.

I’ve written before about the problems that increasing isolationism presents for cyber security, making collaboration more difficult and impairing both cyber security and privacy (“Isolationism, Cybersecurity, and Privacy”); about the advantages and risks of regional privacy mandates that add complexity to cyber response (“The GDPR and the Future of Information Sharing”); and about the risk that the increasing diversity of cyber regulation imposes mandates with less clarity and transparency than a more uniform regime would (“Cyber Regulation: No Coke, Pepsi”).

The requirements for policy are clear.  Especially to the extent mandates are imposed, those mandates must be harmonized.  Differences in mandates facing a single entity only slow response and waste resources that could be used for effective operational activity.  Mandates must also be clear, whether or not they are harmonized.  One can only automate response if software can make decisions – the “rules” can be written in code – and clarity tends not to be a hallmark of either cyber security or privacy regulation.  Let’s try to make the cyber security problem less pretty but easier to solve.  Scale we can only take into account rather than reduce (in my opinion), but harmonization and clarity are possible, and both reduce complexity.  Policy makers, have at it!

The Global Cyber Alliance (GCA) takes a different approach to reducing cyber security risk.  GCA’s method is unique – we don’t write reports that you may read and forget, or try to sell you a technology to protect you.  There are excellent think tanks, research organizations, and information security companies aplenty.  Instead, GCA concentrates on real, concrete tools and services that anyone can use to protect their business.  We attack the strategic by building tactical solutions, to see if they work and produce a measurable, positive result.  There are similar government efforts around the world, including by the National Cyber Security Centre in the UK and the National Cybersecurity Center of Excellence in the US.  Governments, please give us more of them.

The author, Phil Reitinger, is the President and CEO of the Global Cyber Alliance. You can follow him on Twitter @CarpeDiemCyber.