Paige Atkins is Vice President for Cyber and IT Research at the Virginia Tech Applied Research Corp., and former Director for Strategic Planning and Information at DISA.
I recently had the opportunity to speak on a cybersecurity panel at the Telecommunications Industry Association’s 2013 conference on the “Future of the Network.” When we think about the Future of the Network, a fundamental element or enabler is protecting that infrastructure in an increasingly challenging cyber environment. And as our networks transform, our threats and vulnerabilities will continue to change rapidly and significantly. Everyone is at risk — everyone has been compromised — so how do we collectively best remediate, mitigate and manage the risk for the benefit of all?
Cybersecurity is most often associated with protecting the individual privacy of our citizens, the secrets of our nation, and the networks and computers that provide the basis for our communications, banking, commerce and industry. Within the general rubric of cybersecurity, equally important but less well publicized (and underappreciated) are cyber-physical systems that cross the boundary between the cyber world and the physical world.
We depend on these cyber-physical systems in our everyday lives, and that dependency is growing. These systems range in size from electrical power stations to tiny implanted medical devices, and support our national critical infrastructure. Enemies are targeting the types of computer control systems that could derail passenger trains and trains loaded with chemicals, contaminate water supplies, or shut down the power grid, all of which can cause panic, destruction and potentially loss of life.
I believe in the area of cybersecurity, particularly related to critical infrastructure, we are still trying to solve yesterday’s problems. We have not kept pace with where we are headed — and the growing complexity, interdependencies and unpredictability of cybersecurity as it relates to protecting our organizations as well as national interests and assets. We have seen increasing interest in and continuing reports of cyber-physical attacks such as Stuxnet and others, and additional attribution for persistent threats in the areas of cyber reconnaissance, malware infection, and data exfiltration — particularly highlighted by Mandiant. And yet we continue to struggle with establishing effective policies, legal framework and processes to better protect us all.
Often when we talk about cybersecurity, we get very focused on technical solutions. However, we cannot forget that effective cybersecurity requires our understanding among many interrelated and interdependent components — to include policy, legal, technology and operations — and we must consider them holistically to be effective. This is a hard problem, and it is clear we must all come together to effectively fight cyber crime and protect our personal, company and national assets. And public-private partnerships are essential — to effectively tap the expertise and lessons learned across this diverse set of interrelated issues as well as recognize the interdependencies across our public and private sector infrastructures. We are all in this together — and we will succeed or lose together.
However we can never lose focus on the need to balance — to ensure protection not only from a cyber defense perspective, but also to ensure we maintain an adequate level of privacy as well as usability for all individuals. Many folks see this balance as an “either/or” game. I contend that, collectively, we can shape our options to provide the right balance between privacy and protection. We do not have a choice.
The last item I will highlight is one we often forget. We cannot forget the basics — “basic blocking and tackling,” such as good computer and network hygiene, could prevent the majority of exploits. And we are only as strong as our weakest link — the end user, consumer, private citizens. We must continue to educate not only our own workforces, but the broader population to strengthen our cybersecurity posture around the globe. We are all responsible for cybersecurity.