Over the weekend, three stories crossed my desk that got me thinking about the challenge that Art Coviello issued to the security industry in his RSA Conference 2012 keynote: to forge a “collective resolve” to stand together against “a host of adversaries who threaten our very trust in the world’s digital economy”.
The first of these was the report, published in the Christian Science Monitor and elsewhere, of a new ICS-CERT alert regarding an ongoing attack on the United States natural gas infrastructure. The second was the “ClearText” closing article by Bruce Schneier in the latest IEEE Security and Privacy, taken from his recently published Liars and Outliers, a very thoughtful and insightful book. And the third was the announcement of a debate on international cooperation on cybersecurity to be held in Brussels on May 10th.
What do these stories have in common? All three lead to important questions about what effective cooperation means to achieving cybersecurity: how do we actually move forward together? The article in the Christian Science Monitor described a major cyber attack “currently under way aimed squarely at computer networks belonging to US natural gas pipeline companies.” What struck me most in the report was not the breadth of the attack, but the nature of the response: “the unusual if not unprecedented request to leave the cyber spies alone for a while.” The affected companies were asked to cooperate, at least to some extent, against their short-term best interests. How do they balance the value of cooperation in such a case against the risk of compromise? What enables us to trust that cooperation is our best response?
The extract from Bruce Schneier’s Liars and Outliers in IEEE Security and Privacy is taken from the chapter on “Technological Advances” (pp 228-229). While talking about the differences in speed of technology adoption between attackers and defenders, Bruce also describes “technologies that immediately benefit the defender and are of no use at all to the attacker.” One of his examples is communication technology, specifically radio communication for police. The technologies and processes for what, in his keynote, Art called “cooperation around intelligence sharing” are also among those defender-favoring advantages. Participation in a cooperative response to attacks like the one against the natural gas infrastructure strengthens that advantage. Our belief in the strength of that advantage itself encourages us to trust in the value of cooperation.
But in responding to attacks, we have to pay attention not only to our longer-term defender-favoring advantages, but also to our near-term risks. And that’s what the announcement of the debate on international cooperation got me thinking about. As Bruce puts it: “Society has to implement any new security technology as a group, which implies agreement and coordination”. But it’s not just technology that requires agreement and coordination: cooperation itself requires agreement, requires impact assessment, requires reconciliation of conflicting priorities and understanding of risk. So a debate on international cooperation against cybercrime is valuable and necessary. At the same time, however, it’s essential to move forward quickly where we can in international cooperation, like with the Cyber Atlantic exercises, minimizing the time differential between strengthening our advantages and addressing our immediate risks.
I’m in Prague on the 10th and won’t be able to make the debate in Brussels or the cybersecurity workshop on the same day, also in Brussels, that the European Union Telecom Commission (EUTC) is hosting and RSA is co-sponsoring and providing a speaker for. But even though I can’t be there, I’m convinced that both the debate and the workshop are essential. We need them both – not only assessment of what we are doing but also immediate concrete action – if we are to respond effectively and with conviction to Art’s challenge.