National Academies Press: OpenBook
Suggested Citation:"4 Accelerating Progress in Cybersecurity." National Academy of Sciences. 2015. Cybersecurity Dilemmas: Technology, Policy, and Incentives: Summary of Discussions at the 2014 Raymond and Beverly Sackler U.S.-U.K. Scientific Forum. Washington, DC: The National Academies Press. doi: 10.17226/21833.

4 Accelerating Progress in Cybersecurity

Progress in cybersecurity has been slow, and government, rather than leading by example, has often lagged behind other sectors. The rate of progress could be accelerated, but this will require a sustained effort by multiple stakeholders to understand the current context, make changes, and monitor the consequences of actions taken. Resilience, flexibility, and adaptability may be more useful than heavyweight defenses.

Gaining and Maintaining Trust

Given the importance of information technologies in modern life, government has a responsibility to take extra precautionary steps. Governments could make new efforts to protect information to the proper level, prioritize resources, and achieve both oversight and transparency.3

Trust has a technological dimension. For example, establishment of identity is being advanced in both the United Kingdom, with the Identity Assurance Programme, and the United States, with the National Strategy for Trusted Identities in Cyberspace program. These programs allow private sector firms providing authentication services to federate identity and use the right identity for the right purpose. Large companies with hundreds of millions of users across the world may be able to provide more trustworthy authentication services than the government. They perform billions of authentications per day and may be better placed to spot attacks and block them faster than smaller players, including small nations. The current trend is for people to use authentication services from large firms such as Google, Facebook, or Microsoft rather than government-issued IDs when accessing private-sector services.

_______________

3 For example, in 2013 the U.K. government increased funding for the National Cyber Security Programme by £210 million, putting the total for the 5-year program at £860 million. As part of an upgrade in cybersecurity after recent breaches, senior civil servants now have increased responsibility for managing risks. Organizations that supply services to the U.K. government must now comply with a “Cyber Essentials” scheme by adopting a set of technical controls.

The users of IT have a role in maintaining cybersecurity. User education—for instance, in the area of phishing—can strengthen this role, although it is not clear what kinds of education would be most effective or long-lasting. Moreover, in many cases users have little choice about whether and how to participate in certain systems, for they are compelled to share or use data or use certain technologies. Imposing additional, complex responsibilities could be unfair. In any case, studies are needed to determine how education can be most effective in this domain. For example, it could be focused on areas with the lowest marginal costs for users to change behavior and the highest marginal benefits in terms of cybersecurity.

Strengthening the Workforce

A critical boost to cybersecurity could come through developing national talent, including elite individuals and teams. Today, both the public and the private sectors are having trouble finding enough qualified cybersecurity workers. Furthermore, professions such as the law and psychology also need people with cybersecurity backgrounds. Especially important are people who can translate or mediate between those who focus on organizational intent and those with expertise in technology.

Hiring strictures and lower salaries in government are among the factors that impede progress in the public sector, but not in all agencies. For example, the U.S. National Security Agency generally has been able to get the people it needs, in part by identifying and attracting people with strong backgrounds and providing the necessary specialized training in cybersecurity. The signals intelligence agencies in both the United States and the United Kingdom work with colleges, universities, and schools to interest students in science, technology, engineering, and mathematics and demonstrate how these skills might be applied in government. Intelligence agencies have many different kinds of jobs, allowing people to follow multiple career paths.


Exerting Leadership

Cybersecurity could be enhanced if the leaders of organizations pressed for cybersecurity, not just the people within the organization with responsibility for IT and cybersecurity. If leaders had an understanding of and interest in the topic, cybersecurity could be an ongoing concern, not something to be checked off and forgotten. For example, senior decision makers could be running desktop exercises in the boardroom or at the executive management level to test how their organizations would respond in times of a cyber crisis. They could disseminate informed and proactive messages about organizational resilience.

Leaders do not need to be experts in cybersecurity, but they do need to ask how security fits into their organizations. Can security be managed? What risks are being taken? Can security be outsourced to another organization? These kinds of benchmarking questions are being asked by leaders and in boardrooms today, which is a sign of progress.

Leadership within government and its agencies can encourage thinking in terms of risk and resilience.

Stronger leadership could also provide organizations with greater flexibility. Business executives, for example, might argue that they succeed in part by taking and accepting risk and that accepting some cybersecurity risk, rather than focusing on comprehensive cybersecurity protection, is the best approach. Such an approach provides further incentive for shifting focus from compliance to risk management, a direction already outlined in the U.S. National Institute of Standards and Technology (NIST) framework for critical national infrastructure cybersecurity programs. In this way, the need for security could become more widely accepted by leaders even though they may not understand all the technical details and even though the risk-based approach also has problems.

While some government agencies respond to ongoing assessments of risk itself, they tend more often to be driven by compliance. But compliance-based measures tend to look to the past, not to future threats, and they can lead to a “box-ticking” approach to security. Again, leadership within government and its agencies can encourage thinking in terms of risk and resilience.


Preparing for an Uncertain Future

Cybersecurity is a high-stakes issue that will continue to grow in importance. What happens with IT will affect many aspects of public and private life, so cybersecurity policies need to be considered carefully. At the same time, cyberspace continues to change very rapidly, creating new opportunities for malevolent actors to disrupt the system. It can be hard to change a system that always has to be on and is used by most of the population almost continually, especially with limited funds and time.

The fundamental importance of the Internet to modern life points to the need for a continuing multistakeholder governance model with open standards. The problems people have are different and require different solutions, which calls for a multifaceted approach. Many entities have interests in these decisions, which requires not only that they have a voice in them but that people have a common understanding of cyberspace. This can be difficult, since different perspectives need to be combined to see the larger whole. Also, since many parties will be involved in improving security, the technical infrastructure will need to accommodate a wide range of inputs into the decisions about what is going to be allowed.

Innovative ways of thinking about the problem—for example, a complex systems approach, or biological metaphors for predator–prey relationships, or evolutionary perspectives on privacy policies over time—may bring progress. Technological developments, too, can yield major progress. For example, moving the operations of a government agency or of a business to the cloud could raise cybersecurity concerns, but such a move could also enable the upgrading and rethinking of an entire network.

In both the public and the private sectors, some groups are farther ahead than others in providing cybersecurity. All groups can benefit from becoming more resilient, which can put one in mind of some other relevant “R-words”: respond, retaliate, restore, repair, reconstitute, reroute, reboot, write out, and recover. Groups are now better at recognizing incidents, but many still have not implemented the cycles of improvement and change that can steadily improve strategies, capabilities, and resources. All organizations would benefit from acknowledging that they are vulnerable to cyberattack and cybersecurity failures and that they have issues that need to be addressed.

The challenges that will arise in the future are difficult to anticipate, since most of the important applications of the future almost certainly have not yet been invented. Even a decade ago, important features of the world that exists today could not have been anticipated, and the pace of innovation shows no signs of slowing down. Cybersecurity is a problem that cannot be fixed quickly or easily. Rather, many partial solutions and potential paths forward exist and will need to be implemented, which will require collaboration, collective action, and—most of all—determination.


FOR FURTHER READING

For more detailed discussion of many of the topics addressed in this document, see the following National Research Council reports, published by the National Academies Press, Washington, D.C. (before 2002, National Academy Press):

At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues, 2014

Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment, 2008

Engaging Privacy and Information Technology in a Digital Age, 2007

Toward a Safer and More Secure Cyberspace, 2007

Trust in Cyberspace, 1999

Cryptography’s Role in Securing the Information Society, 1996

Computers at Risk: Safe Computing in the Information Age, 1991

 Cybersecurity Dilemmas: Technology, Policy, and Incentives: Summary of Discussions at the 2014 Raymond and Beverly Sackler U.S.-U.K. Scientific Forum

Individuals, businesses, governments, and society at large have tied their future to information technologies, and activities carried out in cyberspace have become integral to daily life. Yet these activities - many of them drivers of economic development - are under constant attack from vandals, criminals, terrorists, hostile states, and other malevolent actors. In addition, a variety of legitimate actors, including businesses and governments, have an interest in collecting, analyzing, and storing information from and about individuals and organizations, potentially creating security and privacy risks. Cybersecurity is made extremely difficult by the incredible complexity and scale of cyberspace. The challenges to achieving cybersecurity constantly change as technologies advance, new applications of information technologies emerge, and societal norms evolve.

In our interconnected world, cyberspace is a key topic that transcends borders and should influence (as well as be influenced by) international relations. As such, both national and international laws will need careful evaluation to help ensure the conviction of cybercriminals, support companies that work internationally, and protect national security. On December 8 and 9, 2014, the Raymond and Beverly Sackler U.S.-U.K. Scientific Forum "Cybersecurity Dilemmas: Technology, Policy, and Incentives" examined a broad range of topics including cybersecurity and international relations, privacy, rational cybersecurity, and accelerating progress in cybersecurity. This report summarizes the presentations and discussions from this forum.
