Is CyberSec Framework Doomed to Fail?Researcher Touts Market-Driven Approach as Alternative
George Mason University research fellow Eli Dourado says the cybersecurity framework, issued earlier this year by the National Institute of Standards and Technology is likely to cause more problems than it solves.
Instead, critical infrastructure operators, the group the framework targets, should adopt dynamic cybersecurity provisions, Dourado says in an interview with Information Security Media Group (transcript below).
Dourado, who co-authored a paper titled Why the Cybersecurity Framework Will Make Us Less Secure, defines dynamic cybersecurity as a market-driven approach in which organizations, such as Internet service providers, cooperate with one another at will, without formalizing an agreement, and break ties with entities that fail to provide adequate security.
The cybersecurity framework uses the term dynamic cybersecurity only once. But Adam Sedgewick, NIST's point man on the framework, says the framework doesn't dismiss dynamic cybersecurity. "The framework is not a single standard," Sedgewick says. "There's wide agreement on the need to leverage what they call 'dynamic cybersecurity,' as you can see in the framework itself." (see The Evolving Cybersecurity Framework.)
Asked about Sedgewick's comment, Dourado says the NIST senior IT adviser misses the point. "It's great that there's a recognition that this is important," he says, but the framework's structure that encourages entities to adopt specific, fixed roles could undermine dynamic cybersecurity.
In the interview, Dourado:
- Addresses concerns that the voluntary framework could become mandatory despite government's assertions it has no intent to do so;
- Proposes that the federal government purchase cybersecurity insurance to drive down premium prices, making insurance more affordable for businesses; and
- Explains why he believes the federal government deems too many sectors as critical infrastructure industries.
Dourado's research at George Mason University's Mercatus Center focuses on Internet governance, intellectual property, political economy and the economics of technology. In 2012, he co-created the International Telecommunication Union transparency site WCITLeaks.org and participated in the World Conference on International Telecommunication as a member of the U.S. delegation.
ERIC CHABROW: OK, why will the cybersecurity framework make us less secure?
ELI DOURADO: Cybersecurity is an extremely complex area. The cybersecurity we have that has protected us so far is a result of an emergent bottom up cooperative process between all kinds of players in the ecosystem. And that emergent quality is hard to replicate through sort of top-down direction. The more complex and dynamic the system is, the more difficult it is to sort of comprehensively play to replicate in the effective emergent aspects of what is going on through a comprehensive top down plan.
CHABROW: You're relying on the marketplace to provide these solutions as you've felt they've done over the years?
DOURADO: Network operators, operators of financial sector, others who have an interest in protecting their own assets, but also service providers. ... So there are companies who, of course, specialize in providing security products, academic researchers who help discover vulnerabilities and responsively disclose them. It's hard to coordinate the interaction between them all at a national or governmental level. What would actually make us more secure is to leverage that existing dynamic provision of security instead of trying to plan who has what roles and what boxes they all need to be checking.
CHABROW: Explain what dynamic cybersecurity is.
DOURADO: It's the term that we decided to use. It came out actually of another paper I wrote on just ISPs and how they work together to create security online. What's interesting about ISPs is that they peer and [have] transit arrangements on an at-will basis. Typically there is no contract when networks connect to each other, and they do this so that they can de-peer when their peers are not providing adequate security. What I found in the earlier paper was that actually represents a great deal of how we are actually producing cybersecurity, but it's not something that is really seen. It's that dynamism of being able to say, "Pick up the phone and call your fellow network operators saying you've got to fix this or else we're going to de-peer you, even if it is not stated that explicitly." To us, that was an interesting and dynamic aspect of how security can be provided.
CHABROW: I exchanged e-mails about your paper with Adam Sedgwick of the National Institute of Standards and Technology. Based on his initial glance at your study, he doesn't see how the framework is a plan to federally categorize industries and prioritize vulnerabilities as determined by federal agencies. Is he missing the point or what?
DOURADO: Well, yes. I think there is often lip service to this dynamism that I'm referring to, but I think that the idea of having a program to try to replicate that, it's [just] misguided. I think it doesn't work. It's great that there is a recognition that this is important, but I think that there's a recognition of the way that classification schemes [are] very much encouraging people to adopt certain roles, specific roles that are fixed can undermine the dynamic of cybersecurity provision.
CHABROW: Aren't they just talking about a collection of best practices and offering it to infrastructure owners and other businesses that choose to follow it?
DOURADO: For now the framework is voluntary. There is talk about having incentives to implement it. I mean the incentives are not jail time for not implementing it, but they are there. At some point in the future this could become non-voluntary. There has of course been legislation to make it not voluntary. The definition of what is critical infrastructure keeps expanding too. So I worry that at some point in the future, this is going to become a less voluntary plan that applies to a lot of people.
CHABROW: Even outside of cyber, is there a role for government to broaden regulations, and if so, in certain areas, why not in cyber?
DOURADO: I think that, for instance, the example I always give of what the government should be doing is something like antibiotic resistance. So antibiotic resistance is the real problem, where there is collective action problems and the government should regulate to solve it. In cybersecurity, I'm not convinced that there is a huge market failure. A lot of the players involved have skin in the game. They have something on the line and they want to be secure. One proactive way that the government can help improve cybersecurity that we discuss in the paper is purchasing cybersecurity insurance for its own agencies and heavily regulated monopolies in order to help kick-start that market. That is a clear market-failure; whether there is the demand for cybersecurity insurance. But there hasn't been a market at this point. I'm not saying that there is no role; I'm saying, we do discuss what we think are constructive things that the government could do as well.
CHABROW: What sector out there should not be considered a critical infrastructure?
DOURADO: What I think critical infrastructure should cover are utilities that have a regulated monopoly that aren't subject to market forces. So something like nuclear power plants, I have no problem with that being covered as critical infrastructure. Other industries between the finance sector or Internet networks, I do have a problem with those being considered critical physical infrastructure even though they are infrastructure.
CHABROW: Why so?
DOURADO: As I say, [they're] subject to market forces and not in danger of underproviding cybersecurity.
Impact on Society
CHABROW: What would be the impact on our society should something go wrong with the market, whether it's the banks or a water company?
DOURADO: I'm sure that there is a big philosophical difference. I mean the point is that yes, something could go wrong, but what we actually observe, the kinds of cybersecurity problems that we observe, are things like data breaches, espionage and cybercrime. Not these cyber Pearl Harbor events that we sometimes hear talked about. I don't see any of it as a serious threat that justifies more government involvement, then of course the government monitoring its own resources, which it should do.
CHABROW: When you talk about focusing priorities, you're talking about basically catastrophic failures versus data breaches, information being stolen that kind of thing?
DOURADO: I think absolutely that the government should, in short, try to ensure that nuclear power plants are not breached. But the more you add to that task, and government also has to secure all these other industries, the more complex that system becomes and the harder the job. Yhe more difficult it becomes to do an effective job at any of them through the adoption of a centralized plan.
CHABROW: Would cultivating a private sector cyber-insurance market be changing a certain dynamic in government?
DOURADO: First of all, it should be noted that federal agencies, I think in the most recent year the data is available, they experienced 22,000 breaches. This is not just a small number. I think that you're right that there has been a difficulty in getting this market off the ground, and that is a legitimate role of government to help markets when they don't work. The government could buy cybersecurity insurance and maybe force the regulated monopolies, such as nuclear power plants, to also buy cybersecurity insurance. That would create a class of specialists who look and assess risk, and are able to give feedback through the price system to operators of both the agencies and some infrastructure. That would help make us more secure in the future by opening up that expertise to the private sector as well.
CHABROW: In your paper you discuss that maybe the federal government isn't sharing as much as they should with the private sector. Why don't you expand on that?
DOURADO: Even the cyber alarmists say that this is the case; the government has been overprotective of classified intelligence of cyber threats. Even in existing information sharing programs often [they] make it easier for private sector people to get clearance to view the information. There is very little movement on declassifying the information. A lot of this is not really important to be kept secret for national security purposes. It's just a relic of how the Department of Defense or other agencies have been doing things for years. So I think it would be beneficial to declassify a lot of that information.