The Digital Big Bang. Phil Quade
as a primary or a secondary feature in the continued transformation of cyberspace. This author suggests that it must be the former and that the security implied by the services of confidentiality, integrity, and availability must be thoroughly considered when any technology, service, or capability is being designed or introduced. Moreover, security must consider all of the contributing factors, encompassing all five layers of the model. Issues of policy, law, and ethics attach to the people and geography layers, which cannot be separately defined from the middle three (technology-only) layers.
But although the challenge of securing cyberspace may be a bridge too far, it is a domain of extraordinary interest that can and must be made defensible and, in turn, actually defended and supported through the employment of means and methods both in and outside of cyberspace itself. Useful analogs may be found in other complex manmade systems, such as those employed by the aviation industry, which has, over time, introduced a system of both technology innovation and governance that fosters continued transformation and capacity generation while imposing a requirement that the security implications of each new addition be considered and thoroughly engineered up front and by design, rather than after the fact. Cyberspace would do well to emulate this approach, though the immediate problems will be that domains do not govern themselves and that the present roles and responsibilities for driving and implementing security solutions remain fractured across organizations and sectors.
As stunning as the changes wrought by cyberspace have been to date, trends suggest an even greater transformation ahead. The pace will only increase anywhere and, increasingly, everywhere on the planet. And while the cyberspace domain can and must continue to be an engine of innovation and a means of global collaboration in support of private or public interests, the opportunities afforded by these trends must be accompanied by the exercise of responsibility across engineering, operations, and governance in fair measure to the value that is derived from, stored in, and leveraged from cyberspace.
ABOUT THE CONTRIBUTOR
John C. (Chris) Inglis – Former NSA Deputy Director
Chris Inglis is a former deputy director of the National Security Agency, currently serving as the Looker Distinguished Visiting Professor of Cyber Studies at the United States Naval Academy. He began his career at the NSA as a computer scientist in the National Computer Security Center and was promoted to the agency's Senior Executive Service in 1997. While at the NSA, he served in a variety of senior leadership assignments, including eight years as its chief operating officer, responsible for guiding strategy, operations, and policy.
A 1976 graduate of the US Air Force Academy and retired Brigadier General in the US Air Force, Inglis holds advanced degrees in engineering and computer science from Columbia University, Johns Hopkins University, and the George Washington University. From 2014 to 2018, Inglis served on or co-chaired Department of Defense Science Board Studies on cyber-resilience, cyberdeterrence, and cyberstrategy. He is a member of the Strategic Advisory Groups for the United States Strategic Command, the Director of National Intelligence, and the National Security Agency. Inglis is a managing director at Paladin Capital Group and serves on the boards of FedEx, KeyW, and Huntington Bank.
SECTION 2 ELEMENTARY SHORTFALLS:THE THINGS WE DIDN'T GET RIGHT AT THE BEGINNING
Because the Internet represents one of the most astounding innovations in the history of human evolution, its originators are often so revered that their staggering shortsightedness gets a pass. But when we pause to reflect, it is baffling that such visionary computer scientists—whose insights into the power and possibility of digital connectivity were powerful enough to change the course of history—could overlook or not address the most basic question about their invention: what if this really catches on?
It is sadly ironic that the three things that cause the most havoc in the cybersecurity domain are ones that network operators have the most control over.
UNANSWERED QUESTIONS
Today, nearly every cybersecurity expert and executive is living in the havoc of the answer. When a communication platform designed by and for a tight circle of academics and engineers is rapidly expanded for global public use by billions of people, incredible challenges result, along with fundamental questions that should have been more effectively addressed.
For example, authentication. If this really catches on:
How will it be possible to authenticate who is who and what is what?
How can we validate the identity of users to dictate and restrict their access across this vast network?
How will we authenticate software to operating systems, operating systems to hardware, or software to software?
In a system structured around the principle of trust, what happens when nothing is trustworthy?
For example, maintenance. If this really catches on and spreads beyond the confines of high-level military and academic use cases:
Who will be the police, the doctors, the civil engineers, and the maintenance workers?
How will we be able to recruit, train, and consistently, methodically advance the skillsets of the workforce necessary to ensure proper functioning of this innovation?
How will we tier, organize, and classify this workforce—and what are the potential ramifications of a vast, hyperconnected system without sufficient human resources to protect and maintain it?
For example, protection. In this digital utopia of human connection:
Do we risk it becoming a digital dystopia—a collapsed information state that creates a vacuum for the most unscrupulous?
Could we be creating a model of extremely efficient contagion—a volatile potential chain reaction of fraud, grift, and vulnerability?
How will we be able to identify vulnerabilities and provide the necessary solutions to mitigate them?
How will we distribute those solutions, who will implement them, and how can we ensure that it is done correctly?
These unaddressed questions led to inherent vulnerabilities that are built into the DNA of Internet security. In turn, the vulnerabilities have led to repeated patterns of compromise, settling for some measure of security so as to achieve satisfactory performance. The result has been deep-seated weaknesses that have shaped the tangible paradigms of digital compromise. As we will see in the next three chapters, these fundamental structural flaws form the common denominators of nearly all attacks and create the most intractable challenges in the cybersecurity domain.
The greater, overarching trajectory of cybersecurity becomes clear when we analyze what happened when these deep-seated weaknesses proliferated across the global Internet.
If fixes are ignored or fumbled, will the liabilities remain contained within the confines of those who didn't make the suggested improvements?
Or, in a hyperconnected system, will one individual or organizational error create a foothold and safe haven from which to attack others?
Network operators need not be exquisitely insightful at guessing foreign threats or omnipresent in detecting network intrusions. As the chapters in Part II make clear, if they master the issues of authentication, patching, and user training, they can develop a cybersecurity strategy that will succeed.
Конец