Mark Weatherford, Deputy Under Secretary of Homeland Security for Cybersecurity, noted the following at the ACD/EWI Briefing on CyberThreats & The Economy, George Mason University, April 9, 2013:
I focus today on two issues related to cybersecurity and the economy:
- The first is the role of government in working with the private sector with respect to cybersecurity
- The second is how the United States might use cybersecurity as an engine for economic growth.
- The first issue is a question many of us in government have been asking for some time and that is, “What’s our Role in Cybersecurity?” I’ve only been in the federal government for about 18 months but have sat through quite a few meetings where we’ve explored the question and I can assure you, it’s not a trivial or easy discussion.
- Historically, the mission of the Department of Defense is to provide the military forces needed to deter war and protect the security of our country. Doctrine, however, seems to be shifting to anticipate, or at least consider, that the next big destructive act facing our country will involve information technology.
- Here are a couple of things to think about:
- What is the role of government in a toxic waste spill where a community is endangered? The government typically monitors the situation but the private sector does the work.
- What is the role of government when a hurricane destroys miles of high-voltage transmission lines that supply electricity to our cities and the result is physical and economic suffering? Government often plays a more active role, like during Hurricane Sandy, but we typically monitor the situation while the private sector does the heavy lifting.
- What is the role of government when geomagnetic storms or solar flare activity create coronal mass ejections significant enough to damage electrical transformers that then cause widespread power outages – perhaps for months at a time?
- How about if that same transformer damage is caused by a High-Altitude Electromagnetic Pulse from a warhead detonated miles above the earth’s surface?
- These are two completely different issues requiring the same mitigation steps by the private sector, but I assure you that expectations regarding the role of government are different.
- Who is responsible for hardening the transformers?
- Who is responsible for maintaining a supply of spare transformers? These things are made mostly overseas, can take up to two years to build, cost millions of dollars, and are not easily transportable.
- Closer to home and more timely, what is the role of government when a cyber-adversary launches a Distributed Denial of Service attack against the banking and finance industry which threatens the banking industry’s ability to satisfy their customers, several days every week?
- This is something we know a little bit about, but it still isn’t clear-cut.
- DHS and other government agencies like Treasury, the FBI and DOD have been working with the banking industry for the past nine months on how to mitigate and respond to these attacks, but is there a threshold? What is the government’s role if that threshold is crossed?
- One of the significant roles of government is to share threat and vulnerability information with the private sector. This kind of information is frequently synonymous with Intelligence Information, which is often – too often in my opinion – classified.
- As most of you probably know, classified information is only shared on a “Need-To-Know” basis with those who have been vetted and granted a security clearance. This creates a conundrum for the government because there are a lot of people in the private sector who could benefit from “Need to Know” information.
- When I worked at NERC, I’d get into conversations with government organizations who, because I had a security clearance, would brief me on these scary things threatening the electricity industry, but then tell me that I couldn’t share it with the electric utility companies who actually run the systems.
- Our philosophy at DHS is different because while we have cybersecurity responsibilities for the civilian federal government agencies, our primary constituents are those private sector critical infrastructure companies across the nation.
- It’s something we call a “Duty-To-Share” versus a “Need-To-Know” and we do everything possible to get threat and vulnerability information into the hands of people who need it.
- So shifting gears, my second point is that I think there’s an opportunity for the United States to consider how cybersecurity policy, and the investment in technology that supports the policy, could be a catalyst for economic growth.
- First, we have to recognize where we are today in our capabilities versus the cyber-threat environment.
- Security has always been a “throw it in if you have time and it doesn’t cost anything” issue during system design and development. It’s never really been a priority and consequently, we are in a constant state of rebuilding of our infrastructure.
- I was reading about the Hubble telescope a while back and I thought it might serve as a crude, but related analogy.
- Hubble was funded in the 1970s and launched in 1990 at a cost of about $2.5B. As most of you know, they almost immediately discovered that the main mirror was too flawed and required repair if they were going to be able to get anything useful from the project. The Hubble servicing mission followed in 1993, just three years after launch, and cost about $1.1B.
- This is the security business today. The vendor market around bolt-on security is proof of this constant rebuilding, and while there is certainly some economic value to this market, we’ll never achieve the kind of security I think we expect from a nation of innovators.
- These aren’t just maintenance issues like changing the oil in your car – we expect to do that. What we shouldn’t expect is constantly fixing software defects and faulty applications.
- Almost all of our critical infrastructure systems have security flaws that could have been corrected during the initial design. The problem is, most of these systems were put in place decades ago. There are still turbines in dams, substations in the power grid, and industrial plants in the manufacturing sector that were built 20, 30 and even 40 years ago.
- This was way before there was even a cybersecurity issue to worry about. Since that time, these facilities and systems have been connected to, and are dependent upon, this very vulnerable thing we call the “Internet”.
- This requires companies to conduct extensive vulnerability analysis and then, either mitigate the vulnerabilities, or apply compensating controls like network segmentation, isolation and other wrap-around security measures.
- Of course they can also choose to upgrade and replace the systems entirely, but this is incredibly expensive and something not many companies want to do when there are years left in the life cycle. These kinds of capital investments are typically only made every decade or so in many sectors.
- This is where we are today – in Constant Remediation.
- We are making systems work with, metaphorically, a bunch of broken parts.
- This remediation creates jobs, but it has only limited impact on the overall economy.
- This is where the next big thing, or Cybersecurity 2.0, can elevate the United States and actually distinguish us from other nations as a safer place to do business.
- Cybersecurity 2.0 is when we begin to design security into every critical infrastructure system, to make the United States the safest place in the world to develop and host systems and applications.
- Just like “Safety” in a manufacturing plant is everyone’s responsibility, good security design will become habitual and an expected performance measure.
- After the significant remediation in our existing critical infrastructure is completed, and it’s going to take a few more years, standards for good security design and development will guide a new generation of product differentiation.
- This is when all of the new Cloud and Mobile applications and services will become safer.
- And in case you haven’t been paying attention, Cloud Computing and Mobility ARE the future.
- In a November 2011 Harvard Business Review article, Andrew McAfee called Cloud computing:
- “A deep and permanent shift in how computing power is generated and consumed. It’s as inevitable and irreversible as the shift from steam to electric power in manufacturing, which was gaining momentum in America about a century ago.”
- So here’s a question: How do you feel about banking and hosting your financial information in a country where you don’t know what security policies and controls govern the infrastructure?
- Would you feel better about doing that same business in a place where the policies and systems have been specifically designed, implemented and are regularly tested to ensure they have effective cybersecurity practices and controls in place?
- What about your healthcare information?
- How about the rest of your privacy related information?
- I think people in other nations and companies in other countries will feel the same way and choose the more secure place.
- There’s very little disagreement that the next generation economy is already information-based and becoming more so every day.
- That means we can’t – CANNOT – continue to treat security as a bolt-on after-thought. It must be designed and built into everything, and I think that can become a differentiator for the US economy.
- Made in the USA will mean something!
- Software will be developed with secure coding, systems will be designed to natively encrypt and protect data, and our hosting facilities will have threat monitoring and continuous diagnostics and mitigation built in to create the most secure facilities in the world.
- Security can be profitable!