The Cyber Domain: Five Ways to Frame the Security Policy Discussion
By Stephen Recca, M.A.
In August, 2010, the international pedophile ring Dreamboard was shut down, and 52 arrests made after a worldwide investigation led by the U.S. Department of Homeland Security. With about 600 members, the website is believed to have distributed some 123 terabytes of child pornography. It was the biggest prosecution by the U.S. of child pornographers.
In May, 2011, the Chinese Defense Ministry confirmed it has a unit of about 30 elite Internet specialists, officially said to be engaged in cyber-defense operations. Many worry, however, that the “Blue Army” has been used to hack into online systems of foreign governments.
In March, 2012, somewhere between 50,000 and 10 million credit card holders were put at risk of fraudulent charges when third-party processor Global Payments was hacked.
Over the last decade alone, technological advances have forced a sea change upon the world with myriad positive implications. But for all the positives, there’s a dark side to our fast-evolving cyber world, and these three examples just touch on its scope. There’s been a simultaneous emergence of cyber threats and crimes on a variety of fronts that pose a risk to individuals, businesses, and governments.
It’s made the cyber realm a critical domain from the security perspective, and one that the public and private sectors must come together to address in a defensive manner. That’s no small challenge: As fast as technology changes, so, too, do the threats. It has hindered the development of a coherent national policy for the cyber domain, and without one, we’ll never get a firm handle on how to manage the good and the bad that lie within it.
The onus is on current and future professionals who deal with security and technology to play a role in shaping our nation’s policy on this realm – and the thinking that forms its foundation. Significantly, that means advancing our understanding of this domain and where it’s going so that we do more than merely identify future challenges, but do the job of shaping the space around it.
Consider five areas where we should focus our thinking in order to get ahead of the curve on this evolving domain:
- Understand what the cyber domain encompasses.
Effectively mapping out the territory is critical to understanding its dimensions and making this sprawling domain more manageable from a policy perspective. That’s no easy task given its international nature, that it’s “owned” primarily in the private sector and by individuals, and that its tendrils spread to multiple facets of our lives, culture and society.
- Develop a glossary of common terms.
To enable more people to be part of the discussion requires that we adopt terms of reference that are as easily understood by laypeople as by technicians. The more easily people can grasp the terms of reference, the more broadly they can think about solutions to the issues at hand.
- Identify the threats putting the domain at risk.
We need ensure there’s an open aperture to capture the diversity of cyber threats. There’s hacking. There are viruses. There’s organized crime, and disorganized, as well. There’s cyber crime and cyber warfare. When it comes to crime, identity theft is a big issue for individuals, while data and systems security are major concerns for the private sector. Moreover, there are threats that cross public/private boundaries that need to be anticipated. Remember a plotline of the television show “24”? The bad guys plotted to breach our nuclear plant grid to gain control of the entire critical infrastructure protocol.
- Identify needed resources and capabilities.
Are we equipped, from a technical and non-technical perspective, to deal with cyber threats? What will it take, now and in the future? How do we think about behaviors that will make for a more secure cyber environment? On one hand are system fixes, hardware and software considerations. On the other are capabilities that we need to study for our comfort and legal zones, not to mention our defensive posture. Are we equipped to conduct a preventive war in cyber space? To counter a cyber attack by an unfriendly nation? And, importantly, where and how do we balance investment in technology with investments in political, policy and regulatory capital?
- Develop a national policy using these planks as the platform.
Our policy on security within the cyber domain must reflect our best thinking on these sorts of issues, and factor in organizational considerations – who’s responsible for what, for example – to ensure we get and stay ahead of the curve on this fast-changing environment. Ultimately, it needs to represent the kind of common ground that the public and private sectors need to effectively manage the good and the bad of this brave new world.
Do you have ideas to share for framing security policy discussions? Tweet us @CTUSecurity, or leave a comment below.