Friday, April 16, 2010

"Cyber insecurity is the paramount national security risk."

Thanks to @borroff I read a fascinating article titled Cybersecurity and National Policy by Dan Geer. The title of my blog post is an excerpt from this article, posted in the Harvard National Security Journal on 7 April. This could be my favorite article of the year, and it proves to me that Dan Geer's writing has the highest signal-to-noise ratio of any security author, period.

(Personal note: I remember seeing Dan speak at a conference, and he apologized for reading his remarks rather than speaking extemporaneously. He said he respected our time too much to not read his remarks, since he wanted to conserve time and words.)

I've reproduced my favorite excerpts and tried to thus summarize his argument.

First, security is a means, not an end. Therefore, a cybersecurity policy discussion must necessarily be about the means to a set of desirable ends and about affecting the future. Accordingly, security is about risk management, and the legitimate purpose of risk management is to improve the future, not to explain the past.

Second, unless and until we devise a scorekeeping mechanism that apprises spectators of the state of play on the field, security will remain the province of “The Few”. Sometimes leaving everything to The Few is positive, but not here as, amongst other things, demand for security expertise so outstrips supply that the charlatan fraction is rising.

Third, the problems of cybersecurity are the same as many other problems in certain respects, yet critically different in others... these differences include the original owner continuing to possess stolen data after the thief takes it, and law enforcement lacking the ability to work at the speed of light.


Security is a forward-looking function, requiring a scorecard (sound familiar?) with problems that are both common and unique.

[B]ecause the United States’s ability to project power depends on information technology, cyber insecurity is the paramount national security risk...

[R]emember the definition of a free country: a place where that which is not forbidden is permitted. As we consider the pursuit of cybersecurity, we will return to that idea time and time again; I believe that we are now faced with “Freedom, Security, Convenience: Choose Two”

Dan then outlines three national security risks:

[W]hat types of risks rose to such a level that they could legitimately be considered national security concerns[?]...

The first is any mechanism that, to operate correctly, must be a single point of function, thereby containing a single point of failure...

[The second] national security scale risk is cascade failure, and cascade failure is so much easier to detonate in a monoculture...

[The third is that it] is simply not possible to provide product or supply chain assurance without a surveillance state...


Dan next provides us with what I may adopt as my own definition of security:

I currently define security as the absence of unmitigatable surprise.

This definition resonates with me, although it could be twisted for some odd consequences. Could one simply choose to never feel surprised in order to feel secure? I hope not! Dan provides some conclusions next:

[1] our paramount aim cannot be risk avoidance but rather risk absorption — the ability to operate in degraded states, in both micro and macro spheres, to take as an axiom that our opponents have and will penetrate our systems at all levels, and to be prepared to adjust accordingly...

[2] free society rulemaking will trail modalities of risk by increasing margins...

[3] if the tariff of security is paid, it will be paid in the coin of privacy...

[4] market demand is not going to provide, in and of itself, a solution.


I believe these are true. While explaining the third conclusion Dan notes:

It has been said over and over for twenty years, “If only we could make government’s procurement engine drive the market toward secure products.” This, ladies and gentlemen, is a pleasant fiction.

That is also true! I'm going to skip his discussion of government action and list three essential capabilities:

[T]he ability to operate in a degraded state is an essential capability for government systems and private sector systems.

A second essential capability is a means to assure broad awareness of the gravity of the situation...

There is a third essential, one that flows from recognizing the limits of central action in a decentralized world, and that is some measure of personal responsibility and involvement.


Dan concludes with:

For me, I will take freedom over security and I will take security over convenience.

I highly encourage reading the whole article. I skipped Dan's discussion of "regulation, taxation, and insurance pricing," but that is also worth understanding.

3 comments:

Andrew Jaquith said...

Thanks for posting this, Richard. Dan does indeed have the highest signal-to-noise ratio of anybody. I'll have to see how this one compares with my all-time favorite Geer speech, Risk Management is Where the Money Is, which is dated in a few places but has aged remarkably well.

gih said...

I do believe on that information. People never give attention to it but it's the most and effective way to fight the risk.

Michael Cloppert said...

Nothing like commenting nearly 30 days tardy, but I really enjoy Dan's commentary. He writes every month in Communications of the ACM, and always has great delivery and well thought-out points.