6th European Conference - Academic Conferences
Merritt Baer
security end-result, as is presumed by security-investment-level calculations. See, e.g., Schavland, Chan and Raines (2009: 629): “Our model places a dollar valuation on the insurance we are willing to purchase for information security.” Yet the assumption of a linear connection between investment and security is generally inaccurate. Karen Evans, Administrator for Electronic Government and Information Technology, Office of Management and Budget (2007), emphasized in a statement to a congressional subcommittee that when it comes to e-security, neither high spending nor high regulatory compliance translates directly into actual higher security.
Because of the private sector’s lack of incentives to collaborate, coupled with private companies’ incentives not to divulge information about breaches (see, e.g., Gal-Or and Ghose 2004), there is an opaqueness about cybersecurity vulnerabilities which can produce misinformation. For instance, there has been a longstanding assumption that cyberattackers exploit unpatched computers after the patch has been released; Internet security expert Eric Rescorla (2004) has even argued against disclosure and frequent patching for this reason. However, the latest Verizon data breach report does not support this: “In the past we have discussed a decreasing number of attacks that exploit software or system vulnerabilities versus those that exploit configuration weaknesses or functionality…[This year] there wasn’t a single confirmed intrusion that exploited a patchable vulnerability” (2010: 29). In other words, as Verizon’s 2009 report stated, “vulnerabilities are certainly a problem contributing to data breaches but patching faster is not the solution” (2009: 18).
There is another concrete instance of misinformation in the “60 Minutes” video (2009) that claimed that the Brazilian power grid was taken down by hackers. While the video met wide acceptance and generated apocalyptic fears, Bob Giesler, Vice President for Cyber Programs at SAIC, soon avowed the video to be “part of the dialogue that is absolutely wrong. The Brazilian power grid dropped because of poor and faulty maintenance.” Giesler was corroborated when Wired Magazine (2009) reported that there had been an investigation, and that the blackout was “actually the result of a utility company’s negligent maintenance of high voltage insulators on two transmission lines.”
Misinformation about our cyber nemeses obscures analysis of policy needs and threat prioritization. Game theory cannot apply efficiently when we miscalculate or fail to identify those against whom we are playing.
4. Moving from a linear to a biological model
High reliance on the private sector for cyber development means the DoD must use a customer-driven intelligence model, identifying needs and contracting for them. Yet competition for contracts does not occur in a perfectly competitive environment, and reliance upon it incorrectly presumes that the government has perfect information about its own needs and the risks of disclosing them. Umehara and Ohta (2009: 323) model transparency as a zero-sum game, and “assume that when a government agency makes a decision it knows the total amount of the potential damage.” We may need to reevaluate the customer-driven intelligence model to find ways to harness more of the brainpower that exists not only in the private sector but also within the nonprofit, academic, and government domains, such as the working group that came together to face the Conficker worm challenge (see Moscaritolo 2009).
Similarly, there are “weapons” confronting the DoD in the cyber arena that do not come from traditional or foreign enemies, such as the WikiLeaks disclosures. As Giesler (2009) phrased it, “The challenge to the government is: how do you harness that decentralized, netcentric organism? How do you enable the ecosystem's antibodies to react to these things as opposed to regulating and breaking it down? How do you nurture that reaction?” This decentralized power emerged in the response to Pakistan’s 2008 attempt to block YouTube, in which a more specific BGP route announced by Pakistan Telecom leaked beyond the country’s borders and diverted YouTube’s traffic worldwide; as Jonathan Zittrain (2009) reminds us, this was a crisis to which NANOG, “an informal network of nerds, some of whom work for various ISPs,” promptly responded.
Cyberwar strategy requires us to think outside of a linear security-investment frame of mind toward weapons development. The most accurate model of cyber threat appears to be one that is biological, specifically one that is epidemiological, in its response to invasion. In the case of the Estonian cyberattacks, Giesler (2009) offers as an example, “it was the banking sector, it was the telco sector that responded,” and “I started to think ‘Maybe that's the right model. This stuff is so decentralized, the problem is so pervasive and so fast…how you organize around a problem will dictate how you solve it and it requires a lot more dialogue.’” The Department of Defense has recognized this interweaving of capabilities and data, and released the more oblique statement, “We are in the Age of Interdependence, out of the Information Age” (DoD 2009 Vision Conference).