During an in-depth policy discussion at the 2017 RSA Conference in San Francisco, former special adviser on cybersecurity to President Barack Obama, Michael Daniel, outlined the three main models for thinking about national defense: border security, missile defense and deterrence, aka mutually assured destruction. Unfortunately, he said, none of these are sufficient to meet the cybersecurity challenge.
"We tend to think of cybersecurity at the national level like border security; we also have this image of cybersecurity as missile defense or defense against aircraft; we have this idea of deterrence," specifically nuclear deterrence, Daniel said. "I think all three of those models are wrong."
While cybersecurity began with firewalls and perimeter defense, those tactics have long since faded into the background or become obsolete.
"In the border case, we as a society don't want the U.S. government operating at the border" of cyberspace, he said. "We actually have a model for that, it's called the Great Firewall of China. I don't think that we want that as a society."
So if border security is an inapt comparison, what about missile defense: creating systems that can intercept attacks being lobbed at federal and private sector networks?
That doesn't fit, either, Daniel said.
"In four and a half years as the president's cybersecurity coordinator, I've never once said, 'In 30 minutes the malware is going to hit. Go wake the president,'" he said. "That never happened. That idea that we're going to see the malware, where it originated, and see it come over as a missile and throw up a big shield in front of it is just wrong."
Well, what about deterrence? That only works when the adversary has just as much to lose, Daniel explained.
"We've been talking about all the different flavors of cyber incidents that we have: Criminal activity to nation-state activity to general miscreants – pimply teenagers in their parents' basement. How you deter those actors is all very different," he said. "Thinking only of deterrents as a mutually assured destruction is not an effective way to approach this question."
With none of these established models to rely on, Daniel urged the community at RSA – government officials and private companies and individuals – to come together to build new models for defense in cyberspace.
"One of the issues we will face over the next couple of years is, if those models are wrong, what are the right ones?" Daniel asked. "How should we be thinking about those new kinds of models and what should we be bringing to the table?"