
Why Is Cybersecurity So Hard?

24/5/17, 11:54 AM


After nearly 20 years of trying and billions of dollars in investment, why are
organizations still struggling with cybersecurity? In fact, the problem seems to be
getting worse, not better. Answering this question requires moving beyond a purely
technical examination of cybersecurity. It's true that the technical challenges are very
real; we don't know how to write bug-free code, for example. But if you look at the
challenge more broadly, even if we resolved the technical issues, cybersecurity would
remain a hard problem for three reasons:

It's not just a technical problem
The rules of cyberspace are different from the physical world's
Cybersecurity law, policy, and practice are not yet fully developed

The first reason (that cybersecurity is more than just a technical problem,
incorporating aspects of economics, human psychology, and other disciplines) has
been explored in other articles in this cybersecurity series. However, the other two
reasons also contribute strongly to making cybersecurity difficult, and our
approaches must take them into account.

https://hbr.org/2017/05/why-is-cybersecurity-so-hard Page 1 of 4

Differing Rules in Cyberspace

Cyberspace operates according to different rules than the physical world. I don't mean
the social rules but rather the physics and math of cyberspace. The nodal nature of a
light-speed network means that concepts like distance, borders, and proximity all
operate differently, which has profound implications for security. First, with distances
greatly reduced, threats can literally come from anywhere and from any actor. Second,
the borders in cyberspace don't follow the same lines we have imposed on the physical
world; instead they are marked by routers, firewalls, and other gateways. Proximity is a
matter of who's connected along what paths, not their physical location.

As a result, our physical-world mental models simply won't work in cyberspace. For
example, in the physical world, we assign the federal government the task of border
security. But given the physics of cyberspace, everyone's network is at the border. If
everyone lives and works right on the border, how can we assign border security solely
to the federal government? In the physical world, crime is local: you have to be at a
location to steal an object, so police have jurisdictions based on physical boundaries.
But in cyberspace you can be anywhere and carry out the action, so local police
jurisdictions don't work very well.

The same principles of cyberspace that allow businesses to reach their customers
directly also allow bad guys to reach businesses directly. Yet you can't have
governments get in the way of the latter without also getting in the way of the former.
Sharing information among people at human speed may work in many physical
contexts, but it clearly falls short in cyberspace. As long as we continue to try to map
physical-world models onto cyberspace, they will fall short in some fashion.

Legal and Policy Frameworks

Next, cyberspace is still very new from a legal and policy point of view. In the modern
form, the internet and cyberspace have existed for only about 25 years and have
constantly changed over that time period. Therefore, we have not developed the
comprehensive frameworks we need. In fact, we don't yet have clear answers to key
questions:

What is the right division of responsibility between governments and the private sector in terms of defense?
What standard of care should we expect companies to exercise in handling our data?
How should regulators approach cybersecurity in their industries?
What actions are acceptable for governments, companies, and individuals to take and which actions are not?
Who is responsible for software flaws?
How do we hold individuals and organizations accountable across international boundaries?

Some answers are beginning to emerge. For example, we should not expect the federal
government to protect every business from all online threats all the time; it's simply
not practical, nor is it desirable, because it would significantly impact the way we're
able to do business. On the other hand, we can hardly expect most organizations to
thwart the activities of sophisticated nation-state actors. So how do we resolve this
dilemma?

Perhaps we should borrow concepts from the disaster response world, and divide
responsibility in a fluid manner that adapts over time in response to changing
circumstances. In disaster response, preparedness and initial response reside at the
local level; if a given incident overwhelms or threatens to overwhelm local responders,
then steadily higher levels of government can step in. We could apply these principles
to allocating responsibility in cyberspace: businesses and organizations remain
responsible for securing their own networks, up to a point. But if it becomes clear that
a nation-state is involved, or even if the federal government merely suspects that a
nation-state is involved, then the federal government would start bringing its
capabilities to bear. Fully answering these questions is the key cybersecurity policy
task for the next five to 10 years.

As long as we treat cybersecurity as a technical problem that should have easy
technical solutions, we will continue to fail. If we instead develop solutions that address
the reasons why cybersecurity is a hard problem, then we will make progress.

The Cyber Threat Alliance (CTA) is just one example of this approach (disclosure: I'm
the president of CTA). A little over two years ago, a group of cybersecurity
practitioners from several organizations concluded that the industry's operational
model was not producing the desired results and decided to adopt a new one: to
work together in good faith to begin sharing threat information in an automated
fashion, with everyone contributing to the system, and with the context of threats
being given a lot more weight. CTA's structure is an attempt to deal with the known
flaws in existing information sharing efforts. If we can continue to innovate in this
manner, we can finally begin to make some progress against this seemingly intractable
problem.


This article is about SECURITY & PRIVACY
