The economics of a national cyber immune system

futuristic cyberwar

White House cyber czar Michael Daniel does not buy into the Hollywood doomsday hype of the so-called cyber Pearl Harbor. But he does wish it wasn't the bad guys pulling in blockbuster revenues in today's real-world cybersecurity battles, while governments rack up billions in bills.

As the National Institute of Standards and Technology prepares to release a formalized version of its cyber framework around Feb. 13, many in the federal cybersecurity community are looking to what's next. Much of what is ahead builds on yesterday and today, including information-sharing efforts that officials say are better than they used to be but still need to be improved in order to reverse the economics of cybersecurity and build healthier networks.

"How do we flip the economics in favor of the defender? Right now the underlying economics -- not only the structure of cyberspace, but the economics of cyberspace -- favor the attacker," Daniel said Jan. 29 at the Cyber Innovation Forum in Baltimore. "Simple, cheap attacks are used multiple, multiple amounts of times to generate huge amounts of revenue for the bad guys, whereas it takes us lots and lots of money to propagate defenses across the network. That's not a sustainable, tenable place to be."

Change hinges on what Daniel termed a cyber immune system for federal networks. Comparing cybersecurity to public health is not new -- tackling viruses being a prime example -- but according to Daniel, building an immune system requires going beyond technology and achieving engagement across the government, industry and general public.

"How do we encourage the broadest possible implementation -- in other words, how do we get everybody to get their flu shot?" Daniel said. "Most of the problems that we face are usually not solely about the technology; they're about the people and about how people use the technology. So the solution ... is going to have to involve getting the people part right, not just the technology."

There are good examples of that in place, according to Bobbie Stempfley, deputy assistant secretary at the Homeland Security Department's Office of Cybersecurity and Communications. However, taking partnerships to the next level -- boosting them into a national cyber immune system -- means making efforts like DHS's Cyber Information Sharing and Collaboration Program more than just anecdotal examples, Stempfley said.

"When I think about what we've been successful in today and the breadth of what we're facing, what strikes me is that the future is about scale," she said, highlighting the CISCP program. "We're able to bring together pieces of information from across a number of sources and turn that into actionable threat indicators for use by the community. We average 26 indicators a day, which isn't a trivial amount. But how do we take these partnerships, ensure they're two-way, ensure they have the [necessary] trust, ensure the open dialog and engagement ... at the scale of problems like the Internet of things? We have to make sure we take structures and mechanisms in place and make sure they're successful."

Donna Dodson, division chief of NIST's computer security division and acting director of the National Center of Cybersecurity Excellence, pointed to programs like NIST's National Strategy for Trusted Identities in Cyberspace, which establishes a shared ecosystem for cybersecurity. They key is partnership that promotes collaboration as a means to move forward -- as an immune system and as an economy.

"It's a chicken-and- egg problem," Dodson said, noting that most people would agree that the use of something more secure than passwords is necessary today, but neither society nor government really have managed to move ahead. "The question is how do we get there? Because it's a security challenge, an interoperability challenge and an economic challenge all rolled into one. So we all need to partner together to change that culture and that kind of environment."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.


  • Shutterstock image: looking for code.

    How DOD embraced bug bounties -- and how your agency can, too

    Hack the Pentagon proved to Defense Department officials that outside hackers can be assets, not adversaries.

  • Shutterstock image: cyber defense.

    Why PPD-41 is evolutionary, not revolutionary

    Government cybersecurity officials say the presidential policy directive codifies cyber incident response protocols but doesn't radically change what's been in practice in recent years.

  • Anne Rung -- Commerce Department Photo

    Exit interview with Anne Rung

    The government's departing top acquisition official said she leaves behind a solid foundation on which to build more effective and efficient federal IT.

  • Charles Phalen

    Administration appoints first head of NBIB

    The National Background Investigations Bureau announced the appointment of its first director as the agency prepares to take over processing government background checks.

  • Sen. James Lankford (R-Okla.)

    Senator: Rigid hiring process pushes millennials from federal work

    Sen. James Lankford (R-Okla.) said agencies are missing out on younger workers because of the government's rigidity, particularly its protracted hiring process.

  • FCW @ 30 GPS

    FCW @ 30

    Since 1987, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group