The economics of a national cyber immune system

White House cyber czar Michael Daniel does not buy into the Hollywood doomsday hype of the so-called cyber Pearl Harbor. But he does wish it wasn't the bad guys pulling in blockbuster revenues in today's real-world cybersecurity battles, while governments rack up billions in bills.

As the National Institute of Standards and Technology prepares to release a formalized version of its cyber framework around Feb. 13, many in the federal cybersecurity community are looking to what's next. Much of what is ahead builds on yesterday and today, including information-sharing efforts that officials say are better than they used to be but still need to be improved in order to reverse the economics of cybersecurity and build healthier networks.

"How do we flip the economics in favor of the defender? Right now the underlying economics -- not only the structure of cyberspace, but the economics of cyberspace -- favor the attacker," Daniel said Jan. 29 at the Cyber Innovation Forum in Baltimore. "Simple, cheap attacks are used multiple, multiple amounts of times to generate huge amounts of revenue for the bad guys, whereas it takes us lots and lots of money to propagate defenses across the network. That's not a sustainable, tenable place to be."

Change hinges on what Daniel termed a cyber immune system for federal networks. Comparing cybersecurity to public health is not new -- tackling viruses being a prime example -- but according to Daniel, building an immune system requires going beyond technology and achieving engagement across the government, industry and general public.

"How do we encourage the broadest possible implementation -- in other words, how do we get everybody to get their flu shot?" Daniel said. "Most of the problems that we face are usually not solely about the technology; they're about the people and about how people use the technology. So the solution ... is going to have to involve getting the people part right, not just the technology."

There are good examples of that in place, according to Bobbie Stempfley, deputy assistant secretary at the Homeland Security Department's Office of Cybersecurity and Communications. However, taking partnerships to the next level -- boosting them into a national cyber immune system -- means making efforts like DHS's Cyber Information Sharing and Collaboration Program more than just anecdotal examples, Stempfley said.

"When I think about what we've been successful in today and the breadth of what we're facing, what strikes me is that the future is about scale," she said, highlighting the CISCP program. "We're able to bring together pieces of information from across a number of sources and turn that into actionable threat indicators for use by the community. We average 26 indicators a day, which isn't a trivial amount. But how do we take these partnerships, ensure they're two-way, ensure they have the [necessary] trust, ensure the open dialog and engagement ... at the scale of problems like the Internet of things? We have to make sure we take structures and mechanisms in place and make sure they're successful."

Donna Dodson, division chief of NIST's computer security division and acting director of the National Center of Cybersecurity Excellence, pointed to programs like NIST's National Strategy for Trusted Identities in Cyberspace, which establishes a shared ecosystem for cybersecurity. They key is partnership that promotes collaboration as a means to move forward -- as an immune system and as an economy.

"It's a chicken-and- egg problem," Dodson said, noting that most people would agree that the use of something more secure than passwords is necessary today, but neither society nor government really have managed to move ahead. "The question is how do we get there? Because it's a security challenge, an interoperability challenge and an economic challenge all rolled into one. So we all need to partner together to change that culture and that kind of environment."