Read the first post of this series, "The State of the Cybersecurity Story: Signs of Progress – Part One."
Last week I wrote about progress in cybersecurity policy and practice over the last decade. Yes, the world is more aware today in part because stuff has gone pear-shaped in cyberspace over and over. Naturally, reporters have risen to the task and written story after story about it. There is a veritable cottage industry about what Russia did with the interwebs. But beyond improvements in daily media reports, we’ve also seen an up-tick in major book-length works.
This spring was no different. Today I want to flag three long-form works that indicate a positive, increased trend towards nuanced narratives and smart policy solutions. Long-form writing has moved beyond “cybersecurity is a problem and isn’t it terrifying?” to more nuanced analysis, historical writing, and clear recommendations. Anytime humans get smarter about an issue is cause for optimism.
So, what are the three big pieces from the spring and summer?
First is a no-brainer: the long-awaited release of David Sanger's book The Perfect Weapon in June. For those of you who know David or have followed his reporting in The New York Times, David is a scoopmaster. A long-time denizen of Washington and a professor at Harvard, he develops sources across the cybersecurity and national security community with such ease. He wins trust in part because he is a great writer. But he’s also avuncular and disarming. Any national security person should beware when he’s near.
And in true Sangerian fashion, he got scoop after scoop for The Perfect Weapon and again raised the issue of cybersecurity directly into the forefront of the nation's mind. (He did it with Confront and Conceal, too, when he broke this story.) His book peers into the policy process as Washington and other capitals confront the challenge and opportunities posed by cyberspace technologies. In his semi-breathless opening, he explores how cyber weapons can be used to legitimately defeat far more dangerous weapons emanating from rogue nations that threaten lives in the real world, like, for example, nuclear missiles. Read the excerpt here. For those more inclined to radio than reading, you can also hear his interview with Michael Krazney on Forum (and my five-minute surprise phone call into the program) here. While Sanger’s book is less policy prescriptive, it gives readers a clear sense of the rapid evolution of the threat and the world’s response.
The second item in this bucket of "hopeful knowledge creation" is far less well-known but speaks to an issue close to my heart. In April, New America Foundation scholar Robert Morgus published his report, Securing Digital Dividends. The aim is to help the international development community and governments in emerging markets to ensure the success of economic digitization by delivering effective cybersecurity. If that doesn’t happen, emerging digital economies will suffer from increased theft and attack – and the dividends of growth will be lost.
Morgus saw a hole and stepped in to fill it. The international development community has traditionally shied away from working on information technology, and Morgus argues that trend needs to change quickly and smartly if developing countries are to transition to knowledge-driven, middle-income status and reap their "digital dividends" of development. How will countries in emerging markets adapt cybersecurity best practices? What is the role of foreign aid in the process? This report can help countries and development institutions like the World Bank to bake-in cybersecurity at an earlier stage in the digitization process. By taking steps earlier in their digital story, companies and countries may be able to get ahead of the cyber risks that have faced the United States as it achieved mass Internet penetration.
The last publication I'd like to flag from this spring comes from Harvard’s Belfer Center – my long-ago place of employment and study. This summer, Belfer’s “Defending Digital Democracy” Initiative published the European version of its election handbook. Why is this important? Because what happened in the United States will soon happen in countries all over the world. No academic or non-profit organization is better positioned to make this contribution than Belfer.
Belfer has spent the last two years working with technology companies, national security professionals, and campaign officials from both parties to help secure the United States electoral infrastructure. Belfer has produced playbooks for how to manage cyber incidents and run table-top exercises on cybersecurity best practices with all of the offices of the secretaries of state. I attended their May table-top as an observer. It was inspiring: in addition to the committed staff and leaders from the offices of the secretary of state, leading IT professionals, and members of the national security community, Harvard master's students also volunteered to help. Some were at Harvard for their two-year military professional development training, which meant that some of the smartest and most well-trained officers helped run the exercise. The event ended with a hackathon where undergraduate and graduate students pitched their app ideas for how to blunt information operations. A few hundred well-meaning Americans from across the country in a room for two days trying to fix election security: hard to beat.
Then Belfer took its knowledge creation abroad in recognition that other countries may suffer similar problems in the future. That’s smart strategy. Belfer’s good work shows how civic institutions can play a part in educating the public and affecting change for organizations across the globe. That’s good cybersecurity news.
These are just a few publications that show maturity in the field.
Five years ago you wouldn’t find such in-depth publishing. We’re beginning to see the fruits of more than a decade of committed work by some of the country’s best and brightest strategic thinkers. And that increased knowledge is helping everyone learn about how and why they need to invest in resiliency measures to withstand cyberattacks.
This October, Cybersecurity Awareness Month can become a way to explore issues with greater depth.
It once seemed like a moniker to get security nerds their time in the sun (literally). Back in my Pentagon days, it was the month when folks took their online security trainings. Who could ever forget the vaguely anime-shaped faces of some of the characters on your desktop. "Heeeeyy there," says the character, "Can I borrow your ID? Gosh I left my badge at home, would you mind letting me in?" It seemed so basic – who would ever fall for this? But people do. The simplest forms of hacking and social engineering leave organizations vulnerable. Attackers often get through simple means.
The basics still matter. But Cybersecurity Awareness Month can become a way to explore issues with greater depth. Why not pick up Sanger’s book (or listen to him on Forum)? What good cyber articles are you reading? Drop me a line on Twitter @jonathanreiber.
October is also a good time for organizations to force decisions on investments and changes they’ve resisted to date. No time like Cybersecurity Awareness Month to make an investment. Need to tell your board that the company’s cyber posture needs an upgrade? Why not do it now? You have the world’s cybernerds at your back. And, thanks to the world’s increased awareness of the issues, you will have shareholders and boards at your back too. My septuagenarian aunts and uncles have been calling me about Sanger’s book. They say they’ve subscribed to WIRED. One even asked me about NotPetya.
Now organizations need to move from knowledge to investment. That has less to do with words and everything to do with leadership – which will be the subject of one of my next posts.