What I'm reading this week:
Cybersecurity in the Trump Administration: With the inauguration today, all eyes in the cybersecurity community this week have been on what we can expect from the Trump administration. There are still many unknowns, but a picture is emerging as nominations and approvals proceed. Among other details, cybersecurity has been a frequent topic in recent hearings, and nominees by and large have been focused on the issue, which is a good sign. It also seems likely that the new administration will continue to focus on incentivizing security, rather than mandating it.
One thing we don’t have an answer to yet, however, is whether and how the new administration will put aside partisan considerations and focus on how we can stop future influence operations from Russia and other actors. We have heard a heavy focus on threats to critical infrastructure, which has always been the priority in U.S. cybersecurity thinking. But with critical infrastructure targeting still mostly theoretical (the doomsday scenarios that so captivate public debate have–at least so far–failed to materialize), and national-level influence operations happening today, hopefully we will work to combat both.
I'm reading: "What Trump's Cabinet Picks Say About Cybersecurity."
Focusing Security Where We Have the Advantage: I have a piece in Dark Reading this week that draws security lessons from Admiral Rogers’ recent Senate testimony. It focuses on a distinction that Rogers drew between security designed to keep intruders out, and security designed to capture them after they get inside. Even today, we still heavily invest in efforts to keep attackers out, instead of efforts to catch them once they get inside.
This is problematic for many reasons, but the most significant is that attackers historically have an advantage when they are trying to get in (they control the environment and can hammer on defenders’ defenses until they crack), while defenders have an advantage once attackers are inside (because the defender controls the environment, leaving the attacker exposed). This classic “defenders’ advantage” doesn’t exist on the network today, because we don’t understand or control our networks as we should–if anything, attackers understand our networks better than we do. If we’re trying to turn the tables on attackers, we’ll make the most progress by investing where we have the advantage, not where they do.
I’m reading: “Cyber Lessons From The NSA’s Admiral Michael Rogers.”
Responding to Russia: Two interesting, contrasting pieces came out this week on how to respond to Russia. In one, Peter Singer suggests we focus on deterrence and resilience to stop future cyber-enabled influence operations. In the other, Jack Goldsmith argues that we are unlikely to be able to either protect our systems or deter further Russian action, and should instead try to incentivize Russia to back off through negotiation.
For my part, for all the strong arguments Goldsmith makes about how challenging both deterrence and increased security will be, I’m with Peter on this one. Given the spectacular success of their efforts during the 2016 elections, it’s not at all clear what we could offer Russia to get them to put this gun back on the mantelpiece. And even if they did, other actors will almost certainly follow in their footsteps, meaning that we must be ready to deal with this threat in any case.
I’m reading: