COVID is accelerating changes that could blur the lines between cybersecurity and national security.
We find ourselves in a digital world of disappearing boundaries and increasing speed. Today, most government agencies, companies, and organizations still run their own networks with their own devices. Over the last few years, chief information officers and chief information security officers (CIOs/CISOs) have been planning gradual moves to the cloud and bring-your-own-device (BYOD) architectures. This is sometimes referred to as “post-infrastructure” and COVID-19 has moved that timeline up by five years.
Military planners know that time can be a strategic asset or a major liability. The immediate result of a post-infrastructure world will be disappearing network boundaries and less visibility into what devices are running on them. There will also be increased demand for high-speed connectivity and 5G network infrastructure. Employers, including the US government, will have to grapple with how to deliver these resources while also protecting people at the individual level, including on their home networks and personal devices, while balancing privacy.
Post-infrastructure also means that every individual is a target and, therefore, a threat vector, greatly increasing the attack surface. There is no doubt that attackers will continue to change their tactics, techniques, and procedures to match the post-COVID paradigm. Unfortunately, security has not kept pace with the evolving threat. Additionally, as intimated above, individual and corporate security are becoming indistinguishable from national security.
As more critical systems come online, the focus of cybersecurity will have to move from just IT (which is how we mostly think about it) to a new realm of telehealth, digital finance, edtech, and other important services. The same can be said of critical national security systems like nuclear command, control, and communications (“NC3”) systems, which are undergoing significant modernization and re-architecture. The challenge, however, is that the private sector generally focuses on developing adequate security quickly, rather than the “near-perfect” security that these complex and essential systems require. What’s needed instead for critical systems is a combination of national security imperatives along with private sector speed.
One of the major problems in today’s national security thinking is that ‘cyber’ is treated as a warfighting domain without the recognition that it is radically different from the other domains. Cyber, unlike space, ground, sea, and air, is entirely human-made and almost entirely private sector owned/operated. That means product decisions made by tech companies create strategic facts that often outweigh national policy decisions.
Take the latest Twitter hack of Joe Biden and others as an example. It was conducted by phishing engineers who had internal account API access (which allowed Twitter employees to create tweets as if they were made by the account owner). This was a product, policy, and design decision by the company, not a technical flaw. While it turns out that the hacker was likely a kid who did it for some Bitcoin and the “lulz,” that could have just as easily been the prelude to an information warfare attack with serious national security implications. This should not be seen as limited to Twitter, either, because other infrastructure companies upon whom we increasingly rely for communications and collaboration are likely making similar product design decisions.
To solve these issues, the US government will have to move beyond hiring more technical talent and reforming acquisitions. These are necessary but insufficient. The tech sector needs to consider national security issues when designing their products and making business-level or internal policy decisions. At the same time, the government needs to more intimately understand the business dynamics that drive corporate and product decisions. Doing this will require national security leaders with business and product experience, rather than just technical expertise. Product managers are responsible for turning naked technologies into something actually usable. They also build the developmental roadmaps for organizations and make internal design decisions that have major impact.
The good news is that post-infrastructure means continued consolidation and outsourcing to just a few large tech companies, so improvement should be manageable (e.g., if you decide to run your network entirely on G-Suite, you’re basically leveraging Google’s cloud security infrastructure). National security leaders should consider doing the following:
- Build on the Enduring Security Framework to foster enhanced dialogue between tech execs and the government. This is necessary regardless of the current digital environment induced by COVID-19.
- Include more technical, product, and business information in the interagency process. It’s almost impossible to create meaningful policies without those elements, especially when many important decisions are being made outside of government.
- Find a way to routinely present national priorities to tech CEOs so they can factor those considerations into their product or business decisions. This can be via the framework above or by the designation of a specific “ambassador.”
- Create incentives for tech companies to protect individual consumers on their home networks and personal devices. This is a glaring deficiency and purely market-driven incentives have not gotten us there.
- Consider how to leverage the “foreign policy” apparatuses of private industry. It’s important to remember that the US is often not the largest market for multinationals.
- Spend stimulus funding on retraining the American workforce in areas like cybersecurity, data science, and robotics. We have to make sure that people are prepared to rejoin an industry that might look different from when they left.
- Make serious efforts to build and maintain the public trust in areas of security and technology.
Mike McNerney is the Co-Founder and Chair of the Institute for Security and Technology.