Cybersecurity is a young and immature field, but it cannot remain so for much longer. We are at a point in time when it is clear that the future will be dramatically different just on basis of technologies that are already in the pipeline. Faster communications, faster computers, mobility with smarter devices, cloud computing, massive data stores, and many other technology trends are not science fiction but reality already being played out.
However, there is no clarity but just uncertainty about what will eventually emerge in the next five, 10 or 15 years. As technologists, it behooves us to develop some foundational principles as we look ahead to cybersecurity in this very challenging environment. There are two principles that I believe are intrinsic to the future of cybersecurity.
Security vs. Productivity
The first principle is that security cannot hold back productivity. Technology that makes us more productive will get deployed and used even if it makes information less secure.
This simple-sounding principle has profound implications. In a fast-changing world with new technologies constantly emerging, we will always be susceptible to compromise and leakage of information in new ways. Therefore, cybersecurity cannot just be about protecting information, but it must address the bigger goal of protecting the overall mission and purpose of the organization.
For example, the compromise of a few user accounts in an online banking application is quite manageable in dollar terms, since the cost savings of having most of the customers online outweigh these losses. The much bigger concern should be loss of confidence in the bank by a large fraction of the customers who may walk to another bank, or those who may walk because levels of security create inconvenience. These concerns, among many others, balance out, leading to different offerings in the marketplace.
This leads us to the notion that eventually the marketplace decides how much security versus risk society will tolerate in cyberspace. The analogy is to mechanisms such as stock values that determine the “true” worth of a company. However, the information on which security-risk tradeoff is assessed is much less mature than the information that drives the stock market.
Risk to the individual may be underestimated by naive consumers who believe the “bank will take care of security.” We have seen safety become an important factor in the automobile market — but only after significant effort by consumer advocates. Similar evolution is likely to occur in cybersecurity.
The marketplace, however, does not solve problems of systemic risk. Financial markets are historically prone to periodic meltdown, the most recent of which we are currently living through.
While the consumer has many choices of automobiles in the market, we are faced with dependence on oil and possible damage to the environment that is not sustainable. In cybersecurity, the market may be the best means to decide security versus rick issues at the individual level, but it may expose us to systemic risks leaving the system vulnerable to organized and well-funded attackers on behalf of nation states or terrorists.
How do we, as a society, address this problem? Who will be the regulators or defenders against such systemic attacks? One of the big challenges to our society is to figure out answers to these challenging questions that are deployable within existing political and social structures.
Do we wait for a 9/11 in cyberspace before we take these questions seriously? Can we be proactive in addressing these threats? To summarize, the proliferation of new compelling cybertechnologies drives us to market-based resolution of security-risk tradeoffs, but it leaves us increasingly vulnerable to systemic risks.
The second principle is that cyber and physical space will be increasingly entangled to the point where our activities and their impacts will seamlessly transition from one to the other.
Cyberspace came into existence as a means to support our activities in physical space. Data maintained in cyberspace reflects physical reality and helps us control it. This is especially evident in applications such as inventory control, supply chain management and online retail.
Cyberspace is also a container of information and knowledge, and a facilitator for their creation and dissemination. With the coming proliferation of sensors — be they stationary or mobile — cyberspace will increasingly capture data about the physical and social world. This will enable new applications and services that we can hardly dream of today.
By the first principle, there is no question that these will get deployed, regardless of privacy and security risks to the information. The productivity gains will drive adoption. With this tight integration, attacks in cyberspace will more readily spill over into physical space.
The U.S. military, as often is the case, is the first to explicitly recognize this, and it has declared cyberspace to be a war-fighting domain at the same level as land, sea, air and space. This has profound implications for cybersecurity.
Cybersecurity can no longer be delegated to the IT folks or the network administrators; it must be dealt with holistically in the context of the overall mission and objectives of the enterprise across cyberspace and physical space.
Our field is about to get a lot more complex than most of us are used to. We will need cybersecurity professionals with the depth of technical expertise we expect today and even more.
We will also need these professionals to have the understanding of their organization’s purpose and mission, and how to relate to these as part of the cybersecurity function.
Ravi Sandhu is executive director and chief scientist of the Institute for Cyber Security, UTSA.