Monday, July 20, 2009

Toward a collaborative community for cyber defense?


[UPDATE — March 11, 2015: This update is prompted by just now reading Frank Cilluffo & Sharon Cardash’s “Obama’s cybersecurity initiative: a start but businesses – and individuals – need to do more” (2015). They report that progress is indeed underway “to encourage the private sector to share information to better defend against cyberattacks.” One objective — much in the spirit and substance of this blog post — is to create Information Sharing and Analysis Organizations (ISAOs) that can “serve as focal points for cybersecurity information sharing and collaboration within the private sector and between the private sector and government.”

This White House initiative lacks the status of legislation — it’s an executive order — and corporate compliance remains voluntary. But it’s still a strong step, building on the fact that “collaboration between and among private entities is already underway” — Cilluffo & Cardash give various examples. I am especially heartened to read that “a group of US companies (including McAfee and Symantec) are banding together to form a “Cyber Threat Alliance” which aims “to disperse threat intelligence on advanced adversaries across all member organizations to raise the overall level of situational awareness to better protect both the ... organizations and their customers.”” That definitely fits with this post’s theme: toward a collaborative community for cyber defense.

In addition, I want to add a quote that bears on the topic at hand. It’s from Edmund Burke, Thoughts on the Cause of the Present Discontents (1770): “When bad men combine, the good must associate; else they will fall one by one, an unpitied sacrifice in a contemptible struggle.” (source) ]

[UPDATE: August 30-31, 2009: I’ve added additional updates in a few spots again, including an addendum at the very end, as indicated by brackets. But so much new activity is suddenly afoot, related mainly to the release a couple days ago of a revised draft of the Rockefeller-Snowe bill for comprehensive cybersecurity legislation, that this should be my final update for this post. It now risks becoming overloaded with updates; if I have more to say, it should go in a new post. For a good guide to what’s currently happening in terms of reactions to and questions about the new bill, see today’s post and related links at Tim Stevens’s Ubiwar blog and subscribe to his periodic “Infobore” posts.

Besides, a few days ago I added so many updates to this post and to a prior post about Mexico that a Google machine has alleged that this may be a “spam blog” and placed it under review, while making me go through extra steps to do any posting in order to prove that I am not a machine. I’m amused to suppose that this may be another sign of the “end times” as discussed in an earlier series of posts about millenarianism, also briefly updated today.]

[UPDATE: July 22, 2009 — Many thanks to editor Dion Hinchcliffe for excerpting this post in Social Computing Journal today. Also, I’m adding new references in an updates paragraph later in this post.]


The previous post addressed the concept of collaborative community (or whatever it should be called). One policy area where it appears to be amiss, much in need of improvement, is cyber security.

This post addresses that topic. But readers beware: What follows amounts more to a set of sketchy, inconclusive notes than to a solid, well-structured essay based on an expert literature review. I’ve even wondered about shelving it. Yet, it represents a lot of new work on my part, and I’d rather store it here as a reference point for follow-up posts I might do in the future. Besides, it does contain some points worth posting.

* * * * *

The last time I tried to be current on cyber security was in 2003-2004, while preparing an epilogue to update an article for publication in Japan. By then, in writings with John Arquilla about cyberwar and netwar that began in 1992, we had elaborated on our basic maxims that: “Institutions can be defeated by networks. It may take networks to counter networks. The future may belong to whoever masters the network form.” (1993, p. 40) And these maxims seemed as applicable to cyber security as to other matters that concerned us back then.

In particular — and I will stick to the following three themes throughout this post — we had urged that the U.S. government needed coordinators more than czars (see Appendix A below). We had recommended hybrids of hierarchies and networks to improve interagency coordination (see Appendix B). And in 2003 I optimistically thought that the networks taking shape for cyber defense would continue engaging a range of skilled specialists outside the government, exemplifying public-private partnership (see Appendix C):

“In sum, the United States is evolving a rich, diverse, internetted organizational ecology. Government offices and agencies keep growing, but for-profit and non-profit firms and civic-minded NGOs keep growing as well, even faster — and all are engaged in formal and informal efforts to build webs of cooperation. And that organizational evolution, as much as technical expertise, may prove the best defense against attacks on computer systems, and the best promise for assuring freedom and privacy along with security.”

Thus the actors involved appeared to be well on their way to coming up with multi-tiered, nimble, resilient, adaptive, robust mechanisms for dealing with attacks. A kind of collaborative community seemed to be growing for cyber security.

* * * * *

Today it’s not clear that cyber defense has advanced well in this direction. It’s not my area of expertise; and despite some new reading and chatting, I remain barely updated. But I’ve learned enough to become pessimistically perplexed. Organizational dynamics — formal and informal, governmental and beyond — appear to be more bollixed up than ever.

First, all parties seem to understand that Washington needs a coordinator more than a czar. Yet, we continue to seek czars and czarist solutions. Many officials and analysts — especially the media — can’t stop using the term, reinforcing the tendency. “Where is our cyber-czar?” wails a recent Washington Post editorial! When pressed, all actors may admit that what’s needed is a chief coordinator, not a czar. But a longing for hierarchy and centralization — and hence the czarist lingo — keeps reasserting itself. It’s understandable, but not a good sign.

Second, all parties agree that better interagency cooperation is essential. And efforts to achieve that are repeatedly made, or at least talked up. But turf battles, agency mismatches, classification and other information-control issues, and communications-technology incompatibilities keep getting in the way. And of course, it’s difficult to make progress when it remains uncertain where the key coordinator may be located.

Third, all parties agree that greater public-private cooperation is essential. And mechanisms like US-CERT and the CERT Coordination Center, as well as the SANS Institute’s Internet Storm Center (ISC), help meet this challenge, perhaps better than I realize. But “public-private” appears to refer mainly to “industry,” to large businesses more than small ones who could be helpful in an emergency response, and to subcontracting more than networking. It’s not clear that collaborative networks are still being developed that include an array of specialists from all sectors.

A result of these dysfunctional twists and turns has been to locate the key cyber-security center — lately, the National Cybersecurity Center (NCSC) — in a suboptimal place, first DHS and next (almost) the NSA. If constructing a broad-based collaborative community is desirable for cyber defense, moving the key center from DHS to NSA is inadvisable — as former NCSC Director Rod Beckstrom’s resignation letter indicated in March. [UPDATE — August 12, 2009: Points he made appear to be reiterated in two resignations this month, first by Melissa Hathaway, the White House's acting senior director for cyberspace, and now by Mischel Kwon, the director of US-CERT. See this discussion at the IntelFusion blog.]

As befits a change of administrations, a new round of initiatives is underway to rectify these matters. They call for creating a new key office — led by a Cybersecurity Coordinator — in the White House, along with new mechanisms for interagency and public-private cooperation. This latest round gained impetus from a CSIS commission report last December, and a draft bill proposed by Senators Rockefeller and Snowe this April. It progressed with the release of a “Cyberspace Policy Review” by the White House, along with remarks by President Obama, in May. Then, in June, the Defense Department created a new command for cyberspace — USCYBERCOM — inside Strategic Command (USSTRATCOM). Next up, later this month, should be a revised bill from Senators Rockefeller and Snowe that takes interim comments and criticisms into account. Thus, a lot of striking organizational changes are underway, with more to come.

* * * * *

Meanwhile, a curious new trend in strategic thinking is growing, parallel to these developments: a claim that cyberspace is as much a part of the global commons as air, sea, and outer space. This means that cyberspace is a kind of collective good, even a global public good. It also means that access to, if not command of, this new commons is essential for America’s power in the world, and that cyberspace must be defended against state and nonstate threateners. According to its early proponents, Michèle Flournoy and Shawn Brimley (2008, p. 136), “America must take a leadership role to ensure that access to the global commons remains a public good.” They have recently expanded on this theme as Pentagon officials.

Declaring a domain to be a strategic commons eases the way for asserting public over private interests. And that may have all sorts of implications. It might help with efforts to foster a “multi-partner world,” as Secretary Clinton urges. But it might also lead to a “cyber Monroe doctrine” or help justify unleashing an “af.mil botnet” (insensibly?) under other circumstances. Whatever the circumstances abroad, declaring cyberspace a strategic commons would surely bolster the organizational clout of cybersecurity officials within the U.S. government and over the private sector.

If/as this notion gains sway, it will surely generate controversy. Adam Elkus sees some Mahanesque qualities, but also that the “fluid and dispersed nature of cyberspace makes it impossible for one power to dominate.” Tim Stevens urges that cyberspace is too social to be viewed as a military commons: “cyberspace is not simply a strategic ‘domain’ like the sea or the air.” More to the point, a social movement is taking shape that views the information commons as a new realm for peer-to-peer social development; and it is sure to raise objections to a strategic military concept of this commons.

* * * * *

While my main concern is organizational, I don’t mean to disregard the many interesting technical fixes that experts recommend: The GAO has long pointed in this direction, as did an earlier commission on critical infrastructure protection. Moreover, Bruce Schneier has often pointed out that attending to “the boring network security administration stuff we already know how to do” would vastly improve our defenses. Sam Liles has offered his own list of what-to-dos for securing the Internet; he even proposes installing a system of “sentinel and centurion nodes around the world.” Ethan Zuckerman has suggested that ISPs exclude compromised computers that the ISPs know to be on their network. And elsewhere, Dorene Kewley, John Lowry, and others with the DARPA Information Assurance Program have raised innovative ideas for “dynamic network defense” and “defense in breadth” for protecting computer systems.

Other ideas I’ve encountered are more in keeping with my organizational concerns. For example, John Robb says that “the US should be building a ‘Network Command’ and not a Cyber Command.” Evgeny Morozov warns, “The problem with the current approach to cybersecurity is that by miring it in unnecessary secrecy, we are shrinking, rather than growing, the number of eyeballs that can find and fix those bugs.” Peter Hodge, criticizing a recent U.K. document on cyber strategy for being too top-down, suggests organizing “networks of small and ad hoc groups of experts, loosely tethered to government but operating autonomously within a general framework, which come together for particular aims and dissolve or reconstitute once the aims have been achieved.” And Michael Tanji insists, “We don't need a czar, we need someone with a lot of betweenness and closeness (in social networking terms) to make sure that people who need to are talking, sharing, and collaborating as they best see fit.” Indeed, new approaches, like “social software” for “collective intelligence,” are under construction that could help organize such collaborative attention.

I like all these ideas. There is no dearth of ideas worth heeding.

[UPDATES (Last updated August 30, 2009): In addition, Gene Spafford has provided lots of interesting posts on cybersecurity, including on legislative matters. So has Bob Gourley. Jeffrey Carr has created Project Grey Goose; Shane Harris has written about the Defense Industrial Base (DIB) initiative for providing intelligence to private industry; and Jonathan Zittrain has extolled the North American Network Operators' Group (NANOG) — three activities I didn’t know about that look like valuable expressions of collaborative community. Other interesting efforts at collaborative community appear to include The Shadowserver Foundation and The U.S. Cyber Consequences Unit (US-CCU). Also see the exchange between US-CCU’s director Scott Borg and IntelFusion’s Jeffrey Carr here. Meanwhile, Sam Liles and Adam Elkus have expanded anew on their views. Paul Strassmann has posted a draft paper about "Cyber Security for the Defense Department." Ron Deibert, who is with Citizen Lab and Infowar Monitor in Canada, urges seeing that “cyberspace has now become a domain equal in importance to the other domains: land, air, space and sea,” and proposes finding “ways to protect and preserve cyberspace as a global public commons.”

Favorite recent remarks: Michael Tanji, arguing that “You don't fight a network with an org chart; you fight it with a competing network. That's why a cyber czar is a non-starter...” Marc Ambinder, adding that “the delay in appointing a cyber security coordination director at the National Security Council has contributed to the perception that the White House is a few nodes short of a hub.”]

* * * * *

These efforts to update my sense of cyber security have not led me to come up with new proposals of my own. But they have reassured me about the enduring value of this post’s starting points: We need a central coordinator, not a czar — and the sooner we drop czarist lingo, the better. We need new, better mechanisms for interagency and intergovernmental coordination — and at least there is ferment in this direction. Third, of most concern to me, we may need to rethink public-private collaboration, so that it grows as a kind of far-reaching collaborative community.

I say “may” because, so far, I’ve not been able to gain a good understanding of the current nature and status of public-private cooperation in this area. If it mostly amounts to government, plus selected industry, and not much else, I’d suppose there are grounds for concern about our being able to defend against a sophisticated cyber attack. The kinds of threats I have in mind — I’ve not spelled them out in this post, for others have contributed plenty of scenarios — would surely require lots of “eyeballs” to dissect, etc. And coming up with a good response might also require a bit of serendipity. Indeed, responding to a sophisticated cyber attack may require something of a stochastic process [that is also stigmergic]. And the likelihood of that being successful should increase by making sure we have a broad-based collaborative community in place that reaches into all sorts of sectors, ready to be mobilized. Surely this is not a novel notion (see Appendix C for past examples).

These challenges are not unique to cyber security. Washington has steadily acquired — and evidently required — more “czars” than ever. Each is a function of some bureaucratic dysfunction, in one complex issue area after another. Similar concerns about interagency, intergovernmental, and public-private collaboration afflict them all. However, one notion may make cyber security unique in comparison to these other issue areas: the notion that cyberspace is a strategic commons. That line of thinking may bear a lot of watching and maneuvering, for it could have negative as well as positive consequences.

In sum, cyber defense is important on its own merits — right now. But it’s also interesting as a long-term challenge because it may well be one of the pivotal proving-grounds for America’s evolution to developing a cybercratic nexus state that will rule through “government by network” as well as by tribe, hierarchy, and market. Hopefully, this next stage in the nature of the state will be characterized by “guarded openness” and “collaborative community” — but that’s likely only if we get cyber security right.

Onward.

* * * * *

Appendix A: "We need coordinators, not czars." (circa 1996)

The following excerpt from John Arquilla and David Ronfeldt, The Advent of Netwar (1996, Ch. 5, titled “Challenges for U.S. Policy and Organization,” p. 86) reflects our early preference for coordinators over czars, in keeping with our broader view that it takes networks to fight networks. However, I would not persist with the Khan notion that the excerpt mentions.

Exasperation with the operational, bureaucratic, and the various other difficulties of dealing with terrorism, narcotics trafficking, and similar threats, now including those in cyberspace, normally leads to calls to create a “czar” for that threat domain. This may be muted by avowals that, yes, it should be an interagency czar who is skilled at coordinating. But the call — so well symbolized by the very term “czar” — still tends to signify the creation of a hierarchical superior who can centralize disparate activities. And that is part of the problem, as former senior U.S. official Paul Strassmann notes:

“I never understood why everybody called the top man “czar” and not emperor, eminence, lord, majesty, king, pope, kaiser, governor, caliph, shogun, sovereign or shah. I guess that the notorious czarist profligacy, incompetence, inability to govern and dismal endings were the fate to wish on the reigning data center monarchs.” (Strassmann, 1995, p. 479, footnote)

Management literature increasingly makes the point that information-age organizations should move away from hierarchical, centralized designs, toward ones that emphasize heterarchical teamwork (e.g., Drucker, 1993). Some of this literature points out that some multiorganizational problems may be best addressed through informal network designs that emphasize “coordination without hierarchy” (Chisholm, 1989), or designs that are tantamount to what are called “virtual corporations.” In this vein, business-oriented literature that talks about the future as the “Age of the Network” puts the focus not on czars but on coordinators:

“[T]he person who makes particular networks happen is the “coordinator.” . . . Coordinators appear everywhere in the Age of the Network. . . . Networks began developing new leaders long before computers enhanced their reach. In a richly connected environment where many potential projects are sparking, growing, diminishing, and disappearing, a new role arises, that of the coordinator, whose distinguishing characteristic is the ability to see “connections” among people.” (Lipnack and Stamps, 1994, p. 173)

Although czar-like leadership may be needed at first to ensure that the members of an interagency network are committed to it, coordinators are ultimately preferable to czars. But if we must use a catchy term, would “khans” not be preferable to czars? Unlike a czar, the Khan ruled with topsight. He saw the “connections” among the diverse, widely separated regions of his dominions. And he took a decentralized approach to leadership, rarely intervening in operations. He was a coordinator as well as a commander.

* * * * *

Appendix B: "It takes networks to fight networks." (circa 1999)

This excerpt is from a subsequent chapter with Michele Zanini as an additional co-author, “Networks, Netwar, and Information-Age Terrorism” (1999, pp. 55-56, italics in original). It reiterates our basic maxims:

Hierarchies have a difficult time fighting networks. There are examples across the conflict spectrum. Some of the best are found in the failings of governments to defeat transnational criminal cartels engaged in drug smuggling, as in Colombia. The persistence of religious revivalist movements, as in Algeria, in the face of unremitting state opposition, shows the robustness of the network form. The Zapatista movement in Mexico, with its legions of supporters and sympathizers among local and transnational nongovernmental organizations (NGOs), shows that social netwar can put a democratizing autocracy on the defensive and pressure it to continue adopting reforms.

It takes networks to fight networks. Governments that would defend against netwar may have to adopt organizational designs and strategies like those of their adversaries. This does not mean mirroring the adversary, but rather learning to draw on the same design principles of network forms in the information age. These principles depend to some extent upon technological innovation, but mainly on a willingness to innovate organizationally and doctrinally, and by building new mechanisms for interagency and multijurisdictional cooperation.

Whoever masters the network form first and best will gain major advantages. In these early decades of the information age, adversaries who have adopted networking (be they criminals, terrorists, or peaceful social activists) are enjoying an increase in their power relative to state agencies.

Counternetwar may thus require effective interagency approaches, which by their nature involve networked structures. The challenge will be to blend hierarchies and networks skillfully, while retaining enough core authority to encourage and enforce adherence to networked processes. By creating effective hybrids, governments may better confront the new threats and challenges emerging in the information age, whether generated by terrorists, militias, criminals, or other actors.

* * * * *

Appendix C: "The United States is evolving a rich, diverse, internetted organizational ecology." (circa 2004)

The following subsection is from the epilogue — titled “Epilogue: The Fight for the Future Continues (January 2004)” — for a reprint in Japan of an earlier article about networks and netwars. This was the last time I paid much attention to cyber security. And this is the first time this excerpt is posted in English.

Concluding Comment about Freedom and Security on the Net and the Web

The Internet and related networks are a new frontier for freedom and security. Many of the issues quickly become technical in nature, since they involve computer capabilities and vulnerabilities. Japan and the rest of Asia should be alert to conflicts on this “virtual frontier” — such as the back-and-forth, cyberspace-based attacks that seem to be occurring between Taiwan and the People's Republic of China. The Republic of Korea, one of the most wired nations in the world, also appears to suffer a steady stream of hacker attacks. These cases suggest a need for enhanced defenses — which we tend to associate with the widespread use of very strong encryption, rather than relying primarily on firewalls.

But technical fixes are only a small part of the solution, and we prefer to conclude by extending our organizational perspective: Protecting commerce, freedom and security on the Net depends not only on the development of (top-down) government policies and offices, but also on the (bottom-up) emergence of private-sector firms and civic NGOs that specialize in information-age issues, and finally on the abilities of all these organizations — in government, industry, and civil society — to cooperate, formally and informally, with initiative coming from whoever has impulse and reason. (12)

The United States is far from being a paragon of achievement in this respect, but it is headed constructively in this direction. In the first place, U.S. government efforts to assure the security of U.S. (and related international) computer networks have led, over the past few decades, to the formation of numerous special offices in all parts and at all levels of government. Some of the most prominent — e.g., the National Infrastructure Protection Center (NIPC); the Critical Infrastructure Assurance Office (CIAO); and the US Computer Emergency Readiness Team (US-CERT) — have been relocated to the new Department of Homeland Security (DHS).

All parties recognize that broad public-private cooperation is crucial for network security. This has led to the formation of other organizations for bridging between government and industry actors, such as the CERT Coordination Center (CERT) and the Internet Security Alliance (ISA). Meanwhile, the array of business and non-profit firms concerned with computer security keeps expanding; examples are the Internet Storm Center, Attrition.org, @Stake Inc. (formerly Hackernews), and the Gibson Research Corporation. In addition, research and analysis centers are being established in university settings.

Some of these computer-security organizations are designed for early warning and rapid response to emergency situations, others for identifying best practices and standards. Many of these efforts are also supposed to be concerned with freedom and privacy issues. But anyone interested in the latter is well advised to turn to another array of activist civil-society NGOs that have sprung up, such as the Electronic Frontier Foundation (EFF), the Electronic Privacy Information Center (EPIC) and Computer Professionals for Social Responsibility (CPSR), not to mention NGOs in other parts of the world. (13)

This is not a smooth system. Relations are often quite contentious among these varied government, business, and civil-society actors. Indeed, it is not unusual for some computer-security firms to criticize some government agencies or corporate actors for deficient performance in regard to preparing for and responding to hacker attacks. It is also quite common for some activist NGOs to oppose some government positions regarding privacy and freedom issues. However, such friction is not surprising, since the networking is creating links between sectors of society that were traditionally kept carefully apart: between what is civil and military, foreign and domestic, and federal, state and local.

In sum, the United States is evolving a rich, diverse, internetted organizational ecology. Government offices and agencies keep growing, but for-profit and non-profit firms and civic-minded NGOs keep growing as well, even faster — and all are engaged in formal and informal efforts to build webs of cooperation. And that organizational evolution, as much as technical expertise, may prove the best defense against attacks on computer systems, and the best promise for assuring freedom and privacy along with security.

Footnotes

(12) For example, read about the efforts to halt the debilitating Code Red worm in 2001 by an individual in the private sector who did take initiative: Steve Gibson, “The Register, Vmyths & My Code Red Advisory” (Gibson Research Corporation, July 30, 2001, at http://grc.com/codered/codered.htm).

(13) Each organization mentioned in this sub-section has a website, whose address usually consists of the organization’s acronym followed, as appropriate, by .gov, .com, .org, or .edu.

* * * * *

[ADDENDUM: “Part of the problem is the term ‘public-private partnership’.”

Pasted below is text from a comment I left at the IntelFusion blog, August 23, 2009, in connection with a post that day calling for inputs for a forthcoming book by the blog’s author. I'm leaving it here today (August 31, 2009) as a final update to this post:

I’d like to just posit a comment, irrespective of the more formal inputs you’re inviting.

Part of the problem may be the very term you emphasized in the former title of your final chapter: “public-private partnership.” This concept sounds so sensible, and it slides into place so easily in recommendations everywhere these days. But perhaps it’s an aging legacy concept, more suited to the passing industrial era than to the emerging information age, even though the latter’s proponents keep embracing it (which I’ve done at times too).

Consider its meaning(s): It divides matters into public (i.e., governmental) and private (i.e., business), as though they’re the only two sectors that exist. Good governance then mostly means finding the right mix of public and private measures to enable government and business, plus sometimes an occasional non-profit civil-society actor, to work hand in hand. And this usually ends up meaning key/big government agencies allying with key/big business corporations, often through subcontracting and outsourcing.

I doubt (and I hope others doubt) that this is the wisest direction to keep trying to go in. For one thing, the two-sector/public-private model is headed for obsolescence. An additional sector has been emerging for years now, though its nature remains unclear and it still lacks a good name (Drucker called it the social sector, and I like that name best so far; but others call it the third sector, the citizen sector, or the social benefit sector). Whatever, it seems to consist mostly of relatively small, agile, non-profit organizations that pertain more to civil society than to government or business, and that are suited to operating in sprawling collaborative networks with each other, as well as with traditional public and private actors.

While this deep re-organizational trend bears mainly on the future of social issues (e.g., health reform?), it may also be significant for cybersecurity, especially cyber defense. Indeed, the way I see matters, your Grey Goose Project is in this new sector.

I’m not disputing that the big government and industry actors have crucial roles to play. They do, and they must improve at operating in partnerships. But my country is going to need a multi-tiered, multi-sectoral cyber defense system (or set of systems) that is not adequately denoted, or properly motivated by, the prevailing notion of public-private partnership.


Onward.]