Playoffs Time: What Can Cyber Policymakers Learn from the NFL?

January 17, 2022

This blog series began by asserting that in the new year, given the obvious ineffectiveness of our current cyber policies it’s time for policymakers to begin focusing on issues that might really matter in terms of creating a sustainably secure system.  We then moved forward to identify two major areas where government could really make a difference but have spent comparatively little time and resources in addressing them – specifically workforce development and enhanced law enforcement.  These posts suggested a range of directions government could take in these areas to address these deficiencies both in the short and longer terms.

However, many in government, while largely ignoring issues like improved law enforcement and workforce development, instead focus on government regulation of industry as the answer. So, before proceeding with outlining a plethora of more practical and effective policies government could pursue, it is probably prudent to focus on why the default solution to cybersecurity (i.e., regulation) is – at least in its traditional form – inappropriate to successfully addressing the cybersecurity threat we currently face and will continue to face in evermore dire circumstances unless we fundamentally rethink our approach. 

So, in successive series of blogs we will discuss the following:

  • The long history of cybersecurity regulation and the fate that it has never been shown to actually enhance cybersecurity.
  • The core mythological assumptions of cybersecurity regulation and why they are inappropriate to the realities of the digital age and the cyber threats raised by digitization.
  • The fact that government regulation, in addition to not having a record of success, actually is often anti-security – yes, that means that the current regulatory structure is more harmful that helpful in terms of actual security.
  • There are more modern and appropriate methods to create regulations that, where appropriate (and regulation is appropriate in some instances), hold the promise of actually enhancing security.

But, before getting into these – admittedly wonky – discussions it might be helpful to start with the broader, basic discussion.  Specifically, we need to be clear what exactly we are talking about because the reality is that most cyber policymakers are – I’m sorry – old. Our cyber policymakers are, for the most part, digital immigrants who weren’t born into the digital age they currently live in. So, it may well be understandable they really don’t “get” cybersecurity and why it’s actually pretty different than traditional security discussions and why the fundamental changes brought on by the digital age require a fundamental rethinking of core issues such as the relationship between the public and private sectors. 

Given the digital immigrant status of many, if not most, policymakers, it is not surprising that they would go to the default answer of government regulation and assume that model –created in the 18th century – would be sufficient for the 21stcentury threats (including cybersecurity)

Personal note: I myself am, ah, well… old. – 70.  Ok, 70 and a half – well really 70 and 3/4 – I’m dealing with it. Maybe age itself isn’t that much of an excuse. Hopefully you can teach some old dogs some new tricks. But I digress.

Most cyber regulatory structures are comprised of a list of government directives. The essential model is for industry to go through the government-determined list of requirements and check them off as they comply. In earlier eras, cyber checklists were state of the art. In the early days – say at the turn of the century – these modalities were the best we could do. However, early cyber-attacks may have been fairly generic in nature, and hence generalized procedures could be expected to mitigate them. However, the attack community has long ago moved on to uniquely designed attack methods often using “designer malware” crafted for a specific attack. So, while generalized frameworks might be helpful to fend off unsophisticated attacks – and can provide the basis for more sophisticated structures – simply following good “hygiene” (usually an undefined term) will not be sufficient to address the attacks we really need to focus on within a rick management structure. 

For this reason (as well as several others), designing an effective cyber risk management design cannot be expected from a generic set of federal or state regulatory mandates – that 20th century variation of the model was designed to regulate more stable issues such as product safety. So, for example, once you had determined the correct amount of lead to allow in the paint for children’s toys, or the proper degree of friction to make car breaks effective, you were good to go. So long as industry followed the specified requirements, we were safe. The purpose of government oversight was to police bad actors who were not complying with the proper design requirements. Essentially, the targets of the regulations were those engaged in corporate malfeasance.

However, in the cybersecurity domain, simply following the guidelines does not mean you, or the public, are safe. The issue is not that the products the companies are making are unsafe, it is that the companies are under attack—often by very sophisticated attackers. In fact, the government itself is attacked just as readily as industry and presumably the government follows their own guidelines (actually they often don’t – a separate discussion for later).

In the cyber world, we cannot rely on the outdated consumer product safety model because we are dealing with an entirely different problem.

We need to evolve a new model wherein defensive strategies have to be aligned to unique threat perspectives of the targets, understanding that these may well change.

By analogy, traditional cyber defense conceives the defensive structure sort of like a dyke. If properly maintained the dyke will prevent compromise and we will be safe.

Cyber defense is actually much more like a football game.  In football the offense comes to the target with a carefully designed plan of attack. Where it is ready to engage, the first thing it does is observe the target’s defense. At that point, it often alters the attack to account for the specific defenses it sees. The attack then proceeds in conjunction with numerous fakes and false indications. The casual fan might think this is just the quarterback faking a handoff before throwing a pass, but actually the fakes and false fronts are happening all over the field. The linemen are engaged in various “stunts” to fool those who are blocking them, and the defensive backs are disguising “man” coverage with complicated zones. Meanwhile the offense is running “fakes” and crossing patterns only sophisticated players in the system can detect – all designed very carefully to mislead the defender away from the real attack.

And all that is just football. In the field of cyber-attacks, the stakes are far higher, and the sophistication of the attacks is much more complicated. In the cybersecurity world, the goals are far more than reaching the Super Bowl. The goals of cyber attackers are to steal trillions of dollars. Or, in the case of Russia, the undermining of the entire democratic system (not just in the U.S. but everywhere). Or China, where the goal of the multi-trillion dollar “Digital Silk Road” program is to fundamentally change the world order from the U.S.-western European-dominated system that has existed since the two world wars and to replace it with a Sinocentric system – and they are making real progress.

And much like the cyber world, that attacker in football (the offense) almost always succeeds. It is unusual for an offensive play not to gain yardage. It is also unusual for an offensive team (think, attacker) not to reach their goal –and score. Of course, they don’t do it on every play – but they don’t have to succeed on every attack – just like in cyberspace.

All this is pretty comparable to cybersecurity. The attackers will almost invariably score because defense against them is so hard. The defense needs to mitigate these losses as best as possible and attempt to win the broader contest with a grander overall strategy.

Sadly, we in the U.S./West don’t have such a strategy, and our policymakers seem more interested in discussing the hours between in attack and report (to undetermined benefit) than in creating a sophisticated defense.

In their recently published book The Fifth Domain, Dick Clarke and Robert Knake – two people who would know – comment that we essentially haven’t changed our cybersecurity strategy since the Clinton Administration.

I have to agree with Clarke and Knake, and that needs to change.  Putting more focus on improving law enforcement and developing a capable cyber workforce are good first steps, and stepping away from the default regulatory approach to cybersecurity is another move in the right direction. Subsequent posts will detail specific design flaws in cyber regulation.  Time to kick-off a new direction in cybersecurity.