The Digital Big Bang. Phil Quade
Cyberspace is characterized by a massive convergence of people, technology, and data on an exponential scale. The model would suggest that this convergence occurs on any given layer and between all the layers. More importantly, when you connect to cyberspace, it may be understood that the whole of it connects to you. Security professionals strive to reduce or mitigate unwanted connections, but the drive to connect is an unstoppable force within cyberspace. This leads to the increasing use of the term IoT to describe a seemingly inexorable trend to connect everything to everything—refrigerators, cars, power plants, and more—all connected to, in and through cyberspace. As a result, system designer and user choices about whether and how to connect must be driven by an up-front consideration of the implications of convergence versus an approach that says “I'll solve that problem when I get to it” (users get that problem when they connect to it). Furthermore, as previously noted, convergence and geography do not easily mix in a world that applies distinct and different rules based on physical location. Cyberspace will require both collaboration and normalization across these boundaries, though clarity on the part of those wielding jurisdiction based on geography regarding locally expected behaviors and consequences would be a valuable down payment to reconciliation across locales.
Wealth, Treasure, and More
Cyberspace quite literally contains—more than simply referencing or coordinating the management of—wealth and treasure. And given the enormous efficiencies offered in synchronizing the aspirations and actions of both people and systems, cyberspace is increasingly used to coordinate and carry out essential functions of critical systems, from electrical power generation to financial markets to diplomacy, collaboration, and even the conduct of war. As noted by Dr. Mark Hagerott of the United States Naval Academy's Cyber Center, a transformation in human affairs is taking place in which sensing, thinking, and acting, even in physical space, are increasingly delegated to the web of hardware and software serving human endeavors across the length and breadth of cyberspace. Humans' natural desire to impose rational controls on the result will succeed only if we move beyond creating rules about technology to crafting broader rules of governance for the interaction of people, technology, and systems (taking into consideration rules and policies rooted in geography).
Ever Changing, Never Secure
The impressive performance of technology in massively improving processing power, bandwidth, and user experience across the past 50 years of the silicon revolution is widely understood as an iconic representation of the times (sometimes referenced as Moore's law for hardware, but there have also been exponential improvements in software, visualization, and the collaboration that collectively aids in pushing cyberspace capacity to new heights). Less well appreciated is the fact that changes in features, capabilities, and behaviors are driven as much or more from the bottom up as from the top down by a virtual army of entrepreneurs. The result of this and unsynchronized changes in user behaviors and software (which often lag behind or precede changes in hardware) make it almost impossible to define and impose a comprehensive and enduring description of how things behave, let alone work, in cyberspace. This can rightly be considered a feature for those who await the next marvel from their favorite technology providers, but this same attribute makes the prospect of defending the wealth and treasure held within cyberspace, and the critical systems and processes dependent on the resilience and integrity of cyberspace, a virtual tail chase. Every change to technology, software, or user behavior portends a possible tear in the fabric of security overlaying the whole. The reality of this inexorable and unsynchronized change offers a fundamental choice as to whether security will be considered as a primary or a secondary feature in the continued transformation of cyberspace. This author suggests that it must be the former and that the security implied by the services of confidentiality, integrity, and availability must be thoroughly considered when any technology, service, or capability is being designed or introduced. Moreover, security must consider all of the contributing factors, encompassing all five layers of the model. 
Issues of policy, law, and ethics attach to the people and geography layers, which cannot be separately defined from the middle three (technology-only) layers.
But although the challenge of securing cyberspace may be a bridge too far, it is a domain of extraordinary interest that can and must be made defensible and, in turn, actually defended and supported through the employment of means and methods both in and outside of cyberspace itself. Useful analogs may be found in other complex manmade systems, such as those employed by the aviation industry, which has, over time, introduced a system of both technology innovation and governance that fosters continued transformation and capacity generation while imposing a requirement that the security implications of each new addition be considered and thoroughly engineered up front and by design, rather than after the fact. Cyberspace would do well to emulate this approach, though the immediate problems will be that domains do not govern themselves and that the present roles and responsibilities for driving and implementing security solutions remain fractured across organizations and sectors.
As stunning as the changes wrought by cyberspace have been to date, trends suggest an even greater transformation ahead. The pace will only increase anywhere and, increasingly, everywhere on the planet. And while the cyberspace domain can and must continue to be an engine of innovation and a means of global collaboration in support of private or public interests, the opportunities afforded by these trends must be accompanied by the exercise of responsibility across engineering, operations, and governance in fair measure to the value that is derived from, stored in, and leveraged from cyberspace.
ABOUT THE CONTRIBUTOR
John C. (Chris) Inglis – Former NSA Deputy Director
Chris Inglis is a former deputy director of the National Security Agency, currently serving as the Looker Distinguished Visiting Professor of Cyber Studies at the United States Naval Academy. He began his career at the NSA as a computer scientist in the National Computer Security Center and was promoted to the agency's Senior Executive Service in 1997. While at the NSA, he served in a variety of senior leadership assignments, including eight years as its chief operating officer, responsible for guiding strategy, operations, and policy.
A 1976 graduate of the US Air Force Academy and retired Brigadier General in the US Air Force, Inglis holds advanced degrees in engineering and computer science from Columbia University, Johns Hopkins University, and the George Washington University. From 2014 to 2018, Inglis served on or co-chaired Department of Defense Science Board Studies on cyber-resilience, cyberdeterrence, and cyberstrategy. He is a member of the Strategic Advisory Groups for the United States Strategic Command, the Director of National Intelligence, and the National Security Agency. Inglis is a managing director at Paladin Capital Group and serves on the boards of FedEx, KeyW, and Huntington Bank.
SECTION 2 ELEMENTARY SHORTFALLS: THE THINGS WE DIDN'T GET RIGHT AT THE BEGINNING
Because the Internet represents one of the most astounding innovations in the history of human evolution, its originators are often so revered that their staggering shortsightedness gets a pass. But when we pause to reflect, it is baffling that such visionary computer scientists—whose insights into the power and possibility of digital connectivity were powerful enough to change the course of history—could overlook or not address the most basic question about their invention: what if this really catches on?
It is sadly ironic that the three things that cause the most havoc in the cybersecurity domain are ones that network operators have the most control over.