This article can also be found in the Premium Editorial Download "Information Security magazine: Establishing an effective internal security pen testing methodology."
There are several pre-eminent facts that stand out when one is examining cyberspace. For starters, success in today’s dynamic cyberspace domain requires immediate access to and advanced awareness of leading-edge technologies and thought leaders. This becomes extremely important in a man-made domain where attacks are constant. Having the ability to determine what capabilities are available in commercial technology (COTS) to support government or private sector requirements is critical for cyberspace protection. Appreciating that the majority of this intellectual capital resides with the global communities of the private sector makes collaboration with industry paramount. In a domain that demands speed and where latency breeds contempt, how do we effectively bridge requirements with capabilities?
The interconnectedness of cyberspace with its man-made origins presents both enormous challenges and significant opportunities, neither of which has been effectively leveraged. With the advent of the Internet more than 40 years ago, we have created an environment where opportunity and risk coincide. Candidly, the public and private sectors share both risk and vulnerability. The value-add would be our ability to bridge the greatest possible combinations of technology and human skills against a clever adversary. So how do we tap into this global force for innovation sharing? How can we benefit from leap-frogging development between today’s seekers and where the thought leadership resides? Lastly, how do we challenge existing traditional perspectives? We need a mechanism to track and broker these good ideas and vetted solutions. This environment, which demands collaboration, can no longer endure lip service.
While numerous efforts exist to protect and understand this domain, most government investments represent “the wisdom of the moment,” which isn’t conducive to surviving in this domain. Therefore, the value of having advanced awareness of cyberspace thought leaders and their tools and solutions must be understood. The efforts of cyberspace require the concerted work of many. We must know where the expertise resides, which solutions and/or tools work, and for what purpose. Collaborating on technological challenges or gaps is also advantageous. Having a platform that tracks and matches cyber capabilities and their capacities will be paramount. This “trusted clearinghouse” would facilitate matching a seeker’s requirements with potential solutions from the solver community. This can be accomplished in a sanitized fashion if preferred. I successfully tested a proof-of-concept of this process during two major Department of Defense-related war games in 2010.
Assessments to date indicate that in cyberspace we have limited capabilities, both defensively and offensively. To address this issue effectively, we must be prepared to prevent an attack by exploring the outer bounds of existing capabilities and understanding what capacities exist beyond our traditional reach. Having advanced awareness of best-of-breed cybersolutions found in both the public and private sectors will be critical. A trusted clearinghouse will serve as the broker, providing and maintaining the bridge of awareness between seekers and solvers on operational, scientific, safety, and security needs.
In cyberspace, the best and worst indeed occupy the same time – the challenge of managing information age commodities with industrial age processes. Therefore, having the awareness or ability to vector requirements, ask questions, confront challenges, and propose new ideas or concepts seems non-traditional to many. Though not rocket science, and despite billions of dollars of investment and the concerted efforts of countless dedicated individuals, why does it still feel like we are losing ground? I believe we live in a time where distributed attributes rule. Traditional thinkers are unwilling to appreciate that cyberspace will challenge organizational constructs, and laws and norms will certainly suffer. The world today is hyper-connected, socially networked and incredibly global. It is sheer foolishness to assume the U.S. government has more answers in this domain than the private sector, or vice versa for that matter. Though the means by which we address cyber challenges from a technological or policy perspective is still evolving, regimented thought processes contribute nothing. Remember the cyber adversary only has to win once; we must win every time. Collaboration and awareness will leverage our odds! Let me be clear, cyberspace demands a mix of technical expertise at unprecedented levels. The true cost will be felt by not knowing “where to throw the pass” for cyber expertise.
There is huge value in having the ability to describe, locate, and match non-traditional innovators -- the many non-advertised new ideas and/or developments that meet current or future private- or public-sector cyber requirements. Knowing where the talent mix resides and leveraging a platform such as a trusted clearinghouse will serve to bridge seekers with solvers. In cyberspace, the best and the worst occupy the same time; wisdom and foolishness appear in the same age. This domain is about partnership. So if you want the right fix, include the right mix.
About the author:
Riley Repko is a senior research fellow at Virginia Tech providing strategic guidance to the University on cyber-specific issues and is also CEO of Trusted Cyber Solutions, which is developing the awareness engine to connect cyber seekers to solvers in real-time. Send comments on this column to email@example.com.
This was first published in June 2012