The Cyber Safety Review Board – the Prequel
It sounds a little conventional and almost routine to say it, but it’s true - I am really, really honored to be a member of the initial Cyber Safety Review Board (CSRB). A glance at the names involved makes it evident that this is not a ceremonial activity to write yet another lofty paper filled with earnest recommendations (Been there, done that, no T-shirt. But I did get a coffee mug!). Instead, it’s a serious and honest attempt to bring together multiple viewpoints and people who are responsible and willing to act.
Before our first meeting, I wanted to offer a few thoughts. These are just my personal opinions and do not reflect any CISA guidance or position of the CSRB.
The “wizardry,” do-it-yourself model of cybersecurity that I grew up with is excellent job security for old cats (like me), but it’s terrible public policy. It’s not repeatable, scalable, or even explainable to others. Over the last several years, our entire industry has started shifting to the “mainstreaming” of cybersecurity, from a technology/wizardry focus to risk management and decision-making. This shift can make wizards uncomfortable, but it is the correct answer for all of us: to see cyber risk through the same lens we use for other risky domains (transportation, safety, public health, etc.) – imperfectly, but with a mix of mandatory, market-driven, and individual actions, each underpinned by some level of science or analysis that is translated into action.
But while there’s a lot to learn from how we manage risk in other domains, cyber incidents and attacks are not the same as transportation events. Cyber attacks are frequent, often pervasive (because of shared technology, connectivity, and business relationships), and actively manipulated by a vast and complex web of criminal and national interests, riding on top of fragile, dynamic technology. We do not have general agreement on the cyber equivalent of building codes, construction rules, best practices, or acceptable credentialing. Moreover, in cyberspace, “root cause” is often in the eye of the observer: failure to patch, insufficient enterprise tooling for visibility and change control, lack of meaningful enterprise policy and enforcement, wrong priorities in the security improvement program, vulnerable architecture, poor programming practices by the IT vendor….? It goes on and on; pick your poison.
The CSRB is a unique opportunity for our Nation. With all respect to the fantastic people on the CSRB, I doubt that we will find some startling new technical result or idea for any given incident. For any incident of consequence, lots of brilliant people are already doing great work to unravel it and make sense of what happened.
But in the face of rising “crisis fatigue” across our industry, we will have more “dwell time” for thoughtful analysis of complex problems. In a noisy and confusing marketplace, we can bring weight and authority to recommendations and action. In a flood of point claims and point solutions, we can take a holistic view and develop a comprehensive plan for both specific as well as systemic solutions. Through the designed-in public-private membership, we can identify the important lessons and the most effective actions for a full range of stakeholders.
You cannot survive in this industry for decades unless you are a hopeless optimist or a complete cynic. And each has plenty of evidence to convince themselves that they are right. So when the Solarium Commission report came out, and then the Executive Order, and then the announcement of the CSRB, I heard the usual bimodal reaction from my network and the industry at large: from “the same old stuff,” “another paper study coming,” and “we solved THAT problem in the ’70s, but no one listened” to “great roadmap for progress,” “inspiring, whole-of-nation approach,” and everything in between.
I already know many of the people who will serve on the CSRB, from both industry and government. I see optimists, people who are constructive, positive leaders, activists and “doers.” I know most of the rest by reputation, and I look forward to working with them as new friends and colleagues. It reminds me of a point that I have made many times in public talks. This industry is filled with people of great skill and goodwill - people who give tremendous amounts of their time and talent to industry “community service” causes. For example, that’s what powers the work of my current (and last) professional home, the Center for Internet Security. Seeing the members of the CSRB, and my 45 years of experience working with such people, gives me hope that we will do something meaningful and effective.