On 5 October, I had the pleasure of speaking at the New York Metro Joint Cyber Security Conference, which brings together a community of security practitioners from the New York Metro area. Two talks stood out for me. First, the keynote by Maria Vullo, Superintendent of Financial Services for the State of New York, who explained her drivers for regulating cybersecurity requirements for the financial sector. Second, Pete Lindstrom from IDC, who in a presentation on how perimeter security needs a thorough rethink kept returning to the economics of security.
The reason I refer to these two talks is that I can appreciate them for their own, almost diametrically opposed approaches to improving security. Pete Lindstrom made a strongly economic, risk-based argument, questioning whether patching every vulnerability that comes along makes any sense from an economic risk and scale analysis. Maria Vullo, on the other hand, uses capacity-based regulation to incentivise stronger security controls.
Those two points resonate strongly with what I was trying to get across: There is no magic security bullet, there is no security czar, and maintaining trust needs an active approach from all stakeholders.
Starting off with how our community thinks about the future, I zoomed in on what is seen as one of the most important cyber threats. In order to tackle this, we need to work in a distributed manner. That is what the Internet is still about. We need creative ways of agreeing on what needs to be done; some call this norm entrepreneurship. In the presentation, I gave three examples of trying to deal with the hard security problems on the Internet that were identified in the futures report.
- Risk that online freedoms and global connectivity will take a back seat to national security
Cyberstability is one piece of the puzzle: traditionally an interstate debate, it is now seeking to become broader. The work by the Global Commission on the Stability of Cyberspace is an example – an experiment in opening up the creation of cyberstability norms in a multi-stakeholder setting.
- Need for new accountability, incentive, and liability models
These are tricky, specifically when we talk about externalized risks: where taking action has no immediate individual reward, while remaining passive imposes great risk on the environment. Where do incentives come from, and how can we be creative in an environment where one does not want to stifle innovation? In this context, I talked about MANRS (Mutually Agreed Norms for Routing Security) as a creative incentive developed by the network operator community.
- The Internet of Things will create new security challenges
We believe that innovative approaches like the OTA Internet of Things framework contribute to establishing broadly carried norms around the security of these devices. The framework provides 40 measurable principles around security, privacy, and sustainability, not only from a device perspective but also from a data and supply chain perspective. But even then, there will always be security issues to which we may not have good answers. The recent BlueBorne vulnerabilities, a set of flaws in the Bluetooth stacks of several major operating systems, are an example. How do we deal with these sorts of vulnerabilities? At this moment, I do not know of any attacks that exploit them, but I think we all agree that these sorts of new challenges will keep popping up. On the other hand, there will also be positive evolution in IoT and security, as my colleague Andrei Robachevsky wrote about recently.
Internet security is more than cybersecurity, because we focus on the security of the Internet as a whole. And if that landscape seems complex and confusing, that is because it is.
There are no ready-made answers, and that is the Internet Way: distributed, with good approaches winning out over worse ones, piecemeal, and informed. This is the path to good security: to learn from each other's experiences and get better.
All the easy problems were solved 20 years ago.