Poisoned fruit is an apt metaphor used by the Honorable Richard Danzig in the title of his latest report for all things cyber that today we can’t live without, yet that bring ever-increasing risks. The Center for a New American Security (CNAS) sponsored an event showcasing Danzig’s report and discussing proposals for U.S. government responses to cyber insecurity. Panelists included Mike Walker (DARPA), Melissa Hathaway (President of Hathaway Global Strategies), Gary McGraw (CTO, Cigital), and Ben FitzGerald (CNAS), who also moderated the session. Introductory comments were provided by Dan Kaufman (Director of the Information Innovation Office, DARPA). The panel discussion was followed by Richard Danzig, who responded to comments from the panel as well as the audience.

Although a blog post on Danzig’s 55-page, information-dense report will necessarily be a summary, you can get the full report, “Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America’s Cyber Dependencies,” from the CNAS web site.

Danzig’s report is a high-level policy document. However, it also provides some concrete ideas to be considered by U.S. government decision-makers for surviving on poisoned fruit. Briefly, these recommendations include:

  1. A national security standard defining “red lines” in cyberspace
  2. Sacrifice some cyber benefits to ensure greater security for key systems
  3. Some private-sector systems fall within the national security standard
  4. Bolster cyber strategic stability between the US and other nation-states
  5. A regime of mutually unassured destruction (MUD) ensures insecurity for all
  6. Map the adversarial ecosystem of cyberspace in anthropological detail
  7. Use the model of voluntary reporting of near-miss incidents used in aviation
  8. Provide an elite cyber workforce for the federal government

There is substantial agreement between elements of Danzig’s report and The Langner Group’s philosophy as expressed on our web site, in various whitepapers, and in the Robust ICS Planning and Evaluation (RIPE) Program. One example of this alignment can be found on the very first page of the executive summary: “…these strategies [better cybersecurity strategies] are typically costly, and users will commonly choose to buy less security than they could obtain because of the operational, financial or convenience costs of obtaining that security.” The message is clear: better cyber security will cost more and be less convenient.

Another major point made in Danzig’s report is the idea that the way we’ve been doing cybersecurity is not working and it’s time to rethink the problem: “The deficiencies in the existing methods of cyberdefense have been increasingly exposed as state-sponsored and state-run attacks have become more frequent and use more sophisticated and extensive resources.” At The Langner Group, we have rethought the problem, and more than a year ago we expressed a similar sentiment in a paper published by Brookings: Bound to Fail: Why Cyber Security Risk Cannot Simply Be “Managed” Away. In this February 2013 paper we state that putting the emphasis on establishing a framework for risk management and relying on voluntary participation of the private sector have been attempted for more than a decade without measurable success.

Those who think deeply about the problem of cyber security as it relates to national security and critical infrastructure should read this report. In fact, they should read it more than once and ponder the implications of doing nothing. Richard Danzig has been working on this effort for over a year, and the report encapsulates the thinking of a long list of industry thought leaders in an effort to bridge the gap between policy and operational concerns. We sincerely hope that decision makers at all levels of the public and private sectors are paying attention.

If you read Richard Danzig’s report and come away wanting a cyber security program for protecting critical infrastructure that incorporates key elements of his report, look no further than The Langner Group’s Robust ICS Planning and Evaluation (RIPE) Program. Contact us for more information.