Last week, MIT and its Center for International Studies, along with its Internet Policy Research Initiative, released a report titled Keeping America Safe: Toward More Secure Networks for Critical Sectors. The report is focused on strategic challenges that must be addressed to enhance cybersecurity for critical infrastructures and sectors. Moreover, the report outlines research agendas and proposes policy initiatives for each of the strategic challenges. These results were partially due to a series of workshops hosted by MIT, which focused on the electricity, finance, communications, and oil and natural gas sectors. The workshops were attended by sector-specific experts, academic researchers and government officials.
From a policy perspective, this is a good and interesting report. The challenges, findings and research questions are not necessarily novel. In fact, some are actually well known within the cybersecurity industry, especially for those who conduct cutting-edge cybersecurity research. However, using these challenges, findings and research questions to formulate policy recommendations for the President is a very good step in the right direction.
The report points out some important challenges and findings. However, one area I would caution against is that of encouraging complete airgaps. The authors of the report state, based on an article at CNN, that “it’s important to move controls for transportation, the electricity grid and gas pipelines off public networks.” But creating complete airgaps is not a long-term solution, if technically feasible at all. Our modern-day digital systems are far too complex as a whole to assume that we could create a reliable airgap for these critical infrastructure systems. It would be like adding an extra lock to a door on a house that has windows that cannot be locked. The report addresses the problem of system complexity at the unit level, such as with overly complex chips. However, system-level complexity will still exist even if the individual components have reduced levels of complexity. The point I’m trying to make here is that we cannot approach the cybersecurity problem assuming that we can completely lock down and airgap a network, which if attempted would lead to a false sense of security.
This is not to say that we should just open the gates. Indeed, network isolation is a good thing. Fortunately, the report includes the language “levels of isolation”, which is a more realistic approach. Future critical infrastructure systems will need Internet connectivity for advanced operations such as predictive maintenance. Working with levels of isolation can help achieve this in a more secure and robust fashion.
Another area of concern I have in the recommendations is related to the eighth challenge: Accelerate and improve the training of cybersecurity professionals. My particular concern is their language in the recommendation:
"The President should appoint a blue-ribbon commission on the feasibility of increasing the supply of highly trained computer scientists and engineers and developing model curricula for training computer scientists and engineers in the defense of critical systems."
This is a very good piece of advice. But the suggestion of focusing on training for the defense of critical systems is too narrow. In particular, it is really only a partial short-term solution to a long-term problem. This is not the only report that makes the naïve assumption that providing more cybersecurity professionals will alleviate the problem. It will help, but the problem we face is scale, and it’s a level of scale that we cannot solve by continuously training and hiring new cybersecurity professionals.
The scale problem here is that the sheer volume of digital technology being developed and deployed on a daily basis is mind-boggling. When you couple the average number of cyber weaknesses contained per unit with the rate of development and deployment, you have a very large scale problem with exponential complexity.
A key approach to addressing this problem is not just in training cybersecurity professionals to help with defending our systems but also in tackling this problem at its core. The core resides with the very people who develop our technology, and these are not just computer scientists and engineers. In particular, the curricula we have to formulate should start teaching our children at very early ages the consequences of using digital technology in an insecure fashion. Then, most importantly, we must integrate cybersecurity fundamentals into our science, technology, engineering and mathematics (STEM) educational programs. I’ve said many times that STEM students should have to study the how, where and why of cybersecurity just like they do for calculus, chemistry and physics. Obviously, further than this, we need to have better specialization courses in cybersecurity across the board. Until we move in this direction, our technology industries will continue to develop highly insecure software and hardware, which will, in turn, continue to generate highly insecure systems and networks.