Long term measures of Cyber Security for a Digital Economy
The last two blogs of this series dealt with near- and mid-term measures of cybersecurity for a digital economy. The September 11 attacks changed many things, among them how attacks on utilities can be used as vehicles to disrupt an economy. The long-term approach to avoiding such an attack is constant fundamental research with fast development of simulated prototypes for analysis, experiments and trial deployments.
The economy is built on industry, and industry is made of individuals. These three levels contribute to the digital economy. In interpreting cybersecurity, it follows that national security (including state-sponsored, security-relevant intelligence gathering), industrial espionage, and cybercrime all differ dramatically in terms of scale, stakeholders, timeframe and level of economic importance.
The idea is to create tall barriers and a cyber-defence that will make the enemies expend a huge amount of energy to pose threats. One simple example is how easily a hacker can invest in a modest computing setup, and then spend little human effort to launch an attack that can cripple an organization, or even a state. A common example that one can think of is the ‘ex-chief of security of computer infrastructure, Gabriel, decides to bring the entire Eastern United States down by crippling both power grids and natural gas distribution systems’ in the 2007 movie ‘Live Free or Die Hard’, the fourth of the Die Hard series. Such attacks are normally launched through a combination of very smart hacking capabilities and insider knowledge, but more than identifying the cause, what is key is to know how to create a long-term solution, that is, to prevent such a situation from happening.
Enterprises need to mitigate risk in any case, but the threats are still contained through risk management. What is key is that the enterprise, or the economy as a whole, should focus on how policies assess vulnerabilities at different levels of the systems, and also identify frameworks, collaborations and funding to address vulnerabilities. Threat intelligence covers the entire spectrum from reactive intelligence through post-mortems, proactive checks like audits, and then anticipating threats through fixes, and also social engineering to eliminate the insider issue. Anticipating threats and assessing vulnerabilities at all levels is not only a long-term issue, but also a continuous effort. The steering committees of enterprises, communities and countries should meet regularly to review the progress and the way forward. In short, long-term policy planning for cybersecurity has effects at all levels, and the steering committee should drive a multi-pronged approach to securing the digital economy.
The wide range and diversity of threats prompt us to look at policy framing differently. Instead of offering solutions or plugging vulnerabilities, a single, focussed approach might be to study the causes or motivation of the threat source. This is more of a policy question, as it will decide the key optimization point between investments in proactive and reactive measures, defining tolerable risks and the acceptance of fallout. What is key is to establish long-term accountability to a comprehensive cybersecurity policy for a digital economy.
This concludes our first series of ‘Cyber Security for Digital Economy’.