Scholar suggests new strategy for improving cybersecurity.
Cyberattacks can cause potentially massive costs, but the United States may not be adequately prepared to face them. Keith Alexander, director of the National Security Agency, estimates that each year, $1 trillion is spent globally on preventing cybercrime and cyber espionage. Former Central Intelligence Agency director and outgoing Secretary of Defense, Leon Panetta, recently warned that “a destructive cyberattack could paralyze the nation,” likening the threat to a “cyber-Pearl Harbor.”
In light of these costs and difficulties in preventing cyberattacks altogether, University of Arizona law professor Derek Bambauer suggests in a recent article that the U.S. cyber security strategy should focus on mitigating the harm from attacks, rather than preventing them.
According to Bambauer, the U.S. government should encourage organizations to embrace a “divide and differ” strategy to cybersecurity. Utilizing a “divide and differ” strategy, organizations would store their data in a variety of separate compartmentalized systems and would use more than one type of hardware or software system. By diversifying their data storage and operating systems, organizations would be in a better position to avoid catastrophic harm from any one particular form of cybersecurity attack.
The cyberattack threat may be growing more severe and may lead to unexpected harms. For example, the United States and Israel employed the Stuxnet worm against Iran’s nuclear program and caused severe damage to its physical infrastructure while spying on Iranian data. For years while Stuxnet interfered with its programs, Iran had no idea what was causing these problems.
Despite these significant risks, market failures prevent private sector actors from addressing vulnerabilities independently. When products go to market with security flaws, it is consumers, not vendors or manufacturers, who bear burden of potential cybersecurity costs. Vendors avoid internalizing these costs through end-user agreements that “disclaim all liability on the vendor’s part.” In addition, courts have “refused to impose a duty of care on software manufacturers.”
Moreover, cybersecurity threats are difficult to contain. Users may create additional threats if they do not take advantage of available precautions, such as installing security updates when they become available, because attackers may use unprotected systems as vectors to target other victims.
Information gaps also contribute to a lack of cybersecurity planning. Consumers often lack the sophistication to know whether their products are secure, and producers have little incentive to provide consumers with full and accurate information.
According to Bambauer, many organizations do not perceive cybersecurity as adequately threatening. He contrasts current approaches to cybersecurity to those used in protecting other complex systems, such as air traffic control and nuclear reactors. He suggests that organizations relying heavily on information technology are not singularly focused on preventing cyberattacks in the way that nuclear power plants are on preventing a nuclear meltdown. Furthermore, cyberattacks often do not lead to catastrophic outcomes, leading organizations to adopt a dangerous “trial-and-error learning” approach to the issue rather than taking adequate preventative measures.
Although these circumstances make cybersecurity an ideal target for regulation, Bambuaer explains the current lack of cybersecurity regulation by pointing to a number of political factors. Producers, who would likely bear the cost of cybersecurity regulation, are small in number but politically organized. On the other hand, consumers who would benefit from regulation are diffuse, lack awareness, and face coordination costs that prevent them from effectively advocating for their interest in regulation.
According to Bambuaer, legislators may be too “timid” to regulate cybersecurity because they lack technological information. Exacerbating matters, firms may behave strategically to take advantage of their information advantage over regulators by “revealing information . . . when it benefits them and concealing it otherwise.” Additionally, rapid changes in information technology make it expensive for regulators to maintain up-to-date regulations.
Bambuaer acknowledges some current efforts to address cybersecurity. President Obama has called cybersecurity threats “one of the most serious economic and national security challenges we face as a nation.” The president recently issued an executive order that calls for increased information sharing and development of a cybersecurity framework to protect critical infrastructure. Bambauer, however, asserts that these efforts are insufficient because in any complex system, errors and accidents are inevitable, making it impossible to craft a cybersecurity framework that will prevent every attack.
Instead, Bambauer advocates that the federal government adopt a “divide and differ” strategy that focuses on minimizing the impact of cyberattacks rather than one that tries to prevent cyberattacks altogether. He also notes that minimizing an attack’s payoff might deter some hackers from attempting cyberattacks altogether.
Under Bambauer’s preferred “divide and differ” strategy, the government would require that “key” organizations, including financial institutions, defense contractors, transportation systems, utilities, and hospitals as well as federal, state, and local governments, use software and hardware from different sources following a “rule of thirds.” For example, an organization that currently runs Windows operating systems on all of its computers would be required to switch to Apple, Linux, or some other operating system on at least one third of their computers. That way, an attacker who exploits a security flaw in one of these programs or machines would be unable to bring down an organization’s entire system in one cyberattack.
According to Bambauer’s proposed strategy, organizations would also be required to store data in different compartmentalized systems, so that an attacker’s breach of one compartment would not lead him to a complete treasure trove of information. For instance, if an arms manufacturer divides a blueprint for a top-secret weapon into a number of pieces which it stores in a number of different vaults, stealing that information becomes far more challenging and perhaps less attractive a task to potential thieves.
Bambauer suggests that his “divide and differ” approach avoids some of the pitfalls that have prevented regulators from imposing security standards on information technology in the past. A regulator does not need to be a computer whiz to count an organization’s total number of Apple or Dell computers. Similarly, regulators would not necessarily have to update rules requiring organizations to store data in separate compartments every time technology changed. Bambauer proposes regulations that focus on separating data, not mandating particular technologies that may become obsolete.
Bambauer also addressed a number of possible objections to the “divide and differ” strategy. One possible objection to his proposal is that implementing this strategy would be extremely costly. Requiring different operating systems would limit organizations’ ability to take advantage of economies of scale, and a required division of data storage might make it more difficult for people with legitimate needs to obtain information. Although Bambauer suggests that using a notice-and-comment process to obtain feedback in establishing rules might help develop suggestions to lower some of these costs, he recognizes that cost is a concern. However, he asserts that the threat of cyberattacks is serious enough to justify these expenditures. Moreover, he suggests that the government could subsidize private organizations’ efforts to comply with regulations.
Bambauer also acknowledges that a “divide and differ” approach may increase the probability that some form of attack will occur affecting a particular organization. With documents stored in multiple locations and on different types of machines, an organization’s task in identifying and defending its weaknesses grows substantially. If an organization’s data is stored on both Microsoft and Apple computers, it will be exposed to cyberattacks on either system. However, Bambauer maintains that the “divide and differ” approach facilitates an organization’s ability to shield itself from disastrous effects in the event of an attack because any one given attack will only affect some of the organization’s assets.op-secret weapon into a number of pieces which it stores in a number of different vaults, stealing that information becomes far more challenging and perhaps less attractive a task to potential thieves.
Bambauer suggests that his “divide and differ” approach avoids some of the pitfalls that have prevented regulators from imposing security standards on information technology in the past. A regulator does not need to be a computer whiz to count an organization’s total number of Apple or Dell computers. Similarly, regulators would not necessarily have to update rules requiring organizations to store data in separate compartments every time technology changed. Bambauer proposes regulations that focus on separating data, not mandating particular technologies that may become obsolete.
Bambauer also addressed a number of possible objections to the “divide and differ” strategy. One possible objection to his proposal is that implementing this strategy would be extremely costly. Requiring different operating systems would limit organizations’ ability to take advantage of economies of scale, and a required division of data storage might make it more difficult for people with legitimate needs to obtain information. Although Bambauer suggests that using a notice-and-comment process to obtain feedback in establishing rules might help develop suggestions to lower some of these costs, he recognizes that cost is a concern. However, he asserts that the threat of cyberattacks is serious enough to justify these expenditures. Moreover, he suggests that the government could subsidize private organizations’ efforts to comply with regulations.
Bambauer also acknowledges that a “divide and differ” approach may increase the probability that some form of attack will occur affecting a particular organization. With documents stored in multiple locations and on different types of machines, an organization’s task in identifying and defending its weaknesses grows substantially. If an organization’s data is stored on both Microsoft and Apple computers, it will be exposed to cyberattacks on either system. However, Bambauer maintains that the “divide and differ” approach facilitates an organization’s ability to shield itself from disastrous effects in the event of an attack because any one given attack will only affect some of the organization’s assets.