Government Technology

By Dan Lohrmann: Covering the security challenges facing governments today and offering innovative solutions to global and local cyber threats.

Defining a National Doctrine on Cybersecurity

December 16, 2012

Our nation has developed a fairly long list of doctrines that have historically stated what we believe and the principles on which we will base our future actions. Two examples that come to mind are the Monroe Doctrine and the Reagan Doctrine, but there have been many others. In addition, military doctrine has long provided a guide to national defense actions.

Do we need such a national doctrine on cybersecurity? If so, what needs to be included? How will the rest of the world view this doctrine? Can a cyberdoctrine help guide our actions?

Earlier this week, I was contacted by Sarah Rich from Government Technology Magazine and asked to comment on recent efforts to develop a national doctrine on cybersecurity. Sarah wrote this article entitled: Should the U.S. Develop a National Cyberdoctrine? Here’s an excerpt:

“Earlier this month, the Potomac Institute Press released a new book #CyberDoc: No Borders – No Boundaries, which addresses the rising concern of cyber-related disasters and the growing need for such a doctrine.

‘The book is a call to action,’ said Tim Sample, vice president and sector manager of special programs at Battelle and co-editor of #CyberDoc.”

I won’t reiterate my comments to Sarah here, except to emphasize that I support the overall call to action in the book for a national discussion on key cyber issues. Nevertheless, I also think that getting a meaningful national consensus on the answers to key questions will be very difficult. (See Sarah’s article in the gray box for some of the key questions, beginning with ten questions that are foundational.)

Further Analysis

But I am highlighting this topic again for another reason. I urge readers of my cybersecurity blog to take 15-20 minutes and ponder the transcript of the Potomac Institute for Policy Studies event on cybersecurity held in early December.

This transcript for the event covers many excellent topics of discussion and provides a wealth of information regarding why a doctrine for dealing with cybersecurity is important. It also discusses many relevant topics that should guide our thinking on dealing with the new cyber environment moving forward.

Here is a brief sample of intriguing statements from the panel discussion:

- “…Nobody thinks that the government can provide cybersecurity. We don't want to turn it over to the government; it doesn't do that well. We must recognize that cybersecurity costs money and that somebody has to do it.

- I think one of the things that came out of the conference is that there clearly needs to be someone in charge.

- Somewhere along the line in the last four or five, six, seven years, this thing has changed from essentially "isn't this cute," to "gosh, this is useful," to a public utility. And the question becomes, how does a government deal with that?

- So what do you need to know? Well, you need to know what are you trying to deter. You need to know who are you trying to deter. And you need to know how.

- If somebody attacks you and you notice that and people die and buildings come crashing down, it's a pretty obvious thing. But what if they don't attack you? What if all they do is put in place the ability inside all your infrastructure to take it down if they wanted to at some point in the future? It's all benign, nothing's happening, nothing's being taken down; it's just sitting there.”

I also found this article, written by well-known cybersecurity policy expert and author Dan Verton, to be very helpful. Here’s an excerpt from that piece:

“President Barack Obama’s signing last month of Presidential Policy Directive 20 (PPD 20), a classified directive that establishes guidelines by which the federal government can operate beyond the confines of federal networks to respond to serious cyber attacks, may have finally laid the foundation upon which a national doctrine governing cybersecurity can be built….


“The issue here is that the status quo is no longer acceptable,” said Rear Admiral Jamie Barnett (USNR-Ret.). “We’re no longer going to simply defend the networks and continue to take the attacks and intrusions. We’re not going to be in a corner with our boxing gloves over our face. We’re going out and we’re going to swing at people who are attacking us.”

One more thing on this topic: There are several additional classic questions that are particularly useful when setting forth a doctrine. These were sent to me by Andris Ozols, who is an excellent researcher and adviser on our Michigan CIO’s staff.

- What is it that we don’t know (regarding cybersecurity)? This question is not a logical impossibility, but an ongoing open inquiry.

- What happens if we under or overreact (to cyberattacks)? Risks in both – how to choose.

- What is plan B, C and so on? No plan in effect is a plan, but can it ever be a good plan? Perhaps better than some plans.

All of this is thought-provoking stuff that makes for important dialogue as we consider the future direction of cybersecurity in America and around the world. I agree with the sentiment that we can’t keep doing the same things and expect different results. We all know that we need to be taking new actions to protect critical infrastructure as a nation, as states, as local governments and as private companies.

Now if we can just agree on the right questions (and the same answers). Perhaps an open process of building a cybersecurity doctrine can help.

What are your thoughts?



Comments

Doug DePeppe, LLM, JD    |    Commented December 17, 2012

Dan, Excellent piece! Very insightful. As you know, I’ve recently written a piece on the taxonomy between strategy and doctrine, and ultimately my belief that this new cyber realm requires its own disciplinary construct. I would be concerned that doctrine without a full understanding of the field might add further confusion, and ultimately lead to correction. The Monroe Doctrine, by comparison, did not change; but, the field of international diplomacy and sovereign regional interests was not a new field in the early 1800s. Thomas Kuhn's The Structure of Scientific Revolutions sets out a useful model for understanding the nature and evolution of new beginnings. Kuhn wrote about how outliers, first rejected, eventually become studied and result in recognition of a new field, a new science. So, I believe academia needs to play a significant role in helping us first understand the cyber domain, and to shape its contours and interdisciplinary dimensions. For example, the dust really hasn’t settled on which federal department is in charge of cybersecurity. Until we have fashioned the domain as either homeland security, defense, intelligence, law enforcement, or even some new model (e.g., a public-private partnership), it would be impossible to set down a doctrine. How, for example, could we assert a Monroe-like doctrine about protecting sovereign cyberspace rights – implicitly invoking a defense model – if the responding department to most incidents were law enforcement or homeland security? National policy is not yet firm even on what constitutes an armed attack in cyberspace. My further thoughts on this attempt at fashioning a doctrine will be blogged elsewhere, but I wanted to offer my thoughts under this thread as well. I definitely agree, however, that a national dialogue must ensue. No disciplinary construct can develop without improved understanding of the cyber domain.

Dan Lohrmann    |    Commented December 18, 2012

Thanks Doug for sharing your perspective. I know you have quite a bit of experience in this area, and I welcome you to write more on this topic - either here or in another form that I can link to.

Doug DePeppe, LLM, JD    |    Commented January 21, 2013

Dan, Here's the piece I referenced on this topic: http://www.csoonline.com/article/727099/a-taxonomy-for-the-national-cybersecurity-doctrine

