Sometimes we come across a new word or phrase that is not only different, but intriguing. Occasionally these new terms or ideas really catch-on and become a part of mainstream thinking and/or technology adoption. While it is rare, these terms can even become a part of everyday language for technology or even non-IT professionals. For example, concepts like “the consumerization of IT” (initially coined by Gartner) are becoming more well-known to techies and phrase like “cloud computing” are showing up in everyday TV commercials. These terms were virtually unknown a decade (or less) ago.
Which brings me to the topic of today’s blog: What is a healthy cyber ecosystem? If you haven’t yet heard people using these words, I suspect that you will soon. The Department of Homeland Security (DHS) published a white paper in March 2011 entitled, Enabling Distributed Security in Cyberspace: Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action. What got me thinking about this even more was the term “ecosystem” showing up in recent meetings with technology vendors.
I know, I know, when we think of “ecosystem” we generally see a mental picture of various water sources with plants interacting with wildlife roaming in protected reserves. But this new approach takes the concept into our virtual cyber worlds.
According to the DHS white paper:
“Like natural ecosystems, the cyber ecosystem comprises a variety of diverse participants – private firms, non]profits, governments, individuals, processes, and cyber devices (computers, software, and communications technologies) – that interact for multiple purposes….
This discussion paper explores the idea of a healthy, resilient – and fundamentally more secure – cyber ecosystem of the future, in which cyber participants, including cyber devices, are able to work together in near]real time to anticipate and prevent cyber attacks, limit the spread of attacks across participating devices, minimize the consequences of attacks, and recover to a trusted state. In this future cyber ecosystem, security capabilities are built into cyber devices in a way that allows preventive and defensive courses of action to be coordinated within and among communities of devices….”
While this may seem a bit like “cyber utopia,” I certainly agree with the overall goals. Helpful analogies are provided in the paper such as our human immune system’s ability to fight off disease or the Center for Disease Control and Prevention’s (CDC’s) approach to a flu outbreak.
If a global system of Internet protections are put in place, we “could enable the ecosystem to continuously strengthen itself against the cyber equivalent of autoimmune disorders.”
According to the DHS white paper, there are three main components (or building blocks) to a healthy cyber ecosystem, including automation, interoperability and authentication. Excellent identity management is essential to building the required trust online. The white paper points to the National Strategy for Trusted Identities in Cyberspace (NSTIC) to build the foundations for this trust. The paper also suggests that traditional notions of “command and control” must be recast in the direction of “focus and convergence.”
In my opinion, the section on "focus and convergence" is an area where I have many questions regarding technology and process. Military forces have seen “command and control” working for millenniums whereas focus and convergence seems to me to be much harder to implement with diverse audiences and interests worldwide. For example, it is difficult to get agreement at the United Nations. And yet, I see the numerous benefits associated with this distributed approach, if we can implement a coordinated response to global cyber threats.
I especially like the ideas in a Enabling Distributed Security in Cyberspace white paper that promote more user incentives (page 26). We need to develop new opportunities for global buisnesses to grow and prosper in cyberspace. Still, this incentive area needs a lot of work, since organizations and individuals still deem “doing nothing” as being reasonable responses to cyber threats.
What’s been the wider industry response to the cyber ecosystem concept? First, many news organizations published detailed articles on the topic. Here are a few:
US-CERT’s Powerpoint Presentation (from last year) on this topic also provides more technical details regarding early actions needed to head in this directions. This presentation from a Cyber Town Hall Meeting by some federal government security leaders also addresses risk in a related security framework. A test wiki has also been set up on this topic.
What’s my opinion on the goal of creating a healthy cyber ecosystem? For the most part, I like this concept. On pages 22-26 of the DHS white paper, the healthy and unhealthy attributes to this new virtual world are identified. We are talking about what Bruce Schneier calls “The endless broadening of security.”
However, if I were to summarize this goal in a few words in non-techie language, I would say society wants an Internet that allows users to safely surf their values. We want our online world to reflect what we value in our offline world - including all aspects of our interactions with other people, businesses and governments. No doubt, our online and offline worlds are merging together in new ways each day, and meanwhile the bad guys are getting better at undermining Internet safety.
If this healthy cyber ecosystem is to become reality, we need to be building safety and trust in new ways and not just fighting malware and identity theft. This approach requires a strengthening of protections through the same natural defense mechanisms we have in our human bodies and building trust in online relationships and interactions just as in our “real world” communities. Programs like "neighborhood watch" may provide helpful models.
And a healthy cyber ecosystem will go well beyond traditional cybersecurity topics. Individuals and businesses will be incentivized to enable the good and disable the bad in cyberspace, if they feel they personal ownership over the ability to influence online life. Yes, this means both freedom and shared responsibility for all of us. It offers Internet safety and reliable online communications. A healthy cyber ecosystem can enable virtual integrity for web activities.
What are your thoughts on a healthy cyber ecosystem?