COMMENT: All Secure
Secure Testimony
By Mary Ann Davidson
Advising the United States Congress about cybersecurity
One of the many privileges of my job has been testifying in front of the United States Congress. Recently I testified to the Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology. I know it is hard for anyone to be an expert on everything, so I used analogies to try to make “geeky” cybersecurity issues more understandable to legislators, all of whom want to craft good public policy. I also tried to make an impact in my five allotted minutes of testimony.
My first point was that people must consider the threat environment of software before, not after, deploying it. The Navy does not purchase container ships and then deploy them as aircraft carriers, nor does the Air Force buy Gulfstream Vs and configure them as F-22 Raptors. (Nothing is wrong with container ships or Gulfstream Vs, but they are both designed for different operations and threat environments than aircraft carriers and Raptors.) The flexibility of software leads many people to think you can use anything anywhere, but you can’t. The time to figure out what you really need is during procurement, not after, I said. And although price is always a consideration, it is also true that you get what you pay for in software, as in anything else.
My second point was that, for many organizations, information technology (IT) really is the backbone of their business. Therefore, these organizations absolutely need people who understand what technology can and cannot do. They need to know what technology can do in order to fully utilize it in support of their business, and they need to know what it cannot do so they do not take asymmetric (and unmitigatable) risks. The U.S. military’s entire ability to prosecute war rests upon an IT backbone: the military cannot outsource IT, which has become a core mission. It also needs career paths for offensive cyberwarriors as well as those who must maintain and defend their IT systems. General George Patton understood that if the Third Army ran out of gas, it would not be able to perform its mission. Today’s net-centric armies run on information and are equally out of business if the informational supply chain is disrupted.
My third point was that the U.S. is in a conflict—some would say at war—and should call it what it is. Given the diversity of potentially hostile entities building cadres of cyberwarriors, probing U.S. systems for weaknesses, infiltrating U.S. government networks, and making similar attempts against American businesses and critical industries, is there any other conclusion? Whatever term one uses, there are three obvious outgrowths from the above statement. One is that you can’t win a war if you don’t admit you are in one. The second is that nobody wins on defense. And the third is that the U.S. needs a doctrine for how it intercedes in cyberspace that covers both offense and defense and maps to existing legal and societal principles in the offline world. In short, I said that Congress should consider developing a twenty-first-century application of the Monroe Doctrine.
The Monroe Doctrine stated that efforts by European governments to interfere with states in the Americas—the Western hemisphere—would be viewed by the U.S. as acts of aggression and that the U.S. would intervene. The Monroe Doctrine is one of the longest-standing U.S. foreign policy tenets, invoked on multiple occasions by multiple presidents. The U.S. has, as the expression goes, sent in the Marines—and the rest of its armed forces—to support it. I noted that the Monroe Doctrine did not detail the same or even a specific intervention for each perceived act of aggression but merely laid out “Here is our turf; stay out or face the consequences” language that allowed great flexibility in potential responses. Some may argue that cyberspace is virtual and unsuited to declared spheres of influence, but even Internet Protocol addresses map to physical devices in physical locations—a server for a utility company in New York or a bank in California, for example. Invoking a Monroe-like doctrine in cyberspace would put the world on notice that the U.S. does have cyberturf and will defend it.
Not all of the above advice is relevant to all organizations, but for many of them, IT is mission-critical. That means that these organizations must know their threat environment, train both warriors and defenders, and draw a line in the cybersand. Too many of us are at war and don’t know it.
Mary Ann Davidson is the chief security officer of Oracle, responsible for secure development practices and security evaluations and assessments. She represents Oracle on the board of directors of the Information Technology Information Sharing and Analysis Center (IT-ISAC), has served on the U.S. Defense Science Board, and is on the editorial review board of SC Magazine.