A few weeks ago, the White House released its International Strategy for Cyberspace. To a technical audience, it’s a pretty thin document. But that’s fair enough – it’s intended for consumption by politicians, diplomats and policy wonks, not technologists.
However, the strategy does make it pretty clear that the private sector has a big role to play here. And within industry, electronics is obviously one of the most affected areas. IP theft is already a big concern, cross-border collaboration is both necessary and widespread, and the Internet is a powerful vehicle for reaching international markets at low cost. Those are just three of a plethora of issues our business faces specifically.
So what can we offer? Not surprisingly, there’s a lot of discussion in the strategy about standards—their development, their maintenance and their distribution. Well, we’re pretty good at that. Indeed in the case of the IEEE, we have an organization that is learning about how to fast-track the standardization process. Given how quickly cybercrime techniques morph, any secure global infrastructure will need that capability.
But I’d say that we can push even harder on getting the politicians to give priority to the concept of methodology. Here’s why.
Any security standard becomes a red rag to the dark side of the hacker community as soon as it’s released (indeed, even the bright side will batter such technologies in order to not just identify but also alert the world to their flaws).
What you really want to build around that is a way of disseminating the nature of any new risks as they arise and then implementing safeguards across as much of the network as possible. If you’ve got a chip design being specified in the Valley, verified in India and manufactured in Taiwan, you want all those supply chain components to have identical, best-in-class security.
Now, given the millions invested in today’s system projects, I’m fairly sure in guessing that plenty of you reading this already have a methodology in place to ensure that (or a best practice, or an IT manager who scares even the CEO—call it what you will). The question we need to consider, then, is whether there are core ideas within these strategies that can be shared, both within the business itself and more widely. Though, of course, you can’t lift the lid on exactly how your security systems work (or those shared with partners).
Standardizing the methodology for response is something that is easier to lock down over time, even if the technology within the tools that implement it has to remain closed. Funnily enough, that also sounds a lot like how EDA and hardware/software design work.
There’s another reason why I think it’s worth pushing this angle ahead of technology standards. One thing worried me about the national cyber strategy that the White House proposed for legislation before releasing its international policy. There is, inherent within it, an idea of a minimum benchmark for cybersecurity standards, one that could even be enforced upon companies running sensitive sites or conducting sensitive work (and similar in some respects to what the military already demands).
I can see how some apparently good reasoning might have brought the Department of Homeland Security to that position, but the fundamental flaw with it is that once a company meets that minimum, it could think it’s safe. As we know, because of those morphing cyberthreats, that is far from the case. Instead, practices are needed that encourage continual vigilance and fluid reactions.
The best solution, probably, is for industry to create the standards and practices, particularly hi-tech companies. It is not just that the private sector always better understands the technology—be serious, here, I’m not about to diss the NSA—but that it has a better idea of what is at stake in the commercial (as opposed to national security) context. And, as noted, many companies will have started on this work already.
Certainly, some high-profile, international semiconductor-industry initiative on cybersecurity for internal use might not be a bad idea. Just planting seeds.