Skip to content ↓ | Skip to navigation ↓

Last week, MIT and its Center for International Studies along with its Internet Policy Research Initiative released a report titled Keeping America Safe: Toward More Secure Networks for Critical Sectors. The report is focused on strategic challenges that are needed to enhance cybersecurity for critical infrastructures and sectors. Moreover, the report outlines research agendas and proposes policy initiatives for each of the strategic challenges.

These results were partially due to a series of workshops hosted by MIT, which focused on the electricity, finance, communications and oil-and-natural gas sectors. The workshops were attended by sector-specific experts, academic researchers and government officials.

From a policy perspective, this is a good and interesting report. The challenges, findings and research questions are not necessarily novel. In fact, some are actually well known within the cybersecurity industry, especially for those who conduct cutting edge cybersecurity research. However, using these challenges, findings and research questions to formulate policy recommendations for the President is a very good step in the right direction.

The report points out some important challenges and findings. However, one area I would caution against is that of encouraging complete airgaps. The authors of the report state, based on an article at CNN, that “it’s important to move controls for transportation, the electricity grid and gas pipelines off public networks.” But creating complete airgaps is not a long-term solution, if technically feasible at all.

Our modern day digital systems are far too complex as a whole to assume that we could create a reliable airgap for these critical infrastructure systems. It would be like adding an extra lock to a door on a house that has windows that cannot be locked.

The report addresses the problem of system complexity at the unit level, such as with overly complex chips. However, system-level complexity will still exist even if the individual components have reduced levels of complexity. The point I’m trying to make here is that we cannot approach the cybersecurity problem assuming that we can completely lock down and airgap a network, which if attempted would lead to a false sense of security.

This is not to say that we should just open the gates. Indeed, network isolation is a good thing. Fortunately, the report includes the language “levels of isolation”, which is a more realistic approach. Future critical infrastructure systems will need Internet connectivity for advanced operations such as predictive maintenance. Working with levels of isolation can help achieve this in a more secure and robust fashion.

Another area of concern I have in the recommendations is related to the eighth challenge: Accelerate and improve the training of cybersecurity professionals. My particular concern is their language in the recommendation:

“The President should appoint a blue-ribbon commission on the feasibility of increasing the supply of highly trained computer scientists and engineers and developing model curricula for training computer scientists and engineers in the defense of critical systems.”

This is a very good piece of advice. But the suggestion of focusing on training for the defense of critical systems is too narrow. In particular, it is really only a partial short-term solution to a long-term problem. This is not the only report that makes the naïve assumption that providing more cybersecurity professionals will alleviate the problem. It will help, but the problem we face is scale, and it’s a level of scale that we cannot solve by continuously training and hiring new cybersecurity professionals.

The scale problem here is that the sheer volume of digital technology being developed and deployed on a daily basis is mind boggling. When you couple the average amount of cyber weaknesses contained per unit with the rate of development and deployment, you have a very large scale problem with exponential complexity.

A key approach to addressing this problem is not just in training cybersecurity professionals to help with defending our systems but also in tackling this problem at its core. The core resides with the very people who develop our technology, and these are not just computer scientists and engineers. In particular, the curricula we have to formulate should start teaching our children at very early ages the consequences of using digital technology in an unsecure fashion.

Then, most importantly, we must integrate cybersecurity fundamentals into our science, technology, engineering and mathematics (STEM) educational programs. I’ve said many times that STEM students should have to study the how, where and why of cybersecurity just like they do for calculus, chemistry and physics. Obviously, further than this, we need to have better specialization courses in cybersecurity across the board.

Until we move in this direction, our technology industries will continue to develop highly insecure software and hardware, which will, in turn, continue to generate highly insecure systems and networks.

SANS White Paper: Security Basics
  • Rob Sisco

    I wasn’t in much ageement with you on some of the first paragraphs other than airgaps not being the end all full solution. But then you mentioned your concern with the ambiguous statement of accelerate and improve the training of the cybersecurity professional. I couldnt agree more, infact,it is the only soluton that is even has a heck of a chance at being sustainable. I would add that cyber security professionals and those who develop their tools as well as need to consider how to operate and analyze, modify and most of all defend at scale while still allowing for extreme fidelity. The attackers have surely learned this, why are we expecting for cyber professionals to defend huge networks without having more integration in their tools, and scaled computing in their training. Specifically on the tools, we need secure APIs with high fidelity and tools that integrate them all and spit out temporary responses that then require a follow up full or long term solutons in the near future by the user. I would say user interface needs to be an extremely versatile solution. And of course some of it all comes down to preperation, like any good defense as well as offense.

  • M.L.Sachdeva

    The Article is inspiring and knowledge spreading.
    It is understood that Cyber security techniques / science is already forming a part of science, technology, engineering and mathematics (STEM) educational programs. Each Institution has their own software organisation which in addition to making/ maintaining software also implement cyber security devices . There are professionals who find hole (s) in the Commercial software and supply Cyber protection solution against a good cost.
    As the industry spreading, software industry is also expanding as also and Cyber security efforts are also improving.

    It is never ending cycle as more more industry is developing and more operating soft wares will be developed ,more Cyber threats will appear. Depending on financial impact of cyber theft in an industry, the protective devices (Cyber Security inputs, intricacies and in-depth study) & financial impact will vary.

    National Level Organisations shall also be equally responsible to put in place frame work to reduce cyber threat.
    In UK, Two popular frameworks ISO 27001 and Cyber Essentials are in use