Crossroads Blog | Institute National Security and Counterterrorism

technology

Cybersecurity reboot: Two game-changing ideas (FederalComputerWeek)

On April 9th, 2012, Brian Robinson wrote for FederalComputerWeek on two new strategies that could revolutionize cybersecurity.  To open, Robinson noted that cybersecurity is currently arranged in "slapdash fashion" with a mess of firewalls and "inadequate identification and authentication protocols and . . . piecemeal [security] policies . . . ."  However, we might be able to address that cybersecurity mess with two novel ideas currently on the table:

1.  Moving target defense (MTD).  MTD involves turning static cyber defenses that hackers can map and exploit into movable and chaotic cyber defenses that hackers can't keep up with.  The idea hinges on presenting hackers with a cybersecurity system that is always changing.  For example, a company's cybersecurity system could randomly switch hosting services, instantly change the structure of software while maintaining its functionality, or deploy fake servers as decoys to confuse and slow hackers. 

The FederalComputerWeek article noted that some of the technology behind MTD is already around, but there is still a ways to go.  Coordinating such a chaotic system would take a lot of effort.  Nevertheless, the White House, DHS, and other federal agencies have already allocated a nice chunk of money towards MTD research, so it's coming.  Robinson suggested that DOD and other intel agencies are already trying MTD out. 

2.  A Cyber Center for Disease Control (Cyber CDC).  The idea here is to develop a government organization that would inform the public about malware outbreaks, research how to prevent them, and "develop public health policies" that communities need to protect their cyber health.  Essentially, take everything the CDC already does and slap a cyber in front of it.  The FederalComputerWeek article explained that the Cyber CDC could be instrumental in preventing communicable cyber diseases.  The problem is creating a body that could share all of that threat information: private companies (like Symantec) have a business interest in disclosing threat information solely to their clients, and have no legal obligation to turn that information over to a government entity.  Thus, it's unclear whether the Cyber CDC would have reliable access to cyber threat information.

Two interesting ideas, but it's unclear whether either proposal is practical.  You can find the FederalComputerWeek article here.

Leave a Reply

Bitnami