
Agility & Evolution:
Two Key Attributes of an Effective
and Efficient Cyber Security Center
James Bret Michael, Ph.D.
Professor of Computer Science and Electrical Engineering
U.S. Naval Postgraduate School
12 September 2013
International Seminar on Cyber Security: An Action to Establish the National Cyber Security Center
Disclaimer
• The views and conclusions in this presentation are those of the speaker and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the U.S. Government
“Reversal of defaults”
• “What was once private is now public, what was once hard to copy is now trivial to duplicate, and what was once easily forgotten is now stored forever.”
– Ron Rivest, Cryptographer and Professor at MIT
Aiming at a moving target
• Answers to the following and other relevant questions will change over time:
– What are you trying to protect against whom?
– What level of trust in a specific service, system, application, device, component, or system of systems is adequate?
– What types and levels of communication and collaboration are needed domestically (public-to-public and public-to-private) and between States?
– What resources are needed?
Change in technology and its use
• Accelerating rate of innovation in Information and Communication Technology (ICT) with attendant new and sometimes unexpected:
– Opportunities
• Example: improving product manufacturing workflow processes through leveraging the Internet of Things
– Risks
• Example: exposing large amounts of valuable intellectual property to theft from “bring-your-own” always-on personal mobile computing devices
Change in law and policy
• The “permissible” (law) and “preferable” (policy) change in response to the “possible” (technology), albeit slowly
– Need resources such as a corps of subject matter experts who can facilitate collaboration and communication among lawmakers, policy-makers, technologists, and laypeople (i.e., everyone else)
• Provide for informed public debate, legislating, policy-making, and introduction (by producers) and use (by consumers) of ICT
What are you trying to protect
against whom in outsourcing?
• Protecting the confidentiality, integrity, and availability of a user’s or enterprise’s data from:
– Service providers
– Unauthorized users of the service provider’s services (in a public cloud) with different motives and levels of capability (e.g., script-kiddies, State actors)
– The insider threat (authorized users) within the enterprise providing or consuming the services
Consider trust related to
outsourcing of ICT
• What level of trust should/can users place in cloud-based (i.e., provisioned) services?
– Will the service provider adequately protect the user’s data and privacy?
– Will the provider respect civil, cultural, and other liberties (e.g., not suppress free speech)?
– What are the service providers’ security policies and enforcement mechanisms? Are they effective?
– What are the service providers’ privacy policies regarding collection, data retention, and uses of user-owned data and associated metadata?
Evolutionary path for the National
Cyber Security Center (NCSC)
• NCSC must crawl before walking, walk before running, based on the experience of US-CERT
– Standing up the full set of core capabilities will take: time, hard work, funding, patience, and leadership buy-in
• Start with a subset of capabilities and tasking for which the participants have expertise and available resources
• Gradually add capabilities (e.g., expand beyond operations and analysis to education & training and research & development)
• Continuously improve the level and quality of capabilities
NCSC needs to be agile
• NCSC will need the flexibility to adapt to changes in ICT and its use
– We do not know a priori what those changes will be or what effects they will have on security, privacy, policy, law, etc.
– Adaptation will require reprioritization of capabilities and tasking at the:
• Tactical level, such as adjusting triage policy in response to a short-term spike in security incidents
• Strategic level, such as to address new uses of ICT or shifts in the severity and frequency of occurrence
No time like the present to start
• The facility, subject matter experts, and an initial self-study are available
• The learning curve cannot be avoided, and metrics can be tied to the current maturity level
• The types and nature of the opportunities and risks we face today cannot be efficiently or effectively addressed without cross-domain, cross-organization orchestration of communication and cooperation
– National and international obligations to act
Summary of key points
• Big Bang approach is untenable
– National Cyber Security Center must rely on an evolutionary approach to building and improving its core capabilities and those of its sister centers
• Non-stationarity is a reality
– National Cyber Security Center must remain agile to address the changing opportunities and risks posed by ICT and its use
• Waiting to start is not a realistic option
– NCSC itself is needed to address current obligations for orchestrating communication and cooperation among the spectrum of stakeholders operating in cyberspace