Who should be doing what for Cybersecurity
The Los Angeles Times reported yesterday that "Public, private sectors at odds over cyber security". There seem to be high expectations in the US that the government should play a central role in Cybersecurity, and that if the current and/or incumbent US President gives focus to this topic, and government regulations and laws are in place, organizations and people will do the "right" things. On the other hand, according to the newspaper report, businesses do not wish to tackle the problem until the government steps up. While both sides seem to have valid points, the issues involved in Cybersecurity are more complex than a tussle over priorities and budgets between the public and private sectors. The audience is much broader, and extends beyond the US or any specific country per se (as in this other Network World report, "Cybersecurity lacking in Africa"). Partnership, cooperation, and collaboration are key among the stakeholders, including individual users of Cyberspace.
Cyberspace does not exist in just one particular country. Even if the entire US industry and government put all their resources into doing their individual parts and marched off to "secure the Cyberspace" (if that is something that can be done once and for all), the problem would still not be solved. There are many other countries, businesses and individuals outside the US that do not play their roles in Cybersecurity, or are simply ignorant of those roles, given the other priorities they have on hand, and there are weaknesses in Cyberspace that some could leverage for economic or political advantage. At the same time, Cyberspace is constantly changing. It evolves every moment someone plugs a computing device into the Internet, introduces a new piece of software on it, uploads certain information (such as a vulnerability or exploit code), or gets connected, starts to learn about the space, and does all kinds of things in it, for good or otherwise. Security is only as strong as the weakest link, and this applies to Cybersecurity as well. If we look at the recent DNS security issue, all it takes for an attacker to succeed is to have one DNS server poisoned, and he or she is on the way to making many other people suffer; that particular DNS server does not need to be in the US to inflict losses or cause inconvenience to Netizens in the US or anywhere else in the world, as long as they are connected.
Yes, governments (in all countries, not just the US) need to give priority to the security problems of Cyberspace. Each sovereignty must have laws in place and programs initiated to protect its citizens and assets in Cyberspace, and to deter, if not stop, cyber-fraud, criminal, and other undesirable activities. More importantly, every organization and individual in Cyberspace must also recognize their roles and responsibilities for Cybersecurity, and do the right things when they use Cyberspace.
The challenge we have today, however, is answering the question of what the right things are that organizations (including businesses and governments) and individuals should be doing, over and above what they are already doing for information security, computer security, network security, and Internet security. That is what WG 4 in ISO/IEC JTC 1/SC 27 has set out to develop in the ISO/IEC 27032 project, "Guidelines for Cybersecurity". I think, fundamentally, the question of "What is Cybersecurity" needs to be agreed upon before we can have a useful guideline as a standard to improve practices and systems in Cyberspace. The draft document for ISO/IEC 27032 therefore works on the basis of the "working definition" and understanding described in my earlier blog entry on the question "What is Cybersecurity". I would love to hear your views on this working definition, and on what should be in the guidelines as well.