Sunday, August 10, 2008

Beckstrom on cybersecurity

By William Jackson
http://www.gcn.com/online/vol1_no1/46849-1.html

LAS VEGAS — Cybersecurity is hampered by a lack of understanding about the physics and economics of the networks we are trying to defend, Rod Beckstrom, director of the Homeland Security Department's National Cyber Security Center, said Thursday at the Black Hat Briefings.

Risk management is a process of balancing security efforts against an acceptable level of risk because absolute security is not possible. But Beckstrom, speaking at the Black Hat Briefings yesterday, said we have no method for valuing our networks or measuring the effectiveness of our security.

"Without the economics, we don't have a risk-management function in terms of our investment," Beckstrom added.

Beckstrom, who has been on the job about four months, did not go into detail about his office's plans, although he said the goal is to build bridges between the military, intelligence and civilian communities in government.

"We're a brand-new government initiative, and we are working on our initial plan," he said. "My job is to help foster cooperation and information-sharing between those three communities."

Information sharing is a common refrain in his comments. His mantra is "all of us are smarter than any of us."

To balance cost and returns in risk management, the amount of money spent on security should not exceed the cost of the losses being prevented. Initial investments in IT security typically bring a high rate of return by sharply reducing losses. But finding the point of diminishing returns is difficult without a good economic model.

"We need to do a lot more work in that area," he said. "We may want to invest in protocols because it might be the best investment we can make."

Fixing flaws in the protocols that underlie our networks would give us the biggest bang for the buck in the federal government's security spending, Beckstrom said. Such fixes are relatively cheap and have a wide impact, although they are not necessarily simple to implement, as the current effort to patch the Domain Name System shows. But in times of emergency, keeping network operations functioning is critical to any response.
