Phil Quade - The Digital Big Bang

Cyberspace quite literally contains—more than simply referencing or coordinating the management of—wealth and treasure. And given the enormous efficiencies offered in synchronizing the aspirations and actions of both people and systems, cyberspace is increasingly used to coordinate and carry out essential functions of critical systems, from electrical power generation to financial markets to diplomacy, collaboration, and even the conduct of war. As noted by Dr. Mark Hagerott of the United States Naval Academy's Cyber Center, a transformation in human affairs is taking place in which sensing, thinking , and acting , even in physical space, are increasingly delegated to the web of hardware and software serving human endeavors across the length and breadth of cyberspace. Humans' natural desire to impose rational controls on the result will succeed only if we move beyond creating rules about technology to crafting broader rules of governance for the interaction of people, technology, and systems (taking into consideration rules and policies rooted in geography).

The impressive performance of technology in massively improving processing power, bandwidth, and user experience across the past 50 years of the silicon revolution is widely understood as an iconic representation of the times (sometimes referenced as Moore's law for hardware, but there have also been exponential improvements in software, visualization, and the collaboration that collectively aids in pushing cyberspace capacity to new heights). Less well appreciated is the fact that changes in features, capabilities, and behaviors are driven as much or more from the bottom up as from the top down by a virtual army of entrepreneurs. The result of this and unsynchronized changes in user behaviors and software (which often lag behind or precede changes in hardware) make it almost impossible to define and impose a comprehensive and enduring description of how things behave, let alone work, in cyberspace. This can rightly be considered a feature for those who await the next marvel from their favorite technology providers, but this same attribute makes the prospect of defending the wealth and treasure held within cyberspace, and the critical systems and processes dependent on the resilience and integrity of cyberspace, a virtual tail chase. Every change to technology, software, or user behavior portends a possible tear in the fabric of security overlaying the whole. The reality of this inexorable and unsynchronized change offers a fundamental choice as to whether security will be considered as a primary or a secondary feature in the continued transformation of cyberspace. This author suggests that it must be the former and that the security implied by the services of confidentiality, integrity, and availability must be thoroughly considered when any technology, service, or capability is being designed or introduced. Moreover, security must consider all of the contributing factors, encompassing all five layers of the model. Issues of policy, law, and ethics attach to the people and geography layers, which cannot be separately defined from the middle three (technology-only) layers.

But although the challenge of securing cyberspace may be a bridge too far, it is a domain of extraordinary interest that can and must be made defensible and, in turn, actually defended and supported through the employment of means and methods both in and outside of cyberspace itself. Useful analogs may be found in other complex manmade systems, such as those employed by the aviation industry, which has, over time, introduced a system of both technology innovation and governance that fosters continued transformation and capacity generation while imposing a requirement that the security implications of each new addition be considered and thoroughly engineered up front and by design, rather than after the fact. Cyberspace would do well to emulate this approach, though the immediate problems will be that domains do not govern themselves and that the present roles and responsibilities for driving and implementing security solutions remain fractured across organizations and sectors.

As stunning as the changes wrought by cyberspace have been to date, trends suggest an even greater transformation ahead. The pace will only increase anywhere and, increasingly, everywhere on the planet. And while the cyberspace domain can and must continue to be an engine of innovation and a means of global collaboration in support of private or public interests, the opportunities afforded by these trends must be accompanied by the exercise of responsibility across engineering, operations, and governance in fair measure to the value that is derived from, stored in, and leveraged from cyberspace.

John C. (Chris) Inglis – Former NSA Deputy Director

Chris Inglis is a former deputy director of the National Security Agency, currently serving as the Looker Distinguished Visiting Professor of Cyber Studies at the United States Naval Academy. He began his career at the NSA as a computer scientist in the National Computer Security Center and was promoted to the agency's Senior Executive Service in 1997. While at the NSA, he served in a variety of senior leadership assignments, including eight years as its chief operating officer, responsible for guiding strategy, operations, and policy.

A 1976 graduate of the US Air Force Academy and retired Brigadier General in the US Air Force, Inglis holds advanced degrees in engineering and computer science from Columbia University, Johns Hopkins University, and the George Washington University. From 2014 to 2018, Inglis served on or co-chaired Department of Defense Science Board Studies on cyber-resilience, cyberdeterrence, and cyberstrategy. He is a member of the Strategic Advisory Groups for the United States Strategic Command, the Director of National Intelligence, and the National Security Agency. Inglis is a managing director at Paladin Capital Group and serves on the boards of FedEx, KeyW, and Huntington Bank.

Because the Internet represents one of the most astounding innovations in the history of human evolution, its originators are often so revered that their staggering shortsightedness gets a pass. But when we pause to reflect, it is baffling that such visionary computer scientists—whose insights into the power and possibility of digital connectivity were powerful enough to change the course of history—could overlook or not address the most basic question about their invention: what if this really catches on?

It is sadly ironic that the three things that cause the most havoc in the cybersecurity domain are ones that network operators have the most control over.

Today, nearly every cybersecurity expert and executive is living in the havoc of the answer. When a communication platform designed by and for a tight circle of academics and engineers is rapidly expanded for global public use by billions of people, incredible challenges result, along with fundamental questions that should have been more effectively addressed.

For example, authentication. If this really catches on:

How will it be possible to authenticate who is who and what is what?

How can we validate the identity of users to dictate and restrict their access across this vast network?

How will we authenticate software to operating systems, operating systems to hardware, or software to software?