Speed, Scale, and Critical Infrastructure: Three Truths and a Lie, Part One
December 2, 2015
My last post focused on the pitfalls of perimeter protection and questioned our traditional understanding of perimeters. Recall the premise: Cyberspace isn’t the same as real estate; it can’t be divided into plots called networks with a mapped perimeter to secure our systems. So, if our perimeter assumptions are – pardon the pun – full of holes when applied to cyber, then how else might we think about securing important spaces?
In this post and the next, we will explore three truths and a lie that lead us toward another construct.
Global Threats and Porous Perimeters
To begin with, traditional network perimeters are intentionally permeable: we all want to interact with people, merchants, organizations, and information providers outside of our perimeter. That external environment is where the good stuff is—but also where shady actors prowl, and the threat context is global. Therefore, ideally, defenses would be seamless and global as well – but they are not.
In reality, limits of human trust, differences in cyber norms, legal structures, language, and business logic combine to stymie global defense. That means other useful approaches must be identified and put into practice.
The Cheese Stands Alone…But Cyber Does Not
The cliché in cybersecurity is that the weakest link gives an attacker an entry point to wide network access. While the weakest link cliché is true, addressing weak cyber links on their own won’t protect us. In fact, we can’t even address the weakest link until we deal with cyber as part of a bigger picture.
Here’s why: cyber systems underpin and control physical infrastructure; and both cyber systems and physical infrastructure interface with, impact, and are designed, developed, and governed by humans. That means our approach to securing cyber systems must equally take into account the foundational limitations of cyber, physical, and human elements.
Which foundational limitations characterize cyber, physical and human elements of essential systems, or critical infrastructure, if you will? For purposes of this discussion, let’s try these:
- Cyber: We are only as secure as our weakest cyber link
- Physical: Security and resilience have to be addressed where ownership and control reside, which generally falls where physical infrastructure operates – at the local or regional level more than the national or international level
- Human: Trust does not scale (for good reason)
Together, these three key limitations point toward regions as a vital pivot point for protecting the most essential functions of our society. Let’s explore this a bit more.
There is a lot of water already under the bridge on the "weakest link" truism for cyber, so let’s move on to the physical aspects of critical infrastructure.
Physical Infrastructure and Organic Governance
Soon after 9/11, a number of regional coordination bodies formed to strengthen awareness of threats to, and the security of, critical infrastructure. These organic self-starters assumed a variety of shapes and sizes, covering anything from 16 counties (the Hampton Roads region in Virginia) to multiple states (the Pacific Northwest Economic Region). Other examples include the National Capital Region, the Bay Area Region, and a number of metropolitan-area-based bodies around major urban hubs (Chicago, Atlanta, and Boston).
These groups focused on the physical security of infrastructure and key assets, which made sense given the 9/11 targets and the visual dominance of physical infrastructure in the American mind.
Without prompting – and without national funding – these groups formed around a regional construct. Why? They knew that the physical infrastructure upon which their lives and livelihoods depended is owned, controlled, and protected within their own geographic area. So, owners, operators, citizens, and planning bodies came together because they had an inherent incentive; in this case, these diverse constituencies knew that their shared fate was held within their collective hands.
Today, there is a new reason these groups are so important: from physical infrastructure protection, we need to move to mission-focused infrastructure protection – and infrastructure today is inherently cyber-physical in nature.