Shostack + Friends Blog

 

The Goals of Cyber Public Health

Cyber Public Health is prompting fascinating conversations An AI generate image of someone testifying

Recently I sat down with someone who had read the Cyber Public Health Workshop report. I’ll call him “Dan.” Dan was enthusiastic about the ideas and goals, and pushed me to clarify the goals, and why people should get on board. He wasn’t really satisfied with my answers, and he has a history of changing the way people think about the problems they face. So here’s a second pass, in which I’ll exaggerate his perspective for effect. I’m also exaggerating because answering criticisms is a way to strengthen the arguments I’d like to make.

Before I get to the goals, he was dis-satisfied with some of the claims I made in the report, such as ‘we know what a healthy machine is.’ I’ll agree that there are complex edge cases which are intellectually interesting. While may be able to get usefully more precise, but the vernacular meanings are probably good enough for a conversation, and the edge cases can get deferred.

The ultimate objective is to help people get better ‘cyber health’ outcomes. (I wrote in the report about the need to define the clear harms that could be measured, and this is a place where the definitions question can come in — but roughly that means less attacker ability to control our systems. If I say “less malware,” how does that relate to attackers ‘living off the land?’ If I say we don’t lose our credentials, do credential leaks matter where there’s no use of those credentials? This ties into danger versus harm.)

To Dan’s question of “why would people care?” I have a few answers:

  • Boards of Directors: Boards frequently ask “How are we doing compared to others.” What they really mean is a question of strategy: Are we allocating our resources well? In the case of security, what that means is less than clear. Is it avoiding breaches? Breach reporting? Lawsuits after breaches? Shareholder suits over governance? In some industries, it’s a matter of regulations (you must do this to sell medical devices or that to hold people’s money), while in others, it’s a matter of customer demand (you must do enough to earn our trust as a cloud provider). Enumerating harms and how often they occur would be a useful input into this leadership discussion, and is missing today. As IANS faculty, we regularly get questions about where people can get data on various types of harms, and the answers are lacking.

    In fact, as I was writing this post, Chris Hoff posted to Linkedin:

    “...doing the INCREDIBLY hard work of hitting the balanced fulcrum in the middle and build a risk-enhanced business case. ... As a CISO, you MUST do both: be an advisor with a vote and realize that you have to pick which hill to die on and be able to say “no, and here’s why and here’s what we might be able to do instead.” Sometimes you will be overruled because: business.” (He goes on to discuss the challenges of regulation. These sort of posts help make the case that leaders could be served by more of the right sorts of data. They also make me wonder should I be splitting boards and execs?)
  • Regulators: In an ideal world, regulators want to demand things that promote the good of society. Without even being cynical, determining what that means is hard, but I’ll take it to include “can be operated safely by a customer of normal skill and diligence.” The regulator may want the creator or operator of a system to go further and make it “idiot-proof” or “child-proof.” Knowing what outcomes are happening (along with the “show the threat model that justifies the rules” approach to regulation) allows us to judge if regulatory interventions are having the desired effect. That helps us get to better regulation, and it may even be a necessary precursor. It may or may not be sufficient.
  • Courts: A small fraction of breaches result in extended litigation over what defensive measures the victim took and the choices they made as they decided what parts of a standard to prioritize. Expert witnesses make good money applying 20:20 hindsight to those choices. Statistical evidence to buttress both those choices and the retrospective analysis would make these cases somewhat less complex. This would be the weakest effect, but perhaps the most economically visible because these cases are a very direct cost.

There’s an argument that I hear from smart people: “We know how to do these things!” There’s an extent to which that’s true. There are leaders who are good at defending their systems. There are also leaders who struggle, either to make decisions or to get their decisions funded or implemented across their organization. And I think prospective spending suffers from something like the “advertising effect.” (“I know that half my ad budget is wasted, I just don’t know which half!”) Also, see Hoff’s post above, where he describes it as “INCREDIBLY hard.”

There’s a question of “will it be worth the effort?” And this is why in my presentation to the National Academies Hard Problems group, I suggested working with US Government agencies. (Slide 5, the first three suggested populations are “The US Census Bureau, The Federal Government, The US Critical Infrastructure Sectors.”) We already have public information on spending for the first two, and they have mandatory breach disclosure under FISMA. For the critical infrastructure sectors, they also have incident reporting requirements, and they have varied regulation, which could work as a form of observational experiment to see what influences outcomes.

So we have some data already available. We could make useful progress by analyzing what’s there. To the best of my knowledge, no one has. It’s a lot of work and it would help sharpen the value and illuminate futher questions. I spoke to the National Academies panel because I think it’s time to be doing that work.

Midjourney: I don’t even know how we get a half-transparent person here but I asked for “an impressionist colorism watercolor of someone testifying before a panel of experts who are nerdy scientists and engineers. The perspective is from behind the person testifying, looking at a set of experts behind a long table or desk.The background is an impressive classical greek facade, and the background is light and airy.”