The best way to fix the discrepancies in cyber defense facing the U.S. is to apply techniques used in other military and security realms and to cease viewing cyber as unique, several experts said during a panel discussion Thursday at the C4ISR Journal conference.
The panelists, who focused on cybersecurity and ongoing international threats, pointed to ways in which cyber has been separated from normal practices and as such removed from the lessons learned in other domains.
“Cyber is not an isolated domain,” said Dale Meyerrose, former associate director of national intelligence. “Those of us in this business seem to get all wrapped up in the business of cyber this and cyber that. Cyber is a means to human endeavor, we sometimes have trouble with that.”
Meyerrose, who now runs the MeyerRose Group, said that the development of cyber mirrors that of the domain of space, where ongoing debates lingered into the 1990s until it was integrated into traditional military planning.
“Maybe we need the discussion of cyber as a special topic in order for us to become more educated.” Meyerrose said.
Dmitri Alperovitch, co-founder of CrowdStrike, drew comparisons to law enforcement, saying that experts get too focused on the tools of the cyber trade as opposed to the general principle of apprehension and justice.
“When someone is shooting at you, you’re not asking ‘is that a 20 caliber or a 40 caliber bullet’ that’s flying at you,” he said. “You don’t really care. You care about who’s shooting at you, why they’re shooting at you, what you’re going to do to neutralize that threat. The gun they use is only of interest after they’ve actually killed you and the police are going to arrive to determine from the forensics on the gun who the actor actually was.”
And the focus on tools has led to an exclusive emphasis on improving defense which, if one views cyber through the model of physical security, doesn’t work. Improving locks or putting bars over windows doesn’t create perfect protection, Alperovitch said. Instead, looking at the way an alarm system deters crime shows the limitations of our current cybersecurity approach which is largely unsuccessful in bringing an attacker to justice.
“An alarm system does absolutely nothing to secure your house, people can still break in,” he said. “But what it does is it says, ‘we’ll concede that you can get into this house, but when you do maybe I have cameras that will take a picture of you and the alarm company will get notified and will call me at three in the morning and they’ll say sir or mam, your door was kicked in, we are sending who? Not the locksmith to fix your door, we’re sending the police to catch the guy.”