Wednesday, June 26, 2013

Good cyber security is not just a pile of "best practices"

Recently, some folks involved in the NIST Cyber Security Framework process have suggested that the challenge is analogous to "safety" and thus a similar compilation of "best practices" is what we need.  The thinking goes like this: If we just compile the "best practices" and then give everyone incentives to implement them, all will be good (or at least much better).  Taking the health/safety analogy further, they say that we need to promote "cyber hygiene".

But cyber security is not like safety.  It would be a grave mistake to treat it like they are the same or even similar.

Food Safety, as a Comparison

Consider food safety at restaurants, markets, and food suppliers.  In every establishment, it's possible to enumerate a list of simple practices that, cumulatively, promote food safety and reduce risk of spoilage and food-borne pathogens.  Examples: "Wash your hands", "Use hair nets", "Wear clean clothes", "Sterilize equipment that touches food", "Separate waste water from food washing water", and so on.  Each of these is fairly independent and they each make an incremental contribution to the goal of food safety.  They are mostly free of context.  It's also not hard to evaluate practices to determine which are best.  And from a management point of view, it lends itself to simple checklist inspections and audits.

For any organization that wants to improve food safety, they first improve execution on the existing practices and then add additional practices to cover more causal pathways.  Therefore, having more safety practices (well executed) is roughly correlated with better food safety outcomes.

Cyber Security, at a System Level, is Not Simple

Now compare this to cyber security.  What ever security/privacy practices are used, many of them are not simple.  They are context sensitive and path-dependent.  They are often intertwined and sometimes work at cross-purposes to each other.  There isn't a simple linear relationship between adding a practice and improving cyber security.  In fact, due to increased complexity, adding more practices and controls can actually reduce cyber security.  It's hard to evaluate practices individually to determine which are "best", and even if you could, your evaluation would change with time and context.

Of course, some people may argue against this, saying that it really is all about doing many simple things.  In a Twitter debate on risk metrics, someone (maybe @daveshackleford) argued against all the "fancy" risk metrics and methods, and instead advocated that people should just focus on "locking down boxes".  Yes, there are many simple things that should be done that aren't being done.  Do those things.  But don't confuse them with achieving "good" cyber security.  At best, you would be achieving "not-completely-incompetent" cyber security.

Human Immune System is a Better Analogy

It's better to think of cyber security as if we were designing the human immune system.   This should give everyone pause and inspire humility because the human immune system is an amazingly sophisticated system with distributed intelligence, memory, and adaptation capabilities.  The human mind would probably not be able to design something that works as effectively and as efficiently (which is why many AI researchers study the immune system as a model of collective intelligence).

Without going into too many details, a few things stand out.  First, all the "practices" the immune system performs -- e.g. "produce white blood cells", "raise body temperature", etc. -- are mediated and influenced by many others, including elaborate signaling, memory, and even information processing.   The systematic interactions are much more important to the performance of the system as a whole than the sum of the individual "practices".

Second, the immune system in every human being is grown, not hatched fully formed.  You'll never get an effective immune system by implementing a checklist of "practices".  There is no substitute for going through a developmental process and, especially, through learning through experience.

Third, the loose distributed structure of the immune system is key to its ability to constantly adapt and innovate.

Finally, autoimmune disorders are an unavoidable hazard of a system with these capabilities.  The system can attack itself.  Likewise, any cyber security program of sufficient adaptive/innovative capabilities has the potential to be self-defeating or self-destructive.

Instead of a "Pile of Practices", We Need Systemic Capabilities

I'm trying to promote a focus on systemic capabilities with the Ten Dimensions.  This is why my RFI response to NIST Cyber Security Framework (CSF) focused on "Evidence-based Evaluation":
"The US CSF should focus on evidence-based evaluation to accelerate continuous learning and innovation.

"...the biggest gap is the lack systematic evaluation of what “good” or “best” means given information about the latest conditions and emerging trends.

"...the CSF should ... focus on institutional innovation to support evidence-based evaluation of any and all standards, guidelines, technologies, and practices that are proposed by any sector – private industry, trade organizations, NGOs, international standards organizations, academics, or professional communities of practice. ...   Every organization or person who promotes a practice as 'good' or 'best' should have the burden of proof and should provide supporting evidence or objective evaluation. The best contribution of the CSF will be as the outside learning loop to ensure that practices are continually evaluated, improved, and then eventually discarded when they are no longer appropriate."
Other people are promoting similar ideas regarding a systemic view on cyber security.  One example is Jennifer Bayuk in her PhD dissertation (presentation).  You might look to Systems Thinking or Design Thinking for applicable methods and models.

Maybe someone can convert these thoughts into a few pithy slides or crayon drawings.



No comments:

Post a Comment