A top National Security Agency executive argued today that if the nation is to defend against escalating cyber threats, it will be increasingly important for individuals, corporations and institutions, including government, to be held more accountable for their contributions to, and their actions within, cyber space.
At the same time, there are limits to what actions private enterprises can take in protecting their networks, said NSA Deputy Director Chris Inglis, speaking at an Intelligence and National Security Alliance forum in Washington.
“You want to defend against the arrows,” said Inglis, “but there are also times when you want to take out the archer.”
The question of when that decision should be made, by whom, and how is one of the great debates raging within cyber circles, and especially within NSA, the Department of Defense and the Department of Homeland Security, which is charged with working with critical infrastructure operators in the private sector.
Inglis acknowledged, “If there’s ever something we’re behind in, it’s cyber.”
But there are limits to what organizations such as McAfee, Symantec, RSA and others that provide cyber security protections, as well as private enterprises seeking to protect their networks, can do in dealing proactively with those threats, he said.
Those types of decisions are inherently governmental in nature, he said, warning that such decisions should not be left to cyber vigilantes.
Inglis highlighted three properties that have made cyber space exceedingly difficult to safeguard, and outlined how the U.S. and other nations might make it more defensible.
First, he said, is the extent to which everything is connected to everything. That convergence is what has helped produce what he called the Internet’s “greater good,” but it also has increased users’ exposure to unwanted and even hostile attacks.
The second property is the anonymity users enjoy online, allowing them to traverse cyber space without clear attribution, making governance and responses to bad actors much harder than in the physical world.
But the third property, and perhaps the Internet’s inherent flaw, is a design bias over the years that favored speed, connectivity and performance with security coming as an afterthought.
“Security was considered to be a drag on those features,” Inglis said. “It was assumed people would behave well. Security was based on self-governance.”
But security also tended to reflect a static view of the Internet, or the networks that connect to it.
“When we show up, we find networks that hold wealth and treasure that are not well defended,” he said.
Inglis said that one of the “national tools of power” that remain at policy makers’ disposal is “getting people to understand their liability” for their respective roles in how they use the Internet.
“There is a need for those that build the systems, the network, the protocols” to be held accountable for their design decisions, as well as for how individuals and corporations use or manage those systems, he said, calling such accountability “an instrument of power.”
Inglis said that while technology innovation is important to improving cyber security, innovation is also needed in getting people to understand their fundamental roles in using the Internet, and for finding ways to codify those roles and rules, “so you can hold those entities accountable.”
He also stressed that cyber safeguards need to protect not only intellectual property, but also individual privacy and the right of navigation to use the Internet freely.