Assigning national information security roles
Robustness — being capable of performing without failure under a wide range of conditions. Cybersecurity measures that promote robustness can be classified into several main efforts, including: 1) organizational processes; 2) technical steps, such as network segmentation, user privilege policy, access control, data encryption and authentication mechanisms; and 3) procedures focused on the human factor, such as training.
Resilience — the capability to detect threats, prevent their infiltration or at least confine their expansion, manage their effects and deny their recurrence; the notion of adaptability is at the core of resilience, as is being able to continue ordinary operations.
Defence — the capacity to disrupt cyberattacks by focusing on the human factor behind them through national operational defence capabilities.36
The question of establishing national cybergovernance is fundamental to ensuring security. What are the roles, responsibilities and capabilities that should be expected of the public and private sectors? Leaving aside issues of liability and insurance, it is important to establish clear roles and responsibilities for security within a country. When security is vaguely defined as “everyone’s problem”, or perhaps more dismissively “someone else’s problem”, in practice it is no one’s problem.
In contrast to policy in other spheres, organizations (rather than individuals) are the unit of analysis and action for this sphere. Security governance should be framed in collective terms (similar to threat intelligence) to create collective immunity. Furthermore, it should be framed in collaborative terms to leverage the private sector’s decentralized contextual knowledge and the public sector’s broad view of the threat landscape and considerable resources.
A three-layer additive framework can be used to help align roles and responsibilities with distinct security capabilities around software and the assets that software impacts, for which a national government should assign responsibilities. One preliminary determinant of how policy should be implemented in any given national context is ownership and responsibility of data. The World Economic Forum explored how to assign responsibility around personal data in an earlier publication.37 The three layers of national cybergovernance are:
- Robustness, which can be understood as the ability to prevent, repel and contain threats. In practice, this would consist of organizational and technological measures to prevent cyberincursions. For many countries, the first layer of defence is a responsibility delegated principally to the private sector, with the public sector providing guidance on standards and minimum policies, procedures and technologies.
- Resilience, which is the ability to function during and after successful cyberincursions. One of many capabilities that helps promote resilience is a Computer Security Incident Response Team (CSIRT). Governments typically have taken a greater role in providing resilience, although large private organizations are also able to field capabilities that promote resilience. The upfront costs associated with resilience capabilities are high, while the return for most private-sector organizations is episodic. Furthermore, such costs are highly scalable: while it is (usually) not feasible for any single organization to develop emergency response capabilities equivalent to a CSIRT, when those capabilities exist, an individual organization’s ability to respond to a breach is heightened by potential recourse to a CSIRT. Another important resilience capability is business continuity planning, which ensures that organizations are prepared to manage through incidents.
- Defence, the ability to pre-empt, disrupt and respond to cyberattacks. In contrast to other governance capabilities, which are fundamentally introspective, defence is focused on the originating source of cyberattacks. Again, defence is a role more naturally suited for government, given the exercise of sovereign responsibilities, laws and regulations related to intentionally doing harm to another individual or entity, and the economic profile of developing defence capabilities. Developing and maintaining defence capabilities is resource intensive, while the benefits are diffuse and over longer periods of time (e.g. deterrence). To be sure, there is considerable debate about the extent to which the private sector should be allowed to act to defend itself (which is addressed separately under point 4.12 “Active Defence”).
- Each capability strengthens the others. Greater robustness means that governments will be required to deploy resilience less frequently. And greater resilience implies greater capacity can be dedicated towards defence. Alternatively, greater robustness and resilience capabilities might necessitate less of an investment in defence.
Significant trade-offs are associated with delegating these capabilities to the public sector versus the private sector. The principal trade-off is the one associated with governance centralization:
- The more robustness is a decentralized responsibility of the private sector, the greater the risk that friction in cross-organization intelligence sharing impedes security. To take a simplified example of disseminating a known suspicious URL: in a robustness capability managed more centrally (through the public sector), it would be easier to ensure that less traffic is directed towards that URL. Conversely, a more centralized security posture gains ease of management at the cost of agility. Every organization faces unique threat vectors that may be overlooked if the public sector takes a more active role.
- A similar risk is associated with resilience capabilities. As resilience becomes centralized, the contextual knowledge of an organization’s specific network topography is less accessible for the public sector, which means that efforts to respond to cyberemergencies may be slower. Alternatively, as resilience becomes the responsibility of the private sector, inordinate (duplicative) costs may be borne by organizations (unless those capabilities are outsourced).
- The risks associated with defence capabilities are somewhat analogous to the trade-offs involved in allowing the private sector to take a leading role in attribution (as identifying adversaries is core to defence capabilities). The more defence is delegated to the private sector, the greater the risk of potentially significant collateral consequences (e.g. the private-sector hack back of an alleged public-sector adversary).
One general trade-off that should be considered across all the capabilities is the extent to which guidance, both from the government to organizations and from organizations to their constituents, is fully specified. The more fully a given control is specified (e.g. an organization must have an antivirus solution installed on all endpoints), the greater the risk that organizations “solve for” security through compliance rather than through the regulatory objective (e.g. secure endpoints). However, from the perspective of managing the regulatory apparatus, determining and verifying compliance is simpler and less expensive for government than understanding whether regulatory objectives are being achieved. While this is generally true of many regulatory efforts, in the context of cybersecurity the increasing heterogeneity of specifications made by well-intentioned actors has created a proliferation of requirements with varying effectiveness.
Policy model: assigning national information security roles
Key values trade-offs created by assignment of national security roles
Case study: Waking Shark, United Kingdom
Since 2011, UK financial authorities have conducted cyber stress tests, Waking Shark I and II, on the financial sector to prepare for and assess its readiness against increasingly severe cyberattacks. In contrast to typical “red team” exercises, in which external teams probe and hack a given company, “Waking Shark” is an industry-wide, government-facilitated exercise to test financial infrastructure generally. A number of valuable lessons can be learned from the British experience:
- There are no substitutes for experience, but cyberexercises are one of the best ways to test an organization’s capacity for robustness and resilience and to challenge leaders to deal with the question of defence.
- Industry-wide exercises facilitated by the public sector are a unique form of collaboration. Conducting such a test would be difficult in a purely private context — organizations would be loath to participate and risk reputational damage with their counterparties, competitors and customers.
- The exercises have focused on the health of market infrastructure rather than on any individual participants. Not only does this focus allay the concerns of individual participants, it reveals a nuanced understanding of the connected nature of cyber-risk. Market infrastructure can only be as resilient as the weakest contributing link.
Case study: Cyber Star, Singapore
In 2017, the Cyber Security Agency of Singapore (CSA) conducted an exercise covering all 11 designated “critical information infrastructure” sectors in Singapore, in a whole-of-government effort to test Singapore’s cyberincident management and emergency response plans. The exercise comprised a series of complex scenario-planning sessions, workshops and table-top discussions, covering different types of cyberattacks targeting essential services, including web defacement, widespread data-exfiltration malware infections, ransomware hits, distributed denial-of-service attacks and cyberphysical attacks. Participants also developed and tested their incident management and remediation plans in response to these simulated attacks.
To understand why such an expansive exercise is useful, it may be helpful to use the example of the financial sector, typically deemed critical in most countries. The ability of the financial sector (or any sector) to withstand a cyberattack is deeply premised — sometimes unquestioningly — on the availability of adjacent sectors. How many banks can withstand a cyberattack when their ISP is besieged? To what extent can market infrastructure absorb the deterioration of power generation capabilities through a cyberattack on industrial control systems? If transportation infrastructure is constrained (e.g. metropolitan transit no longer operates), who will staff the security operations centres of financial institutions? The scenarios and potential linkages are numerous, and without some level of planned and exercised coordination it is difficult to imagine how resilience capabilities will be maintained during a cyberincident.
Connecting policy to values:
The inherent value trade-offs created by cybergovernance choices about how information security roles and responsibilities are delegated are highly context dependent. However, a few observations across economic value, privacy, security and accountability reveal general themes:
- Some capabilities have the profile of a pure public good (in the classic economics sense): their consumption is non-rivalrous and non-excludable. Deterrence arising as a consequence of defence capabilities would be one such example. As such, the economic value of the public sector providing this capability is likely to be greater. Other capabilities have a more mixed profile.
- A given polity’s understanding of privacy is highly dependent on the context and may vary depending on how responsibilities are delegated. In some contexts, a more active role for the public sector in providing robustness capabilities may be perceived as a diminution of privacy, whereas in others the ability to access sensitive information would raise symmetric privacy concerns regardless of whether it is led by the private or public sector.
- Security can be achieved through a variety of assignments of roles and responsibilities — little empirical evidence suggests that a more or less centralized role for the public sector necessarily results in greater security. However, it is worth noting that the degree of centralization of cybergovernance differentially impacts the security risks that are mitigated. A greater degree of centralization, in which the public sector has a more active role across robustness, resilience and defence, is likely to be more effective at addressing coordinated and broad threats. Contrariwise, a greater degree of decentralization is likely to be more effective at addressing diffuse and heterogeneous threats.
- Governance decisions will necessarily impact the accountability of the public and private sectors; governance choices will principally distribute that accountability. However, given that private-sector organizations are typically the providers of ICT, for some capabilities (e.g. resilience) the extent to which private-sector accountability diminishes if the public sector takes a more active role is limited.