The Need for Higher Level Strategic Approaches to Cyber Security
By Bonnie Butlin, Co-Founder and Executive Director of the Security Partners’ Forum
Multiple factors are driving the need for higher-level strategic approaches to cyber security, as states and communities adapt to ubiquitous technological advancements, globalized platforms, and digital economies that are affecting nearly every aspect of our lives, our communities, and the global interactions among states and economies, which have become increasingly complex and intertwined.
New and additional players are involved in cyber security, such as cyber lawyers, cyber insurance providers, regulators, and law- and policy-makers, at multiple levels of government. IT and security disciplines themselves are maturing and professionalizing, and are adapting to automation and technological advances, one such example is the introduction of AI into fraud and forensic investigation. Additionally, new security and cyber security disciplines are emerging, such as security convergence, and cyber security economics. The proliferation of unique interests, influences, and objectives among cyber security professionals and disciplines may result in different, and even conflicting, directions being taken in cyber security. This conflict may be reduced or managed through cross-discipline awareness and engagement, and a more strategic approach that transcends individual disciplines and actors.
One example of such conflict is that the security community in general is trending toward greater regulation, and specificity in standards and certifications, while the business community is trending toward a demand for less regulation and specificity, to stimulate innovation, reduce barriers to sector entry, and to foster competition that drives innovation. Another example is that law enforcement and intelligence communities may resist encryption as an enabler of threats, while the cyber insurance sector may encourage encryption as a reasonable measure that businesses may take to protect data and reduce liability risk. Additionally, social media platforms, largely privately owned, are facing increasing pressure in the public interest to monitor and attribute content to limit social harms, which may in turn risk limiting anonymity and freedom of speech, which are also in the public interest, and have traditionally been public sector responsibilities.
Coherence will require more than collaboration and consultation; rather, it will require careful strategic balance and interdisciplinary consideration to ensure coherent momentum forward in cyber security efforts.
Attempts to achieve such balance are increasingly reflected in the proliferation of National Cyber Security Strategies (NCSS’s), which are focused at the strategic level, rather than at lower levels, where much of the innovation and risk management in cyber security are occurring. NCSS’s are to a certain extent political in nature, factoring in national interests and cost considerations for taxpayers, which may compete with traditional risk management and focus within organizations, which have their own strategic planning, risk tolerances & cultures, and stakeholder interests, among other. Traditional risk management approaches in cyber security may not working as effectively as expected. New risk management models and better data sets may need to be developed, including from the new ‘cyber security economics’ discipline. Similarly, NCSS’s alone may not capture the full complement of considerations in cyber security, even at the strategic level, and may require the gap to be bridged more effectively between NCSS’s and risk management within organizations.
Cyber security may require not just a strategic-level approach, but a grand-strategic approach, once reserved to great powers. Grand-strategy involves greater than military resources, and applies in peacetime, and within domestic space - consistent with the ubiquitous nature of cyber security challenges of today. Middle and even smaller powers may require comprehensive, and more than basic strategic efforts when it comes to cyber security challenges, even beyond cyber-specific or cyber-focused NCSS’s. While dedicated NCSS’s are becoming more common, outside of national security and foreign policy strategies for example, stand-alone cyber security strategies may not be sufficient, particularly in the absence of recognized international cyber law. Larger geostrategic considerations may also need to be factored into strategy, as well as international trade and investment, and larger economic considerations.
Risk management and risk tolerances are related to organizational culture. State-level ‘cyber security cultures’ may be slowly emerging, including as the global regulatory and legal landscape is becoming increasingly ‘staked-out’ in terms of jurisdictions and state preferences. For example, in relation to cybersecurity, the EU has been notably privacy-focused, and favourable to individuals with personal information (as reflected in the General Data Protection Regulation - GDPR), the United States has been notably business focused (reflected in the rollback of privacy protections and internet neutrality), and Russia’s approach has been informed by its unique international law doctrine and security posture that has favoured strategic independence and sovereign decision-making among states (consistent with Russia’s recent ‘Internet Isolation Law’).
As regulators and law-makers are pressed to address rapid advances in technology and the associated risks and effects of same on societies and communities, these new laws and regulations may be ‘baking-in’ the preferences and/or characteristics of the current leadership and trends, further shaping in enduring ways these emerging ‘cyber security cultures’. For example, the current U.S. President Donald Trump has a personal background in business, while Russian President Vladimir Putin has a personal background in international law, and Europe’s Cold War history has arguably made current leadership more sensitive to privacy rights - all of which are reflected in their respective laws and regulations, which are unlikely to be easily changed. Emerging cyber security cultures may in turn affect both how risk is managed and how strategic approaches are formed and evolve.
In the short- to medium-run, cyber security may benefit from enhanced strategic treatment, to address and mitigate the uncertainty and instability that currently characterizes the cyber security landscape, due to rapidly changing technology, uncertainty in relation to laws & regulations, significant liabilities & compliance penalties, jurisdictional variations, and conflicting state approaches, in the context of more frequent and severe threats and risks. Excessive uncertainty may be an obstacle to sector development, and may exacerbate the talent gap, disincentivize investment, and inhibit the ability of businesses to innovate, grow and scale-up.
Greater stability through enhanced strategic approaches may foster a more predictable and hospitable cyber security landscape over the long-run.