Doctrine for Cybersecurity

Governments, businesses, and individuals are growing increasingly worried about the security of networked computing systems. This concern is justified. Press reports of successful attacks grow ever more frequent: cross-site scripting used to pilfer consumers’ passwords, large-scale breaches of corporate customers’ personal information, distributed denial-of-service attacks on websites, cyber espionage aimed at classified documents, and attacks on civil critical infrastructures.

Consequently, computer scientists and their funders are investing heavily in technological means for improving cybersecurity. But technological solutions are useless if they are not deployed or if operating practices allow attackers to circumvent them. Policy must create incentives for system developers, operators, and users to act in ways that enhance rather than weaken system security. Moreover, neither technologists nor policy-makers have the luxury of starting with a clean slate. All must labor in the shadows of legacy networks and end systems that are not secure (nor easily made so) and in the context of extant policy that reflects societal values from a time when dependence on networked information systems was minimal.

Enhanced levels of cybersecurity can create tensions over cost, function, convenience, and societal values such as openness, privacy, freedom of expression, and innovation. Absent a widely accepted doctrine, evaluation of proposals for improvement is difficult, and debate about their adoption can be neither compelling nor conclusive. The utility of a doctrine is thus determined by the extent to which it offers a framework for resolving these tensions while not imposing, ignoring, or ruling out possible technical or policy solutions.

.  .  .