Fall 2011

Doctrine for Cybersecurity

Deirdre K. Mulligan and Fred B. Schneider

A succession of doctrines for enhancing cybersecurity has been advocated in the past, including prevention, risk management, and deterrence through accountability. None has proved effective. Proposals that are now being made view cybersecurity as a public good and adopt mechanisms inspired by those used for public health. This essay discusses the failings of previous doctrines and surveys the landscape of cybersecurity through the lens that a new doctrine, public cybersecurity, provides.

DEIRDRE K. MULLIGAN is an Assistant Professor in the School of Information at the University of California, Berkeley, where she is also a Faculty Director of the Berkeley Center for Law and Technology.

FRED B. SCHNEIDER is the Samuel B. Eckert Professor of Computer Science at Cornell University.

Governments, businesses, and individuals are growing increasingly worried about the security of networked computing systems. This concern is justified. Press reports of successful attacks grow ever more frequent: cross-site scripting used to pilfer consumers’ passwords, large-scale breaches of corporate customers’ personal information, distributed denial-of-service attacks on websites, cyber espionage aimed at classified documents, and attacks on civil critical infrastructures.

Consequently, computer scientists and their funders are investing heavily in technological means for improving cybersecurity. But technological solutions are useless if they are not deployed or if operating practices allow attackers to circumvent them. Policy must create incentives for system developers, operators, and users to act in ways that enhance rather than weaken system security. Moreover, neither technologists nor policy-makers have the luxury of starting with a clean slate. All must labor in the shadows of legacy networks and end systems that are not secure (nor easily made so) and in the context of extant policy that reflects societal values from a time when dependence on networked information systems was minimal.

Enhanced levels of cybersecurity can create tensions over cost, function, convenience, and societal values such as openness, privacy, freedom of expression, and innovation. Absent a widely accepted doctrine, evaluation of proposals for improvement is difficult, and debate about their adoption can be neither compelling nor conclusive. The utility of a doctrine is thus determined by the extent to which it offers a framework for resolving these tensions while not imposing, ignoring, or ruling out possible technical or policy solutions.

.  .  .

To read this essay or subscribe to Dædalus, visit the Dædalus access page