The US Army and Marine Corps’ official Counterinsurgency Field Manual opens with a quote that could easily serve as a motto for cybersecurity professionals: “This is a game of wits and will. You’ve got to be learning and adapting constantly to survive.”
General Peter J. Schoomaker was describing how to confront asymmetric military and political threats such as those posed by small, armed groups trying to overthrow governments or destabilize societies. But he might just as well have been framing the challenge of defending IT systems against cybersecurity threats such as those posed by Trojans, worms and viruses.
BSA member company Symantec last year identified 2,895,802 new malicious code signatures in its Global Internet Security Threat Report, a 71 percent increase from 2008. Think about that: nearly 2.9 million variations of Trojans, worms, worms with back-door components, viruses and other sorts of malicious code. To defend against such an onslaught, technology companies, IT managers and cybersecurity professionals must be extremely nimble. They must, as Chapter 1, paragraph 144 of the Counterinsurgency Field Manual counsels, “Learn and Adapt.”
Yet when policy-makers are confronted with the scale of today’s cybersecurity challenges — and when they ponder the implications of those threats for vital IT infrastructure — a frequent impulse is to respond with legislative or regulatory proposals that would have the unintended consequence of inhibiting the technology community’s ability to innovate as quickly as the creators of malicious code. The understandable urge is to mandate technology solutions that would guard against known threats. This creates a problem familiar to military commanders who have had to operate within the confines of doctrines conceived in response to the last war instead of the next one.
The Counterinsurgency Field Manual was written, in part, to break that pattern. Policy-makers would be well advised to take its lessons to heart when they think about how best to tailor a policy approach to bolster cybersecurity.
To start, innovation must be a guiding principle. We need a policy framework that maximizes incentives for industry to develop and market new security technologies. And to that end, industry-led technology standards are indispensable: They facilitate interoperability between systems built by different vendors while also driving competition among vendors, leading to greater choice of better security products at lower prices.
Prescriptive government mandates can have the opposite effect: They can impose country-specific technology standards that defy the nature of the Internet by breaking up the global marketplace. Worse, they can force security developers to conform rather than learn and adapt.
I doubt the general would approve.