TNNI Interview With Dr. Herb Lin Of The National Research Council: What Every Executive Should Know

Dr. Herb Lin, chief scientist of the recent National Research Council report “Toward a Safer and More Secure Cyberspace,” spoke with The New New Internet on a variety of cybersecurity issues, including his definition of cyber deterrence. Dr. Lin said that the private sector must use the security measures that are already available, and acknowledged that most individuals see security as a ‘tension’ with work productivity. Dr. Lin said that through research and improvements, cybersecurity will soon go hand in hand with work efficiency.

The New New Internet: We’ve heard about offensive cyber warfare and defensive cyber warfare.  What does cyber deterrence look like in the possible event of a global war?

Dr. Lin: People don’t often distinguish between cyber warfare and cyber deterrence. Lots of nations and other parties are the victims of cyber attacks from a variety of bad guys.   One way to mitigate the impact of those attacks is through passive defense—better virus detectors, more effective firewalls, and so on.  Also, we ask law enforcement authorities to investigate cyberattacks and we hope that they can find the bad guys responsible and lock them up.  This is supposed to have two effects; it gets the bad guys off the street and it sends a message to others.   Deterrence is about persuading the bad guy to not attack you, and comes in because you may not be successful in defending yourself.  By law, individuals are not allowed to strike back against a bad guy who is coming after you in cyberspace.  The cyber deterrence dimension of cybersecurity asks, “how do you credibly threaten the other guy so that he decides not to attack you in cyberspace?”  There are many questions like, “how do you know who is attacking you?”, “how do you make sure that whatever strike you launch against the other guy is actually going to hit the target that you intend to hit?”, and so on.  Those kinds of questions have to be answered successfully and it is very hard to answer those questions.  It doesn’t mean it is impossible, but it is very hard. 

The New New Internet:  I have a question about the role of the private sector.  What is the proper role of the private sector in the challenges involving cyber security?

Dr. Lin: The private sector has two distinct roles. The first is that the private sector is the source of the products that you and I buy. Vendors such as Apple, Intel, and Microsoft are private corporations that have some role in providing cybersecurity. The second is the fact that you and I rely on private sector companies to provide services: banks, Amazon.com, electric utilities, and so on. These companies also use the technology that vendors produce. Vendors have some responsibility for security in their products, and private sector users must actually use the security functions embedded in the products that the vendors provide. So everybody has responsibilities, and the interesting policy question is how best to incentivize the private sector to provide that security.

The New New Internet:  Speaking of that, do you have any thoughts on what incentives the private sector should have to help the government solve this challenge?

Dr. Lin: This is a question in which the National Academies are particularly interested.  We’ve heard of many possibilities that a lot of different people talk about but we don’t have any recommendations on them because we haven’t studied the topic in any systematic way.  One of the options most often mentioned is imposing liability for products that don’t have adequate security built into them.  To the best of our knowledge, no one has done a comprehensive study of what that would mean to go down that path.  At this point it remains one suggestion that is common but not something that the National Academies either endorses or rejects because we haven’t examined that issue. 

The New New Internet:  What is something that most people, the average executive, should understand in terms of when they think about cyber security impacting their businesses and their daily lives?

Dr. Lin: You just can’t order people to take cyber security measures. You might think that you can, but it’s likely not to work. The problem with most security is that it gets in the way of doing real work. Mostly, the password to my system prevents ME from getting in, because I can’t remember it, and it’s almost certainly true that it’s had this effect many more times than it’s prevented some bad guy from getting in. Mostly security gets in the way, so we all have a great incentive to not use security because we want to get our work done. You really need to pay a lot of attention to how a security practice actually has an impact on the ability of people to get work done. Some people say that there is always a tension between cyber security and usability. We believe there isn’t always a tension, and better systems engineering and human engineering and process engineering can help a lot in developing procedures that are both effective and usable.
