Tech advisers to the Trump administration are looking for a cybersecurity “moonshot” — a single national target that will be a game-changer in online security. But a meeting of a blue-ribbon telecommunications panel this week suggested that defining such a goal is still some way off.
“This is the beginning of a conversation,” Scott Charney, vice chairman of the president’s National Security Telecommunications Advisory Committee told CyberScoop during a break in the proceedings at a public meeting Wednesday.
“This current approach [to cybersecurity] isn’t working,” added Charney, a former Justice Department cyber prosecutor and current Microsoft VP. “Maybe incremental improvements are not enough … The breaches keep on happening.”
One official said the “moonshot” paradigm had been suggested to the committee by the White House. A former official who once worked with the committee said that was how taskings typically emerged. Charney said only that “It’s something a lot of people have been talking about.”
On Thursday, Former CIA CTO Ira “Gus” Hunt delivered a presentation about the need for a cyber moonshot to an event hosted by The Atlantic. America faced a “compelling opportunity to apply the lessons” of that five year scramble to get a man on the lunar surface and bring him back, said Hunt, now the federal cybersecurity practice lead for Accenture. “It took a visionary challenge to put that all together,” he added. “Today, we need to ignite that same passion.”
Charles Romine, director of the Information Technology Lab at the National Institute of Standards and Technology introduced a panel of technologists to kick off the NSTAC discussion Wednesday.
The actual U.S. lunar program of the 1950s and 1960s had three characteristics as a national goal, Romine argued:
- It was seen as “impossible, or nearly impossible, to achieve.”
- It was “pretty easy to describe.”
- It was “also easy to know when you’ve succeeded.”
But even the invited experts noted it was difficult to see how those criteria could be be applied to information security.
“I don’t mean to imply that moonshots aren’t worth doing,” Ed Felten, the Princeton professor who was deputy CTO in the Obama administraion told the NSTAC. But”roofshots,” an alternative, more iterative methodology, might be a better approach to solving the cyber problem he suggested.
“Roofshots can help us find where the moonshots ought to be aimed,” he said.
In his roofshot manifesto last year, Google engineer Luiz André Barroso pushed back against the “moonshot” model of development and progress in the company, arguing that “the bulk of our successes have been the result of the methodical, relentless, and persistent pursuit” of iterative opportunities — “what I have come to call roofshots.”
From the point of view of the private sector, said Felten, “One of the good things about roofshots is your entire business doesn’t stand or fall [based] on whether you are the only people who can do it.”
In prospecting for oil, he said “You end up drilling a lot of holes,” but only one of them had to be a strike.
“There’s some discussion about whether moonshot is the right paradigm,” Charney acknowledged.
In Felten’s presentation, he laid out two very iterative goals: Better implementation of well-understood security best practices and more secure software development.
He said a cyber moonshot would have to be a “very ambitious, risky and fundamentally sound scientifically … Something that, if it works out, would have an enormous return.”
But it wouldn’t have to be large or expensive. Asymmetric Public Key Encryption — PKI — had made whole new categories of communications encryptable.
“When you get a new approach, that can be transformative,” Felten said.
But the “biggest” cybersecurity transformation over the past 20 years, “wasn’t technology, it wasn’t [corporate] culture, it wasn’t any of these things, it was a peace treaty between the U.S. and China,” said NSTAC member Dave DeWalt, former CEO of numerous. He said the Obama-Xi deal had led to “massively diminished activity” by Chinese state-sponsored hackers.
However, the globally and universally connected nature of the internet makes the gains from such deals illusory, countered Rodney Joffe, senior technologist at Neustar.
“It just needs one country that won’t sign on and unless you block them [from the global internet] you’ve achieved nothing,” he said.
He added that the issue highlighted the failure of online accountability. “Every piece of the internet, every connection, every [device] on it, is owned by someone,” he said.
Those owners needed to start tackling the problems, not just piping them through to the next guy. “We need to push responsibility out to the edges more,” he said.