The four cybersecurity questions government agencies should ask themselves

By Yogesh Hirdaramani

Professor Steven Weber, Founder and former Director of the UC Berkeley Center for Long-Term Cybersecurity, explains why a diversity of responses is key to defending against cybersecurity threats.

“Much of the cybersecurity world operates the way emergency department physicians have to often operate,” observed Professor Steven Weber, Founder and former Director of the UC Berkeley Center for Long-Term Cybersecurity, at AI x GOV 2022. Rather than tackling long-term problems, their focus is fixed on resolving the crisis of the day.

UC Berkeley’s Center for Long-Term Cybersecurity aims to counter this trend with a long-term perspective spanning years and decades – envisioning tomorrow’s cybersecurity challenges today.

At his keynote speech during AI x GOV’s cyber diplomacy panel, Weber discussed how a diversity of responses today can better prepare the world for a more resilient cyber landscape in the future. He also shared four key questions government agencies should ask themselves when developing cybersecurity strategies.

The need to avoid uniform attack surfaces

To look to the future, we need to look at the past. Weber pointed to the period of optimism around the Internet in the 1990s, when there was a belief that the Internet would usher in greater democratisation and decentralisation. This failed to account for two factors: technology monocultures and human complacency. Today, these factors have led to uniform attack surfaces that are easy to exploit.

First, technology monocultures make it easier for attackers to concentrate their research and development, with “a promise of massive returns,” shared Weber. A computer monoculture occurs when a community of computers all run identical software, and thus all have the same vulnerabilities.

There is a strong tendency for a market to land on a single standard, even if it’s not the best option, explained Weber. For instance, in the 1980s, VHS became the standard videotape format despite the presence of superior alternatives. This victory had less to do with the quality of VHS and more to do with it arriving first, Weber noted.

Today, nearly 85 per cent of the US Federal Government uses Microsoft software, a study found. This could be a national security risk. In 2021, hackers used multiple software vulnerabilities in Microsoft Exchange Server to attack over 30,000 organisations in the US, noted Weber. When organisations globally rely on the same software, one weak point can be catastrophic.

Second, human complacency can make attack surfaces easier to exploit, warned Weber.

The average American has over 50 accounts with digital services, but only one in five uses a password manager, he cited. When complacency around passwords and other security matters scales up, government agencies and private firms may become vulnerable.

IT departments may be too stretched to teach people new protocols and new ways of interacting with their devices, which leaves attack surfaces more exposed, he explained.

We should have “a less uniform and a more diverse attack surface and digital ecology,” Weber suggested.

There might be more successful attacks, but each would be far less consequential than an attack on a single, widely used software system.
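Weber's trade-off can be made concrete with a small blast-radius model. The following is an added example, not from the article or from the Center for Long-Term Cybersecurity: it assumes a fleet split across software variants by market share (the scenario figures, including an 85/15 split modelled on the article's 85 per cent statistic, are constructed), and that one exploited vulnerability in a variant compromises every host running it.

```python
"""Blast-radius model for the monoculture argument (added example, constructed data).

Hosts are split across software variants by market share; an attacker's
exploit against one variant compromises every host running that variant.
"""
from math import prod


def attacker_reach(shares, exploit_budget):
    """Fraction of the fleet reached with `exploit_budget` exploits, each aimed
    at a different variant, largest variants first. A monoculture offers the
    "massive returns" that justify concentrating attacker R&D on one target."""
    ranked = sorted(shares, reverse=True)
    return sum(ranked[:exploit_budget])


def incident_profile(shares, p_exploited, catastrophic_share=0.5):
    """Each variant independently suffers one exploited vulnerability with
    probability p_exploited. Returns:
      incidents      - expected number of successful attacks
      compromised    - expected fraction of the fleet compromised
      worst_incident - largest blast radius a single incident can have
      p_catastrophic - probability that at least one incident exceeds
                       catastrophic_share of the fleet
    """
    big = [s for s in shares if s > catastrophic_share]
    return {
        "incidents": p_exploited * len(shares),
        "compromised": p_exploited * sum(shares),
        "worst_incident": max(shares),
        "p_catastrophic": 1.0 - prod(1.0 - p_exploited for _ in big),
    }


# Constructed scenarios: a pure monoculture, an 85/15 split modelled on the
# article's US federal Microsoft figure, and an even four-way split.
SCENARIOS = {
    "monoculture": [1.0],
    "dominant_85_15": [0.85, 0.15],
    "diverse_4way": [0.25] * 4,
}

if __name__ == "__main__":
    for name, shares in SCENARIOS.items():
        prof = incident_profile(shares, p_exploited=0.5)
        reach = attacker_reach(shares, exploit_budget=1)
        print(f"{name:15} one-exploit reach={reach:.2f} "
              f"incidents={prof['incidents']:.2f} "
              f"compromised={prof['compromised']:.2f} "
              f"worst={prof['worst_incident']:.2f} "
              f"p_catastrophic={prof['p_catastrophic']:.2f}")
```

With the same per-variant exploit probability, the expected fraction of the fleet compromised is identical across scenarios; what diversity changes is the number of incidents (more of them) and the size of the worst one (much smaller), which is exactly the trade-off described above.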

No single best practice for cybersecurity

There are multiple routes to cybersecurity success, he shared. This may be a good thing: with multiple experiments going on at once, there are multiple chances to learn and see what works best. This can also help organisations avoid being embedded in a wider cyber security monoculture.

Here are four questions cybersecurity experts should ask themselves as they design their cyber security strategy, suggested Weber:

  • Is cyber risk a single aspect of risk management, or unique?
Can cyber security be managed as just another element of an organisation’s risk management strategy, or should it be treated as “something unique, distinctive, and existential?” asked Weber.

  • Should cybersecurity knowledge be distributed or concentrated?
Should everyone in your agency be equipped with some level of cybersecurity knowledge, or should you have a team of highly specialised cybersecurity experts guarding the agency?

Beyond individual agencies, it is also important for citizens to have a basic understanding of cyber security on a national level, shared Gaurav Keerthi, Deputy Chief Executive (Development), Cyber Security Agency during his keynote speech in the same panel.

  • Is cybersecurity a collective or competitive mission?
Is cybersecurity a collective effort, something you need to share with both competitors and allies, private and public agencies? Or is it a competitive edge, where your security posture acts as a differentiator?

On the national stage, governments can consider viewing cyber security as a collective effort. 2021’s ASEAN Ministerial Conference on Cybersecurity was a recent showcase of the ASEAN cyber security cooperation model. One of the highlights of the Conference included the opening of a training centre in Singapore for ASEAN national cyber security teams, shared GovInsider.

  • Do we evaluate cybersecurity in a standard or nonstandard manner?
To evaluate how well an agency is doing, should one rely on a standard set of metrics? Or should the CSO evaluate the data in a more holistic manner?

“In fact, you can do well with a variety of answers [to these questions], but only if the organisation knows what it’s choosing and if everyone in the organisation understands,” explained Weber.

In 1996, John Perry Barlow declared the independence of cyberspace from governments. Though his vision of a decentralised cyber future did not come to pass, the cyber landscape today may still benefit from a decentralised, diverse approach to cyber security, with each organisation making choices best suited to their needs.