Do We Need a CDC for Cybersecurity?
A centralized cybersecurity agency could leverage the mission and approach of the U.S. Centers for Disease Control and Prevention to proactively respond to cyber threats in real time.
By Madeline Weiss
Although the U.S. Centers for Disease Control and Prevention (CDC) has emerged from the Ebola outbreak with a somewhat blemished reputation, its mission ("works 24/7 to protect America from health, safety and security threats, both foreign and in the U.S.") and approach ("conducts critical science and provides health information that protects our nation against expensive and dangerous health threats and responds when these arise") are as vital as ever.
Would such a proactive mission and approach help protect America from cybersecurity threats, both foreign and in the U.S.? David Bray, visiting associate at the University of Oxford, made the case for "a CDC for cybersecurity" at a recent Advanced Practices Council (APC) meeting. Based on his research at Oxford, Bray built up to his case by reminding APC members of the current grim reality:
· The Internet continues to grow as the main source of information and arena of international commerce.
· More sophisticated computational tools and software facilitate state and non-state cybercrimes.
· The types, numbers and frequency of malicious cyberattacks that cause corporate and societal disruptions are growing exponentially.
Next, Bray discussed potential solutions. In our current turbulent environment, where rapid assessment and response are essential to ensuring security, we must enlist collective intelligence, he urged. We need to connect people and computers, so that collectively they act more intelligently than any individual, group or computer has ever done. And here's where the CDC model comes in. Such a model could leverage the crowd of intelligence professionals; local, state and federal agencies; and the public.
Similar crowdsourcing models already exist in other fields. Consider InnoCentive, launched by Eli Lilly and Company in 2001 to source solutions to unsolved R&D problems from the global crowd. It was so successful that many other companies now leverage InnoCentive for similar situations. Why couldn't a CDC for Cybersecurity connect security problem-solvers with problem holders? Likewise, why couldn't a CDC for Cybersecurity launch automated computer programs to scan news sources and other data in order to produce a map of distributed denial of service alerts? Volunteers could anonymously share observed attacks, and everyone could receive early warnings from the collective group's intelligence. Data collected in real time could be used for longitudinal research to create fixes and cyber interventions to thwart attacks.
Facilitating Cross-Industry Cybersecurity Collaboration
Fortunately, Bray has spurred APC members to action. A task force comprised of members has drafted a proposal for the CIO Coalition for Open Security, whose primary purpose is to develop and implement strategies that facilitate cross-industry collaboration to minimize risk from malicious cyber activity. The task force envisions a forum where participants can share observed attacks; a national organization to analyze reported attacks and respond immediately; identification of open source tools and policies for cybersecurity; collaboration among private, public and non-profit security experts; partnerships among local, state and federal agencies dedicated to cybersecurity; collaboration among professionals to solve each other's problems; and the ability to more quickly develop and distribute countermeasures against attacks.
The task force's next steps are to name a leadership board of CIOs to coordinate the efforts of the coalition and establish a core team to lead this effort. It also seeks broader participation among professionals across different sectors. (For the position statement, click here.)
I encourage you to read the position statement and sign up to participate (send an email to firstname.lastname@example.org). Joe Bruhin, CIO of Constellation Brands and the principal author of the position statement, captures the urgency behind the coalition's actions when he says, "Those of us who have to play cyber defense are losing; together, I believe we can be stronger than the worst of the bad actors."
About the Author
Madeline Weiss, Ph.D., is director of the Society for Information Management's Advanced Practices Council, a research-based program for CIOs and senior IT executives.
To read her previous article for CIO Insight, "Mobile App Risks in Highly Regulated Industries," click here.