Cyber Security - Regulation versus Tempo
The challenges of cyberspace are broadening and deepening. Whether this is from the aspect of threat, which has now become systemic, or the general understanding of cyberspace, which is limited, or the overall response to cyber insecurity, which is still too fragmented and too slow, there is much ground to make up against the individuals, groups and nations who use cyber to achieve their aims.
These threats are unencumbered by law, business process, or, for example restrictive rules on human resource management. Threats can be both sophisticated and well organised, or simply ad-hoc and fleeting. Flash mobs at a tactical level, and national uprisings at a strategic level seem now to be increasingly common fare; the Arab Spring, cultivated on the vehicle of social networking media, is symptomatic of how cyberspace is changing the global threat landscape.
We may all be aware of this, and are becoming more sensitive to the phenomenon, but what of the response? It is clear that there are a few facts that are irrefutable.
For the international stage, a global response is required. For national security, a societal response is needed. For individual enterprises, a whole company response is necessary. The message needs to get to every conceivable stakeholder that they each have a role to play in protecting their interests.
The Need for Tempo
Why do we say message, and not, perhaps, the rules, or the regulations? It is simply a matter of Tempo of the response. Tempo, which is a term with military origins, does not mean speed, but is more a rate of activity and is a measure of the extent to which the potential pace of the response is exploited relative to the threat. Simply put, the concept is to get inside the cyber threats’ Decision-Action cycle, to persuade the threat to simply stop what it is doing, or displace its focus persuading it to find an easier target, or to mitigate the harm it achieves by quick reaction to discovered vulnerabilities.
An analysis of Tempo shows that to achieve a satisfactory rate you need:
- A good information system that generates reliable information and intelligence, and reaches all the elements of the response.
- A decentralisation of command, and use of directives which give considerable degrees of freedom of action to various levels of the response.
- A response organised for mobility and agility, with movement skills of the highest order.
- A response in which the activity at low level is rapid, as a result of being based on clearly understood and regularly practised procedures and drills.
Regulation
So let’s take those four strands and superimpose the key question of regulation. It is our view that a highly regulated cyber security response, with a central authority (such as a Government) dictating the rules, runs counter to the need to create Tempo in the response.
Firstly, the machinery of government itself is characteristically slow. National politicians and their Departments of State cannot work at the pace needed. Primary and secondary law making practices will not change in this generation. And at the international level, bureaucracy is even worse than within nation states.
In a highly regulated architecture, there is a requirement for human resource to manage it, and even more to enforce it, and then more to audit the enforcers. These are resources that Governments cannot afford.
In the presence of regulators any instinct to share information, particularly on vulnerabilities and losses, is suppressed. Free flow of information is thus reduced, slowing the response. In a highly regulated environment, audit dodging becomes an art form. Practical experience of target-driven environments shows that human ingenuity has no bounds when compliance statistics are required by an over-imposing bureaucracy.
And it is a matter of delegation of responsibility for protective action that regulation interferes with. With tight regulation there is a natural inclination to push risk back up the hierarchy, rather than allow it to flow down through the system. To simply suggest that ‘something was not done’ as it was not required in the rules system is highly tempting, but in essence ducks responsibility. And apart from many other things, high regulation stunts innovation, agility and initiative. It runs against everything that a cybersecurity regime needs.
Where Harmonic fits in
Harmonic Limited is a specialist service provider that supports clients to win more business, optimise business performance and deliver programmes and services with greater assurance.
We assess the client’s enterprise to measure how effectively it manages cyber-related risks. We can then work with them to create a regime which minimises their exposure to harm, providing Board level assurance. Our relationship with policy makers, thought leaders and the intelligence community, as well as our knowledge of best practice, enables us to provide an agile and relevant response. Not only can we raise expertise quickly, but the nature of the expertise reaches beyond simple technological know-how. It incorporates a unique understanding of the effect required in mitigating harm being experienced in or through cyberspace, which includes knowledge of the threat, the wider stakeholder environment, and how the current regulatory regime is configured.
Knowledge of the regulatory environment is important, but more vital is awareness of how each element of the response interlocks together to generate cohesion and agility, and, most importantly, reaches beyond simple assumptions and a condition of ‘ticking the boxes’. This awareness can be hard to come by, is perishable, and can be very costly to retain on the books.
We offer clients a partnership with a competent service provider, one that has a very deep understanding of the cybersecurity domain to provide the right level of assurance. Above all else, a partner who knows that the creation of Tempo is the single greatest factor in reducing risks in cyberspace.
Creation of Tempo lies at the very centre of the Harmonic offering.
About the Author
David Livingstone is a recognised figure in the National Security field and is a Principal Consultant at Harmonic. He is an Associate Fellow on the International Security Programme at Chatham House, and has written a number of leading works on cybersecurity, counter-terrorism, serious organised crime, and related subjects.
As a desk officer in the MOD Directorate of Military Operations during his military service he led policy development in ‘Homeland Security’. In this appointment he was a staff officer in COBR and represented the MOD on a number of Cabinet Official Committees, being a founder member of the Home Defence Official Committee on Information Warfare in 1996.
He is continuing his cyber related policy research by leading a CH project on national level stakeholder identification and mapping, and is in the formative stages of new projects on the security issues surrounding the cloud computing phenomenon, and the protection of critical electronic data.
David participated in the recent DSEi 2011 Security Seminar Programme, appearing on two panels of industry experts considering ‘Securing Critical Networks’ and ‘Is the Cyber War Winnable?’