Though New York is one of 23 states to establish an official cybersecurity task force through executive order or legislation, the Governor’s Cybersecurity Advisory Board should not be confused with the non-governmental New York Cyber Task Force, sponsored by Columbia University. and composed largely of individuals working in academia and the financial sector.

Jason Healy currently serves as the New York Cyber Task Force’s Executive Director as well as president of the Cyber Conflict Studies Association. He previously served as an editor of the original history of cyberconflict, A Fierce Domain: Cyber Conflict, 1986 to 2012, in addition to being the Director for Cyber Infrastructure Protection for two years at the White House under President George W. Bush’s administration. He also led the important Cyber Statecraft initiative at the Atlantic Council.  In his capacity as a leading figure at the New York Cyber Task force, Jason has been driving an ambitious initiative to revolutionize the power dynamics of cyber conflict in order to maintain an open yet resilient internet.

The Offensive Advantage in Cyberspace

As warfare has become increasingly irregular, a result in large part of the ever-declining barriers to acquiring military capabilities, defense has become disproportionately expensive. As of 2001, it cost on average only $150 for a Palestinian to conduct a suicide bombing in Israel, with the largest cost being transportation. By contrast, the cost of providing round the clock protection to the breadth of vulnerable soft targets is unimaginable.

It is in this broader context that Jason Healey and the New York Cyber Task Force have been attempting to address the offensive advantage in cyberspace. In terms of money and man-hours, cyber attacks have been consistently and considerably more affordable than cybersecurity defenses. In part, this may be because cyberattacks can function similarly to insurgent attacks on physical soft targets. An early acknowledgement of this fact came in the form of the 1991 report Computers at Risk, which noted that the attacker only has to target a single vulnerability, while cyber security has to defend all of its vulnerabilities. While there may be rare cases in which the explosively expansive nature of the internet can lend an advantage to the defenders of cyberspace, it typically serves to enable cyber attacks. The more computers linked to a single company’s network, the greater the range of potential vulnerabilities an attacker can select from to exploit.

Despite the broader context of offensive advantage in guerrilla attacks, Healey is attempting to combat the notion that an offensive advantage in cyberspace is inevitable. Indeed, the offensive advantage is hardly universal. After all, the—admittedly imperfect–3:1 rule of combat dictates that a numerical advantage of 3 times the defensive forces is required in order for an offensive operation to be able to anticipate success. The New York Cyber Task Force has not contented itself with doomsaying the unsustainable nature of the offensive-defensive imbalance in cyberspace, but have rather dedicated themselves to finding ways to buck the trend, and establish a truly defensible cyberspace. Healey describes defensibility as being characterized by difficulty imposing destructive consequences on another actor’s system, resiliency in the face of flaws and tribulations, quick and responsive recovery, and, more generally, sustaining the internet’s high value. This, he maintains, is achievable.

A major challenge for the New York Task Force, if they are to prove the naysayers wrong, is establishing accurate measures of their victories and losses as they seek to strengthen the defensibility of cyberspace. To this end, Task Force member Yurie Ito has led CyberGreen in attempting to assemble relevant statistics. Though he acknowledged that reliable measures remain scarce, Healy endorsed the use of indirect measures such as the Index of Cybersecurity—which has recorded increasingly pessimistic opinions among cybersecurity since its debut in 2011—in order to give an idea of where things are headed. He also recommended the yearly Verizon Data Breach Investigations report, which has demonstrated, unencouragingly, that the escalating speed with which attacks can be conducted outpaces similar increases in detection speed.

Technological Elements of Defensibility

Of course, offensive/defensive advantages can hardly be reduced to a binary. The “scale” of an advantage is just as important as its directionality. While incremental gains for defensibility may still be worth pursuing, they must be distinguished from game-changing solutions representing more cost-effective investments in defensibility. Such “hyperscale” solutions must be the primary focus if the offensive advantage is to be sufficiently reversed as to secure a stable and positive future for cyberspace. Simultaneously, if a dystopian future of cyberspace is to be averted, the internet must remain relatively open. This represents a substantial challenge, because much of the internet’s vulnerabilities are attributable to the fact it was designed primarily with accessibility, rather than security, in mind.

Jason Healey outlines several ways in which technologies can be game-changing. Some technologies, such as the cloud, creates a unique new environment in which the massive scope actually serves to strengthen defenses over offenses, rather than emboldening offensive strikes against one of a plethora of soft targets. Others, such as encryption, take a specific vulnerability and tip the scales decisively in favor of the defense, turning it into a position of strength. Finally, some technologies may rectify non-technological sources of defensive weakness. Automation can serve to remove the risk of human error. The debut of automated updates by Windows in 1998 demonstrates this point. Though it was an expensive project, the result was a significant improvement to the security of “millions or even billions of computers”. Another innovation that would seem to function similarly—though Healey lists it with his game-changing operational reforms—is the use of automation by the Finance Sector Information Sharing and Analysis Center to drastically cut down on the time needed for financial institutions to access their information and act on it.

Healey’ list of examples of game-changing technologies included “authentication beyond passwords”, especially “two factor authentication”, “RSA tokens”, and the game-changing authentication leap of “Kerberos”. It also included, “mass vulnerability scanning”, especially “nmap”, a free open source network scanner, enabled quick and simple surveying of ones own network, and by extension identification of problems therein. Additionally, “Built-in NAT for home router”, which has provided every household with its own simple firewall, and prevented networks from being easily visible to attackers; along with “Development environment security”, especially “heap protection, kernel memory protection, compiler driven fortification” and “stackguard”, which have helped to prioritize  security over compatibility. Healey does express some reservations about his inclusion of “secure default configuration” and “DDos protection” as game-changing technologies, in the case of the former because the benefits are relatively minimal, and in the case of the latter because the cost is so high, though the improvements to an online network’s resiliency may be uniquely beneficial.

Why Organization is as Important as Technology

The human elements of cybersecurity cannot be forgotten amidst a misguided belief in technological determinism. Operator error may lead to dysfunctional use of even flawless systems. Cyberspace can only be truly defensible if operator sloth and uncertainty are no longer vulnerable to exploitation. Accordingly, Healey lists responsive and active mulit-stakeholder governance and adaptive crisis decision making as key characteristics of a truly defensible cyberspace.

Though the offensive advantage has been possessed by the entire spectrum of nefarious actors, from criminals to militaries, defensive actors were not created equal. It is therefore necessary to determine which are most cost effective to invest in. For example, Healey argues that investing in government bureaucrats will likely be less effective than investing in grants to internet service providers. Market incentives have also been dysfunctional, leading to an increasingly broad selection of cybersecurity products, rather than more effective products. Improving quality may fail to improve sales sufficiently to offset the cost, even if Microsoft and Apple started to prioritize more effective cyber security.

Still, one organizational approach that is key to establishing a defensible cyberspace is collaboration between a broad range of actors, public and private, because the end goal of defensibility is not limited to a single organization’s security, but rather extends to all of cyberspace. Those solutions able to be applied at this macro-level are especially significant, as they prevent the attackers from simply being driven toward an easier target. Healey has specifically singled out the group “The Cavalry” as an example of the sort of group that can help facilitate collaboration between academic, corporate, and government actors to find collaborative solutions to their shared problems.

In his 2010 book, The Diffusion of Military Power, Michael Horowitz argued that paying attention only to the technical aspects of a military innovation may result in full adoption of said innovation stagnating for years (23,27). Jason Healey has similarly decried the pervasive failure to take into account the role of organizational approaches to establishing a defensible cyberspace. Horowitz further noted that the organizational challenges inherent in adopting cyberwarfare specifically would be particularly significant, given that it represents an entirely new area of warfare, but he also acknowledged that these challenges were not insurmountable (221). Just as organizational reform may be critical to victory in cyberwarfare, it may enable cybersecurity institutions to gain an edge over their attackers.

Organizational Elements of Defensibility

Jason Healey distinguishes between two oft conflated subtypes of organizational game-changers, namely operations and policies. Both operations and policies are more difficult to identify as game-changing compared to technologies, which are more concrete and as a result have less ambiguous consequences. However, game-changing policies are particularly difficult to identify, because they typically have mixed results, benefitting some defensive actors and harming others. Consequently they have been acknowledged even less than game-changing operations. Nevertheless, Healey and his New York Cyber Task Force created a short list of game-changing developments for each type of organizational innovation.

In terms of operations, the organizational shift towards greater sharing of information was certainly key to the previously mentioned game-changer of “Automated sharing of threat intelligence”, even if it also involved a technical component, . The innovation of Computer Emergency Response Teams (CERTs) almost 30 years ago and Chief Information Security Officers (CISOs) 25 years ago represent similar operational game-changers. Notably, both operational reforms were only implemented after a devastating cyber attack illustrated the need for greater attention to security. Since their debut, these specialized roles for personnel have come to be regarded as critical capabilities for any serious enterprise. Another critical shift in operational thinking took the form of “’bug bounty programs’” whereby rewards would be made available for finding vulnerabilities, rather than attempting to silence such discoveries. Other operational game-changers may include some especially effective “volunteer groups and industry alliances”.  Finally, the concept of “cyber kill-chains”, developed by a team at Lockheed Martin, significantly improved the ability of cyber defense professionals to understand the offensive processes they needed to thwart.

The Cyber Task Force acknowledged that game-changing policies may appear at different levels of analysis, ranging from “high government”, largely comprising norms; “governance”,  including the “Internet Corporation for Assigned Names and Numbers”; “regulation”, as demonstrated by the cyber policies of bureaucracies like the SEC and FTC; “domestic policy”, such as “the Australian Voluntary Code of Conduct for Internet”, and “corporate initiatives”. As for game-changing policy examples, the “Budapest Convention on cyber crime” can be interpreted as just such a “hyperscale” example of “high government” policy, while “the NIST Cybersecurity Framework” represents a “domestic policy” game-changer. A corporate initiative to motivate greater engagement with cyber threats on the part of the board of directors may likewise be game-changing. As an “affiliate” at the Center for International Security and Arms Control at Stanford, it is perhaps unsurprising that Healey highlights the attempts to apply the Wassenaar Arrangement on arms control to cyber tools as an example of a cyber policy that would backfire, increasing defensive cyber expenses far more than offensive expenses.

Determining the Future of Cyberspace

Rather than simply extrapolating from current trends to examine a “Base Case” future, examining “alternate futures” may be necessary, given the vast uncertainty inherent in cyberspace. As a nonresident senior fellow at the Atlantic Council, Jason Healey was the primary editor of a 2015 document produced in partnership with the Zurich Insurance Group and the Frederick S. Pardee Center for International Futures, that outlined precisely these sort of alternate futures. Similar sets of alternate futures for cyberspace had previously been proposed, in Microsoft’s Cyberspace 2025, published in 2014, and CISCO’S The Evolving Internet, published in 2010.

The first two of Healey’s four alternative futures emerged from the “axis of uncertainty” over whether the internet will remain an invaluable resource, or whether the offensive advantage will persist to such a degree that hacking, cyberwarfare, and trolling render it inherently unreliable, and represent opposite ends of the spectrum. A “Cyber Shangri-La” future would be the ideal outcome, wherein hyperscale technological solutions live up to their full potential, reversing the offensive advantage and establishing a truly defensible internet, whereas a “Clockwork Orange Internet” represents a worst case outcome, in which the offensive advantage grows to the point of “supremacy”, making cyber defenses futile ventures that are inevitably and quickly dismantled by attacks, even as bullies and trolls make an internet presence unappealing. While the Shangri-La future would only develop gradually, the transition to a Clockwork Orange Internet could either develop gradually or rapidly. The cost of internet use could persistently grow relative to the services it provides, or the Clockwork Orange future might be brought on abruptly by a crisis, such as the debut of a devastating offensive cyber innovation, or a massive conflict in cyberspace.

While in the Shangri-La future, ordinary people would be able to still feel that their privacy was being respected, and trust that they are safe operating in cyberspace, a Clockwork Orange future would be characterized by a lack of trust, causing and being caused by the collapse of secure internet infrastructure available to ordinary people. As an online presence becomes intolerably dangerous, privacy becomes not only nonexistent, but irrelevant. Consequently, the “information and communication technology” (ICT) industry would develop quite differently in the two hypothetical futures. In the Shangri-La future, the full range of web-based services would be available to everyone, integrated into every economy, and fostering rapid innovation. By contrast, in the Clockwork Orange future, the high cost of maintaining constantly eroding defenses would render such cyber products into luxury goods, only possessed by the wealthiest actors, and cutting-edge innovations would be divorced from ICT, even as web-based technologies taken for granted in the present would become unsustainable, due to their dependence on a large user base.

The greatly reduced market in the Clockwork Orange condition would result in a massive blow to global GDP, particularly as compared with the benefits that might be derived from Cyber Shangri-La. While in the Base Case, the industry could be expected to contribute $160 trillion to the global industry by 2030, in the Shangri-La case this would rise to $190 trillion, and in the Clockwork Orange case it would sink to $70 trillion. International security might suffer similarly. A Shangri-La future would be characterized by thriving globalization fueled by the total proliferation of communication technologies, and international cyber-security cooperation as the norm. Those communication technologies would virtually disappear in the Clockwork Orange future, and globalization with it, as constant cyber-offensives against other nations takes the place of cost-ineffective cyber defenses.

The other two alternative futures were derived from another great uncertainty, the extent to which government regulation would take the lead in shaping cyberspace, as compared to  private enterprise (Risk Nexus). The “Leviathan Internet” scenario represents a future dominated by governments, while the “Independent Internet” represents one dominated by the private sector.  In the Independent future, governments becoming powerless to enforce regulations on tech companies would constitute the most glaring shift, but in the Leviathan future, unrestrained government regulation would reshape the internet itself in dramatic ways. In the Leviathan future, the internet is no longer a unitary entity, having been divided into several distinct systems, so as to better cater to the preferences of different sovereign governments. These divisions could occur along cultural lines, in a “’Huntington Internet’” variant; between ideological blocs of transparent and closed states, in a “’Iron Curtain’ Internet” variant; or between trade blocs, in a “’Schengen Internet’” variant. By 2030, the separate internets would have already developed so differently that they would no long be compatible, even if there was a desire to reconcile.

In the Leviathan future, individuals have low levels of privacy from their governments, but high levels of privacy from commercial entities, while the situation is reversed in the Independent future. The impact of the Leviathan and Independent Internet alternate futures on global GDP is comparatively mild, but that does not constitute the extent of their economic repercussions. In the Leviathan future, GDP growth would continue, but at a less dramatic rate than current technology trends might suggest, because hard borders would obstruct collaboration. The cyber industry’s estimated contribution to global GDP in this future would be $140 trillion, as opposed to $160 trillion in the Base Case. In the Independent future, the loss to Global GDP would be insignificant, but income inequality would increase to a greater degree.

Interview Transcript

I was able to ask Jason Healey a few questions about his work.  Responses are provided in full and unedited below.

Tyler Robinson: You address the problem of market incentives to produce an increasing variety of cybersecurity products rather than increasingly effective products. How might this worsen the problem of a broad array of vulnerabilities needing to be defended in an expanding cyberspace? 

Jason Healey:  There are only a few kinds of ways we might fix a broad array of vulnerabilities. We might fix each and every kind, building in security for each and all. That’s never worked, nor will it anytime soon. There’s more promise though in taking different kinds of vulnerabilities and finding fixes for each. For consumer devices (phones, fridges, cars) there is just enough room for optimism that Consumer Reports and other efforts might get consumers to easily recognize which devices are safer than others and that drives market choice. There may also be promise with common-mode successes. We normally think of common-mode failures, where all devices fail at once due to having the same vulnerability. We can also discuss the upside of this where a few good solutions can fix a very, very wide range. For example, I’m thrilled that Microsoft has been pushing to use formal methods (which are increasingly inexpensive) to more securely code Open SSL and other key pieces of software.

The same applies to security software as well. New security tools deployed within an enterprise are perhaps the principal path through which we achieve security. Not only are these as efficient as solutions that can scale across all of cyberspace, but each is easier for attackers to bypass. In addition, each has their own vulnerabilities which can be used to unravel all the other protections. It is far less likely to bypass solutions at scale or operational innovations like information sharing.

Tyler Robinson:  As someone who has worked in arms control as well as cybersecurity, do you think there is potential for cyber arms control policies that might actually improve defensibility, in contrast to the Wassenaar Arrangement?

Jason Healy:  Sorry no, I’ve never worked arms control directly. But if I had to start somewhere, I’d seek an agreement between major nations which have defense industries: US, UK and France to start, then maybe Israel and Italy. Each would agree to norms about export by their defense industries. This could at least limit whether these nations would help, for example, Gulf nations build cyber commands and capabilities.

Tyler Robinson:  Since you proposed four alternate futures back in 2015, have any of these futures begun to seem any more or less likely?

Jason Healey:  Oh yes. Clearly we are heading down and to the left, that is, we are heading towards “Clockwork Orange Internet” where the attackers are having increasing advantage. Also nations seem to be gaining more control over tech companies. This is still not as strong a trend, but certainly strongman, as populist and nationalist leaders, are likely to use their power to coerce tech companies to agree to implant backdoors, weaken encryption, or the like. National security will be the primary driver of technology policy. Indeed, that’s much of what the current Huawei issue is about.