Paul Rosenzweig recently made an appearance on the Lessons from the School of Cyber Hard Knocks podcast to discuss his current work, his theories of trust, 5G network technologies, and the importance of cybersecurity metrics with RunSafe’s CEO Joe Saunders.
Currently, Rosenzweig is a cybersecurity consultant, practicing attorney, Senior Fellow at the R Street Institute, and law professor at George Washington University.
The Zero-Trust Model and 5G Networks
Before defining the three dimensions of trust Rosenzweig subscribes to, we must look at trust in the context of cybersecurity. You can think of trust as the point at which you have filtered out as much risk as you can and must rely on what remains. At that point your software is protected, and in turn, so is your company.
The three different dimensions of trust Rosenzweig discusses are:
- Technical: The present technical ability to make systems more secure
- Corporate Interest: The level of a company's compliance with a safety regime
- Nation-State Control: The degree to which the technical and corporate-interest dimensions of trust are subject to superior control or manipulation by the law or policy of a nation-state
Beyond these dimensions of trust, the conversation placed heavy emphasis on zero-trust and 5G network technologies.
For example, 5G technology carries a different risk than the software security risk you incur by downloading an app, such as LinkedIn, onto your phone. If you place these risks on a spectrum, you can see how much trust is appropriate to extend in each case.
With 5G technology, you must grant access to the network itself and the ability to manipulate it. If you download LinkedIn on your phone, you only need to worry about data access and privacy.
And with 5G, we should ask ourselves:
- How do we identify and authenticate legitimate users and devices?
- Given the known vulnerabilities, what mitigation steps can we take?
- Are there any “least interference principles” we could impose?
Cybersecurity: an Art or a Science?
Do you consider cybersecurity to be an art or a science? If you view cybersecurity as Rosenzweig does, you would agree that it is more of an art today, but that it can become more of a science by capturing and monitoring key metrics.
Today, however, we cannot measure cybersecurity efforts and reproduce their results efficiently, so cybersecurity cannot yet be classified as a scientific field.
For example, we believe two-factor authentication helps protect us. But how much does it help? If cybersecurity were a science, we would measure precisely how much protection two-factor authentication provides and improve on that data. Today, no such precise measurement exists.
Why We Need Universal Metrics for Cybersecurity
If cybersecurity is not yet a measurable field, why do we need cyber metrics? The answer: if we do not establish universal metrics for measuring cybersecurity efforts, the rate of change will outpace our ability to keep control over technology.
In addition to metrics, we need to standardize definitions and questions that pertain to cybersecurity. By establishing universal definitions and questions in the field, we will have a baseline to optimize the metrics over time.
The metrics do not have to be perfect at the beginning. But if we do not start now, creating them will become much more challenging as time goes on.
The Implementation of Cybersecurity Metrics
So who or what should be in charge of beginning this process? Rosenzweig advocates that the United States government should start measuring its cybersecurity efforts.
We should begin by aggregating metrics that measure similar things in different ways.
For example, if we were to collect 50 different definitions of a data breach, all 50 would be alike but not uniform. Even so, they would give us a starting point for creating a standard data-breach report.
After standardizing cybersecurity definitions and questions, the government should think of new things that we should measure.
By doing so, we also address Rosenzweig's most challenging lesson in cybersecurity: human experience is never ideal, so don't let the perfect be the enemy of the good.
Looking to increase the speed and effectiveness of your response to a cyber breach and learn more about immunizing your software? RunSafe’s new Alkemist:Flare continuously monitors the health of your systems during runtime to provide indicators of stability, reliability and vulnerability while instantly flagging failures and potential attacks. Request a free 30-day analysis of runtime vulnerabilities today.