Legislated security always fails. Government cannot tell people what to care about; markets can. That’s why I’m so excited about reading Cyber Doctrine: towards a coherent evolutionary framework for learning resilience, which has finally been released by The Institute for Security & Resilience Studies at University College London.
This report seems to take into account the inherently dynamic and unpredictable nature of the cyber landscape in a way that many others have not.
The findings are clearly marked as “provisional”, yet they speak in terms an evolutionary framework that, unlike most of the other stuff I’ve seen, speaks of – in fact, relies upon – the value of resiliance and security to competition and entrepreneurship.
This is a fundamentally better way to approach the topic than those which seek to “keep computer users safe” or establish legislation to defend against any particular thing.
I am working my way through it now.
A friend who works in London has been talking with me with great excitement about this document for some time. The Cyber Doctrine, written by Dr JP MacIntosh; the Rt Hon Lord Reid of Cardowan; and Len Tyler OBE, seems to me a great candidate for an Intel Intelligencer, because within its pages are well-sourced and well-stated thoughts about the definition and state of cyber in the UK and beyond.
If you want to get an idea of where the most clued-in minds believe cyber policy (which would affect everything from policing to banking to war to smut and entertainment to kids’ games and university degrees) it’s a must-read.
It is highly original, but of course Cyber Doctrine draws on and refers to other works – most notably the latest White House proposal on the same subject, entitled International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World, released in May, and that of the House of Lords from 2009, entitled, Protecting Europe against large-scale cyber-attacks.
But as I say, it departs from those by viewing cyber security through the basic tenet that security and resilience are good for business:
The proposed Doctrine is founded on the recognition that resilience is competitiveness. It should be synonymous with entrepreneurship. At its centre is the vital principle of the easy integration of competent authorities and capabilities with the capacity to manage and innovate. Sustainable resilience in cyberspace will derive from open sources and standards, driving an internationally coordinated approach to Research & Development.
The report brings home in specific detail why this matters to everyone:
- From the Neo-Taliban’s propaganda front nurturing a cyber-Ummah out of the borderlands of AfPak, sometimes with skills learned in Yorkshire schools and colleges;
- To High Frequency Traders, un-chastened by the Great
Recession or the Flash Crash, profiting through processes operating near the speed of light;
- From the raw statecraft experienced by Google and Morgan Stanley as the Chinese seek to shape the future;
- To paedophile “grooming” of children and their use of proxies; and
- Would-be stalwarts of Global Civil Society valorising privacy and Wikileaks
It also addresses some previously sacred cows: the role of politics in doctrine, the changing nature of the “competent authority,” issues of trust, and of legal frameworks being artificially pitted against politics and/or economics.
It is clear about its limits:
We do not suggest that doctrine is a universal panacea. It can provide a framework for learning, which brings coherence to many strands of otherwise discordant activities. These range from the strategic to the tactical, encompassing the organisation of capabilities through entire life cycles. Without undermining or obscuring the value of drills, cyberspace and cybersecurity presents doctrine with fresh challenges.
This is not something to be breezed through; this is a good, long read; it is the basis for debate; it is the fodder of worthwhile policy strategy. I highly recommend reading it, as it is this kind of thinking that advances cyber discussion from meaningless buzzwords and marketing drivel to useful, good work that will keep society safe and prosperous.