Do we need a new cybersecurity organization?
What does it mean for higher education to exercise agency?
If asked what I’ve learned throughout my career in cybersecurity, I’d answer, to paraphrase, we have an inordinate fondness for communities. It seems that in any gathering of cybersecurity professionals, the talk inevitably turns to the need for a new organization: a club, an ISAO, or an ISAC. This isn’t to say that every existing cybersecurity organization is failing. Many of them make an important contribution to information sharing. They provide a forum where members of a sector’s practitioner community can ask questions and discuss issues. But as I’ve mentioned before, we’re a quarrelsome lot and everyone has their own view of what’s needed.
Take ISACs for example; we do have a legion of them. A little googling turned up around 90[1]. As far as I can tell they all do roughly the same thing. They provide some sort of forum or mailing list for discussion topics, and they host occasional get-togethers for members. Often members of their leadership teams sit on a panel and try to represent the interests of their community. But honestly, they’re largely interchangeable. Some of the more sector-focused groups do give greater attention to sector-specific technologies or vulnerabilities, but often that’s largely performative since their ‘intel’ is usually drawn from other public sources. The same sources we all have. Most large organizations will have elements of many of the different sectors in their environment; with few exceptions, any well-run ISAC fills the needs of most sectors[2].
I think part of what is missing from all these organizations, and why despite their proliferation we still debate creating new ones, is that they don’t represent us, they are representative of us. This was quite striking when I was more involved with the REN-ISAC. The needs of the smaller member organizations, with budgets the larger schools would consider a rounding error, and staff headcounts often in single digits, are so radically different from the larger R1s that discussions about organizational services simply went nowhere. That is, the organization reflects the heterogeneous nature of our community in its activities. This pulls the organization in every direction simultaneously, thwarting progress. Higher education speaks in cacophony, not with a singular voice. For in many ways, we are a cacophony.
Imagine having a town hall made up of hungry people on one side, and the affluent on the other. The topic is ‘food’. One group is arguing for more bread, the other wants more French bakeries. No one is asking “do we have enough wheat farms?” In a nutshell that’s our problem. When I would discuss this with colleagues we could all agree that we may need both, the bakeries and the loaves of bread. But as a community, higher education needs someone to be asking about wheat farms.
It’s reasonable to ask if some of the other, more general higher education organizations currently fill this void. I’m thinking of groups like ACE, APLU, COGR, or AAU. These organizations do respond and comment on (and thus try to shape) Federal proposals for policy and regulations. It makes for fascinating reading to browse their websites for items related to cybersecurity. The items pertaining to forthcoming regulations (such as this example from AAU related to research security) have a fairly predictable and consistent style. Some gentle red-penciling about conflicting terminology, plaintive nudging of the issuing agency for clarity, reminders that consistency is the hobgoblin of little minds, er, that all universities are different and cybersecurity regulations need to reflect and respect this. This is all quite valuable, and across all of the organizations there’s a remarkable professionalism and thoughtfulness on display.
But fundamentally, they are reactive to federal proposals; they do not steer or shape the policy discussion that these regulations stem from. They are bureaucratic responses, not strategic. When I think about what we’re missing in our national representation, I feel we need someone who speaks collectively for higher education’s security strategy; advocates for new legislation or regulations on commercial businesses (our supply chain); and works to tackle the major systemic challenges[3].
In short, a kind of organization that doesn’t merely react to policy, but helps create it; one that gives higher education a coherent, authoritative voice in the national security landscape. Through such an organization, we should be able to articulate a unified strategy and shape the regulatory environment rather than merely absorbing it.
Of course, there are organizations that tackle this challenge more broadly, such as the EFF (Electronic Frontier Foundation), Center for Democracy & Technology, ACLU (American Civil Liberties Union), Stanford Center for Internet and Society, or Fight for the Future, all of whom work on big-picture freedom and democracy issues. The challenge for higher ed in partnering with any of these is that they have become part of the right-wing culture war; as crazy as it seems, simply being pro-democracy and anti-fascist now makes you a target for physical and political harassment. Further, while the issues these organizations address are generally supported by academics, they do not represent the community of higher education, nor the dimensions of cybersecurity[4].
We need to think about the question I asked earlier, “What does it mean for higher education to exercise agency?” which is the meta-version of “What does it mean for higher education to exercise agency around cybersecurity?”[5] Historically, higher education has been allergic to any issue that is remotely political. Yet, in an era of hyper-politicization, schools are in a difficult position. Almost any institutional stance is now framed as evidence of political or cultural wrongdoing[6], so it’s no surprise that there would be even greater reluctance to engage nationally at the moment.
While I argue that the ‘agency’ I’d like to see involves actively pursuing changes to national policies that address the larger open questions, there’s a lot to do to prepare for that[7]. First, we would need to coalesce the community around the specific issues, goals, and language to discuss them. We’d want to lay out the risks, not just to higher ed but to the country, of failing to address them. We’d have to articulate why simply continuing down the path we’re following isn’t sufficient. Of course this is all assuming that as a community we want to go down this path. Much of my writing on this blog makes the case that real change in the real world requires real change in us. That the slow incremental progress we show in cybersecurity at our institutions, though necessary and valuable, fails to address the larger political and cultural barriers to privacy and security.
Which brings me back to my opening question: do we need a new organization that focuses on information assurance? One that could represent higher education writ large. It’s unclear to me if we need a new one or we merely need one of the existing organizations to take up our cause. Clearly there’s nothing preventing an AAU or COGR from sponsoring the prepwork I mentioned above. But if we want to move past that prepwork, and deeply into the advocacy for social change, I’m skeptical that they’re the right place for that work.
Deciding whether a new organization is needed forces us to confront competing strategic realities. On one hand there’s the attractiveness of a new organization and with it all the opportunities afforded by an absence of traditional practice and biases. On the other, creating a large, national-scale organization is not for the weak-willed, and much of the energy that could be used productively in advocacy and message development would be subsumed in organizational logistics. It could be that there are far better organizational models we should look at, perhaps from industry, or that some sort of hybrid model is best: prepwork under the auspices of an existing set of organizations, and at a future time the creation of a new unit focused on advocacy.
I suspect any security practitioners who are reading this might be wondering just where they are in this analysis. I would ask them to reflect on whether they feel prepared to enter the conversation. It’s one thing to say “the supply chain is an acknowledged risk, and here’s what we can do locally to manage that”, and it’s another to say “why is the supply chain such a risk and what would I advise national policy makers to do to address it?” Going to your institutional leadership and engaging in that conversation is probably going to fall on deaf ears. Universities are notoriously conservative, and few CISOs or CIOs are positioned to influence the activities of their office of governmental relations, or what decision makers convey to AAU or APLU on these issues.
Practitioners should frame supply chain and institutional risks by including observations on these root causes. Your need to perform endless procurement reviews and vulnerability management stems from the unreliability of the products. That part of your hesitation to support third-party personal services is because they operate without any meaningful cybersecurity or privacy regulations. That there’s a cost to living with 50 sets of state privacy and breach notification laws instead of one strong Federal policy. No doubt that if asked, many in your leadership are vaguely aware of this, but it needs to become a drumbeat. Recognize that your technical expertise provides the only credible data for this strategic policy conversation. No one else has the daily, tactical insight into the failure of the status quo. For you, this can become an influence campaign almost immediately - a form of empowerment.
In my posting on supply chain confidence I asked everyone to think about what might be a triggering event - what would push the higher education voice into the forefront and thus become a springboard for a national influence campaign. We have examples of national press highlighting the threat, for example “Cyberattacks’ harm to universities is growing — and so are their effects on research” in Nature, but this and similar pieces focus on the downstream impact on education or research. We need to highlight how these attacks stem from structural weaknesses in national policy. To say, as the article does, “Many universities have older, outdated security systems as well as diverse digital infrastructures and communities that can make it easy for hackers to infiltrate such systems” is plainly true. But it ignores that those diverse digital infrastructures are increasingly made up of contemporary commodity services. We have older, outdated security systems (whatever that means) because we’re spending all of our resources responding to the flaws innate in our software and services, or shoring up services with basic security functionality that ought to be delivered with the product. This requires discipline and a commitment to a campaign of messaging, again, something we can start as soon as tomorrow.
Finally, we should think about what it means to practice cybersecurity in higher education. Most of us have spent careers negotiating with our institutions for the resources to implement commonly accepted best practices. The more mature institutions have adopted some standard or a framework such as NIST CSF, and systematically chip away at the gaps in their implementation. It’s hard to see that changing - or a reason to change it. These standards and frameworks represent the collective wisdom of the field. Typically when asked a question such as “what is the approach to infosec in higher education,” we respond with our cacophony of voices - we’d survey some subset of institutions and pray that it was broadly representative. I suspect we’d paint this as a tailoring and scaling exercise, to wit: “every institution has unique characteristics and thus choose a framework and standards that align with each school’s unique needs and risk tolerance,” that is, our eccentricities.
Yet in the minds of our federal policy makers the world map consists of Russia, China, and ‘Other’, and so I fear that the tailoring-and-scaling message appears weak. Worse, in that academia presents itself as the national braintrust, such a message can only further erode confidence in our ability to self-manage[8]. I know, and have at times argued, that part of our strength is our heterogeneity - monoculture is as dangerous for cybersecurity as it is for agriculture. Nevertheless we have to acknowledge that how we administer ourselves, including managing institutional cyber risk, is more similar across institutions than not. Institutional distinctiveness is not found, nor required, within institutional cybersecurity posture.
Answering how higher education addresses cybersecurity with a response focused on standards and our uniqueness sidesteps the issue. Higher education’s cybersecurity problem is no longer technical—it is civic. It is civic because cybersecurity now reflects the choices a society makes about regulation, accountability, and the digital commons. Perhaps it has always been this way.[9] So when we’re asked what we’re doing about cyber risks, or how we could have allowed a breach to occur, we need a civic response. Not a plaintive cry about resources or uniqueness, but that in the modern age, cybersecurity breaches and the damage they do to individuals, corporations, and the national health and security have become the cost of doing business. The only reasonable response is either capitulation or to change how business is done. Achieving that falls not to us alone, but to those who control the playing field. But we, collectively, should become a voice the policy makers listen to. Policy makers need credible voices pushing for that change. Our daily experience managing vendor failures gives us credibility no other constituency possesses. Being afraid to enter the game because it is hard, or politically fraught, is a form of anticipatory defeat, and one we cannot afford.
[1] It’s a bit dated but this is a good start for ISACs and ISAOs.
[2] Having the distinction of authoring an essay on the essential nature of the higher ed ISAC, the REN-ISAC, I have to confess feeling its time has come and gone. For some time it’s been little more than a mailing list and it has failed to evolve from its roots twenty years ago. While other ISACs have professionalized, the REN has doubled down on its clubhouse vibe; some of that constraint probably results from its coupling to IU.
[3] Such as the ones I call out in this blog. But as I said earlier, I think these make a good list, but further debate might evolve or change it significantly.
[4] I’m not going to say much about the effectiveness of these organizations. They all do good work, some more broadly impactful than others (such as the ACLU). But in the ebb and flow of societal change, they seem to be eddies rather than rip-tides. That’s merely my impression, and isn’t informed by any analysis or study.
[5] I think the former may be the necessary question, for it’s hard to imagine the cybersecurity community - on its own - galvanizing and representing the wishes of higher education. Most CISOs need permission from their public affairs offices merely to speak to the press, let alone offer an institutional posture towards an issue.
[6] More bluntly, anything not racist is now attacked as being racist. Orwell couldn’t have made this up: https://www.mapresearch.org/2024-dei-report.
[7] Prepwork that we can act on, without antagonizing the current administration.
[8] The obvious component to this discussion I’ve ignored is the role of academics in this conversation. Clearly there is a more established presence for them, as public intellectuals. However, I’m struck by their general absence in the public debate around cybersecurity, as well as the struggle for persistent partnership between academic researchers in the cyber space and cybersecurity practitioners. It too, where it exists, tends to lean into technical issues, rather than civil.
[9] To quote a wiser and smarter colleague, “One of our study’s goals is to re-energize the R&E community to actively participate in policy making, just as they did during pivotal moments such as the establishment of DMCA safe harbors and early Internet governance. John Curran, CEO of ARIN, has highlighted how the technical and research communities must remain active participants in shaping Internet infrastructure governance, security, and stability. We agree that community involvement is vital to preserving the collaborative and resilient nature of Internet resources in the R&E community and beyond.” https://pulse.internetsociety.org/blog/are-research-and-education-networks-critical-infrastructure.



Did some quick digging and found that UL (now called UL Solutions) has a number of cyber standards already in place.
🔐 UL Cybersecurity Standards — Key Published Standards (source: shopulstandards.com)
UL 2900-1
Full name / scope: Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements
Purpose / use case: General cybersecurity baseline: tests software for vulnerabilities, software weaknesses, malware; ensures secure architecture/design and risk management for any network-connectable product.
UL 2900-2-1
Full name / scope: Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Healthcare and Wellness Systems
Purpose / use case: Focused on network-connectable medical devices and healthcare systems; aims to integrate cybersecurity with safety and essential performance requirements.
UL 2900-2-2
Full name / scope: Software Cybersecurity for Network-Connectable Products, Part 2-2: Particular Requirements for Industrial Control Systems
Purpose / use case: Addresses cybersecurity requirements for components used in industrial control / operational technology (OT) contexts — e.g., PLCs, SCADA, process control systems.
UL 2900-2-3
Full name / scope: Software Cybersecurity for Network-Connectable Products, Part 2-3: Particular Requirements for Security and Life Safety Signaling Systems
Purpose / use case: Designed for software in electronic physical-security and life-safety systems (alarm systems, access control, fire alarms, surveillance, etc.), providing baseline cybersecurity standards for such connected systems.
10 years ago, politicians were focused on the need for cybersecurity training at the K-12, community college, and higher ed level. Here in VA, that emphasis led to the creation of the VA Cyber Range (virginiacyberrange.org) that was created at VT. I wonder if we can use this "angle" to get politicians to pay attention to the problem you mention. "EDU" is going to be the 4-letter (ok, maybe EDUs) word for the next 3 years. Create a policy shift by using the "we're teaching you and your kids to be safe online" approach. Look at how the auto industry went from being extremely opposed to seat belts to incorporating them in every vehicle. What about creating a cyber version of the Underwriters Lab (UL) for electrical devices? Mudge tried to do this a couple of years ago but I think his timing was too early for the general public. The Cyber UL wouldn't try to analyze actual vendor code (no vendor will release their code); rather, it'd analyze the susceptibility of a software product to "all" of the known software attack vectors. The Cyber UL creates a "safety/risk" scale of vendor products based on a product's external view instead of the internals.