Preface

The idea for this book coincided with a conference on Cyber Security Policy (SIT 2010). The conference had sessions ranging from security technology investment decisions by venture capitalists to the implications of cyber security policy on personal privacy. Though all speakers were experts in their field and were asked to address cyber security policy topics, many instead focused on strategy or technology issues. Even where it was clear that policy was being discussed, policies were often not articulated clearly enough for panelists and audience members to participate in informed debate. This observation itself became the buzz at the conference and made it a truly memorable experience for many who attended.

The experience made it clear that cyber security policy means different things to different people, even those who work in cyber security. This conclusion led us to the format of this book. That is, the book is designed to lead the reader through concepts that are individually easy to assimilate, and collectively provide a solid understanding of the field of cyber security and the place of policy within it.

We also knew that there is no one person experienced enough in cyber security to have been able to single-handedly write this book. The team was chosen to ensure that all the major fields of experience in cyber security were covered. Each contributed to chapters and sections that were specific to their experience. However, all chapters were scrutinized by all authors to ensure a cohesive presentation for the expected variety of readers.

Policy is the domain of authoritative executives. Executive authority may stem from the social contracts by which governments are established or the domain of a private enterprise. This book was written with those executives in mind, but it is not intended solely for their consumption. In order that cyber security policy analysis receive the critical scrutiny essential to sound legislation on both public and private fronts, the audience for this book must extend to executive advisors, educators, researchers, legislative staff, and practitioners in the field. Though each member of the audience brings his or her own background and experience to the material presented herein, we expect that current concepts on cyber security policy will be enriched by sharing this common presentation framework and nomenclature with colleagues in the same field, whose professional experience has exposed them to cyber security issues of varying scope.

Most literature about cyber security falls into two categories: technology and advice. This book will refrain from technical jargon and also from recommendations with respect to decisions in any given case of cyber security policy. Although the book endeavors to explain technology issues in cyber security, it does so in layman’s terms. At the same time, the book emphasizes the importance of critical and analytical thinking about decisions with respect to cyber security and will equip the reader with descriptions of the impact of specific policy choices, letting the reader decide whether to view that impact as positive or negative.

This guidebook integrates explanations of cyber security policy alternatives across potential executive, legislative, judiciary, commercial, military, and diplomatic action. Readers across these disciplines are expected to view its contents through the lens of their own area of expertise and also gain insights from issues encountered by others. It will be an introductory text for the uninitiated, while at the same time providing a holistic reference for experts in the field of cyber security.

Originally, the outline of the book was divided into policy domains as defined in the conference, and from these were created book sections assigned to each author. Once work began, however, there was immediate skepticism and doubt among the authors on the approach. Some topics at the conference were broad in scope. For example: Law Enforcement, Privacy, Civil Rights, and Personal Liberties; Emergent Technologies, Innovation, and Business Growth; and Global Implications of Cyber Security Policies. Others were focused on a specific type of system, such as Next Generation Air Transportation System and Electric Power Distribution. No one thought that simply combining policy content from each section would achieve the mission of the volume. The volume could not appear splintered into sets of issues of interest to only one industry while still achieving its goal of educating an outsider on what a cyber security policy issue was. This recognition led to the development of a more holistic, unified view of the guidebook approach.

Chapter 1 introduces the reader to the relationship between cyberspace, cyber security, and cyber security policy. Chapter 2 provides a brief history of cyber security. It provides the background necessary for a lay person to understand the current state of the art as well as the state of the practice in establishing security controls in cyberspace. The chapter is not a chronicle of cyber crime or legislative attempts to establish cyber security controls, but it does highlight significant events that have influenced the evolution of controls.

Chapter 3 describes the state of the practice in measuring cyber security. It revisits the history of Chapter 2 from the perspective of security goals and objectives. It discusses various approaches that have been used to determine whether goals for cyber security have been met. Three case studies of cyber-enabled systems illustrate the approaches. The case studies are of e-commerce, industrial control systems, and personal mobile devices.

Chapter 4 provides guidance for executive decision makers charged with large organizations or constituencies that are cyber security stakeholders. It emphasizes that cyber security management is not unlike other management activities in that successful execution requires clearly articulated goals and corresponding program management. It provides an outline of how to begin to establish a cyber security strategy and associated cyber security policy effort. It suggests a perspective on cyber security issues that is integrated with the mission and purpose of the organization.

Chapter 5 introduces a catalog approach to the examination of cyber security policy issues. It places the history of cyber security and metrics of Chapters 2 and 3 against the context of cyber operations in order to separate the security issues into areas of responsibility. The word “policy” in the domain of cyber security applies to different dimensions of societal issues across multiple organizations and industries. Hence, Chapter 5 describes a demarcation in the scope of issues faced by decision makers in different positions of influence. That is, the policy decisions faced by a telecommunications executive will be very different from the policy decisions faced by a military strategist. However, these divisions are purposely described in chapter sections and not as domains of influence or responsibility because they significantly overlap. The division is made to enhance clarity of explanation and is not meant to introduce nonexistent boundaries.

Chapter 6 builds on the concepts and definitions described in Chapters 1 to 5 to explain the cyber security environment faced by decision makers in each of the five sections of cyber security policy that were introduced in Chapter 5. Each section includes a list of cyber security policy issues faced by different organizations and industries who are stakeholders.

Chapter 7 chronicles the efforts of the U.S. government to align cyber security strategy and policy and observes the impact of historical events on cyber security policy. It closes with references to literature that suggest alternative courses forward.

Chapter 8 presents a summary and shows how the content of each chapter presents different perspectives on the same topic, which is cyber security policy. It emphasizes that approaches to cyber security policy are necessarily different for different cyberspace stakeholders and that the value of security measures must be weighed against their efficacy in achieving individual cyberspace strategy objectives.

We are all five left with a deep appreciation for the depth and breadth of our adopted field. Marcus Sachs’ first-hand experience in both the public and private policy arena was invaluable when it came to chronicling history. Jason Healey’s wealth of experience in policy analysis in both government service and private research shed light on a rich array of issues in nation-state and global diplomacy. Joe Weiss’ in-depth expertise in industrial control systems prevented us from losing focus on critical attributes of our technology infrastructure. Paul Rohmeyer’s academic and business experience in technology management consistently made sure that our narratives were not only meaningful to decision makers, but also that the whole carried a strategic purpose that was obvious to our target audience. Jeff Schmidt’s career-long immersion in Internet governance and software engineering issues provided a sound sanity check on completeness. Jennifer Bayuk’s solid technical background and layman-accessible writing skills framed the presentation of concepts that made sense of it all.

Together, we dedicate this volume to cyber security policymakers, whether vocal or silent. May you achieve success in your respective missions.

Jennifer L. Bayuk
Jason Healey
Paul Rohmeyer
Marcus H. Sachs
Jeffrey Schmidt
Joseph Weiss
