8

Conclusion

Each chapter in this book introduces a different perspective on cyber security. Though each may stand on its own as an essay, together they illustrate that cyber security policy is a multidimensional topic. Chapter 1 framed cyber security policy in the context of its current state of professional practice. Chapter 2 presented the field of cyber security as a rapidly expanding arms race for technology control. Chapter 3 reflected on the goals of cyber security policy, and described attempts to both verify and validate that goals are achieved. Chapter 4 emphasized that decision makers need to carefully evaluate the impact of cyber security policy alternatives in the context of strategic enterprise goals. Chapter 5 explained the catalog approach to cyber security policy. Chapter 6 provided a plethora of examples of policy issues. Chapter 7 described how cyber security policy is addressed by government.

Each chapter introduced a different layer of detail with which to frame the overall cyber security decision-making process. However, these layers are not cumulative levels of abstraction, but entirely different perspectives on the same basic ground truth: the evolving complexity of security issues presented by cyberspace. Combined, the chapters illustrate the complexity of cyber security policy, and the corresponding difficulties faced by cyber security policymakers. Even cyber security policymakers who have clear goals and organizations firmly grounded in principles are hesitant to state mandates, and are constantly monitoring cyberspace to ensure that policy does not result in unintended consequences. We conclude that, as cyberspace and corresponding cyber security measures evolve, so will any taxonomy of cyber security policy issues.

Hence, a great deal of the effort in creating this book has been to summarize enough background information to ensure that the reader is prepared to face, understand, and reason analytically about any cyber security policy issue, whether legacy or new. To that end, it has been necessary to encourage a thorough understanding of the past, in order for our readers not to repeat it. Nevertheless, the pace of change in cyberspace is accelerating so much that those immersed in cyber security policy issues may find omissions in the range of possibilities for topics that might potentially have been included. To those whose favorite issue has been unintentionally omitted, we leave it for you to publicize, and just hope that this book will bring more informed participants to your cyber security policy debates.

We hope that at least one message is clear: that there is no blueprint available to produce cyber security, no standards provide a magic bullet, no course of action is clear of potential obstruction. It should also be crystal clear that the choices made by cyberspace strategists and entrepreneurs to date have not been based on cyber security concerns, nor are they likely to be in the future. Every stakeholder, whether an individual Internet user, a small business, a global conglomerate, or a nation-state, must decide its own strategy for maintaining security in cyberspace, and this strategy should be utterly dependent on their own mission and purpose in cyberspace occupation. Whatever cyber policies are adopted should be critically scrutinized by all for compatibility with one’s own strategy.

It is indeed a situation in which every person must decide their own best interests. There is no Magna Carta of cyberspace, and no constitution. Like colonists in the New World, what governance exists is remote and has little power without the consent of the governed. Like the wild west, lawlessness and vigilantism operate in parallel while helpless victims and bystanders frequently succumb to attacks. What laws exist are antiquated for the purpose of prosecuting cyber criminals and some parts of society sometimes appear to celebrate Billy the Kid over the banks and the railroads.

This book does not champion control over cyberspace by any one or more entities. The solution most likely lies in the balance between control over cyberspace operations and maintaining the flexibility that is required for innovation. However, today’s choices between control and flexibility are usually not made conscientiously by those who feel the impact of the consequences of such choices. In general, cyberspace stakeholders are naively unaware of the circumstances that lead to their inability to protect themselves against cyber attack. We hope this book will reduce the level of such naiveté.

Even if it did, mere recognition of the factors that led to today’s cyber insecurity is not a sufficient condition for successful achievement of cyber security. Even the most enlightened and benevolent governance structure would have its hands full trying to address the myriad of cyber user policy issues and at the same time keeping a lid on cyber conflict. This strange new world requires new paradigms in cyber security policy beyond the current nation-state and diplomatic structures that exist today. For example, it is necessary for private sector global conglomerates to set internal cyber security policy that is consistent across such boundaries and still maintains harmony with all of them.

Cyber security policy development is not an easy task, and it is not confined to the boundaries of law, or management, or technology. It requires a blended way of thinking that crosses professional boundaries and highlights requirements for innovation. As in the dawn of the industrial revolution, new ways of thinking about the world must prevail. This is not to say that cyber security policy decisions should be the sole province of the digital generation. It is rather to say that, unless this generation comes to terms with the potential for catastrophe that is consequent in not dealing with this problem, the society who built the Internet will undoubtedly continue to lose ground to well-organized, well-equipped, determined threats who know how to define, articulate, and achieve cyber security goals which are adversarial to our own.

To assist with this coming-to-terms, we have established a reference framework for cyber security policy issues and a taxonomy within which they may be interpreted. It is hoped that this reference will contribute to the layman’s ability to properly interpret cyber security directives and to assist today’s cyber security policymakers in creating these directives. With this groundwork, future editions of this guidebook, or others like it, can use the foundation herein as a launch point to describe the ever-altering cyber security landscape of the future.