On September 28, 2017, the New York Cyber Task Force produced a set of recommendations for enhancing cybersecurity. It included a key finding: “A more defensible cyberspace is possible, but only through leverage: innovations that give defenders the most advantage at the greatest scale at the least cost.” The debater in me might like to disagree, but I cannot. It has been very clear for some time that “...the greatest problem in cyber security is security at scale,” and that the situation will continue to grow worse, not better, especially with the expanding Internet of Things.
As I wrote in June, an overarching cybersecurity problem “…is scale. We are making more devices ‘smart,’ filling them up with functionality provided by millions of lines of code, and connecting them to the Internet. Trying to secure even one very smart device, with perhaps tens of millions of lines of code, is a very difficult task by itself, because no one knows how to write vulnerability-free code in a commercially-reasonable way – so millions of lines of code means thousands of vulnerabilities. And there are billions of smart devices with vulnerabilities.”
So how does one attack this problem? The Task Force provides a great list and analysis of technologies, operational developments, and policies that, in the view of its members, give defenders the most bang for the buck. Which brings me to the Global Cyber Alliance, which has a unique approach for taking the problem of scale and providing return on investment. The GCA methodology focuses on systemic cyber risks – broad risks affecting many entities across sectors and regions. Where there appears to be an effective solution to that systemic cyber risk, but it is not being widely deployed, we and our partners take on the task of driving implementation of the solution and eradicating the risk.
To use the language of the Task Force, GCA looks for solutions that provide leverage – solutions that have great effect (addressing a systemic cyber risk) at a low cost (the solution already is known or exists, and a community of people aided by a small nonprofit (GCA) may make a difference).
Our first two projects were great examples of this. With our partner Packet Clearing House, we built a global DNS infrastructure that blocks access to bad domains, which was recently made available to the public as Quad9. It provides scale and leverage by extending an enterprise-class security measure, free of charge, to anyone on the Internet; it is easy to set up and, once set up, helps protect people and companies automatically. Driving the deployment of DMARC also provides leverage: with billions of consumer inboxes already DMARC-enabled, any time an enterprise or government deploys DMARC, millions or billions of people are protected from spoofed phishing emails for the deploying domain.
What is different about what GCA does is that we actually build and deploy tools and solutions that provide leverage, not as a for-profit activity, but because it is the right thing to do. In the physical world, charities build houses for the homeless and provide clean water to the thirsty. GCA works to provide online security to the vulnerable.