The National Cyber Leap Year Summit
The government’s current approach to cyber-security isn’t working. The government has apparently acknowledged this, and last week held the National Cyber Leap Year Summit, a meeting that was sponsored by the White House Office of Science and Technology Policy (OSTP) and the Federal Networking and Information Technology Research and Development Program (NITRD).
This event was designed to bring together experts from academia, industry and government to find “game-changing” ideas and ways to implement them. I was one of the people from industry who were invited to participate in this event, so I spent last week at the Crystal Gateway Marriott in Arlington, Virginia, talking about how to change the government’s approach to cyber-security.
I was one of very few representatives from security vendors at the meeting, and I’m not sure how to interpret this. There were industry representatives, like people from the big government contractors, but including people like that isn’t really the same thing as including security vendors.
From one point of view, it’s good to see that Voltage is being recognized as being a thought leader in the area of cyber-security. We’ve certainly created our share of innovations and continue to do so. On the other hand, it was also a bit puzzling that more security vendors weren’t invited. Even vendors that aren’t known for lots of innovation have a solid understanding of the security market, what the current threats are and how their customers are dealing with them, and we definitely could have used more of this point of view at the meeting to balance the views of academics and government people.
We talked about five main areas at this meeting:
- Cyber-economics, or how to create the right incentives and disincentives that we need for cyber-security to succeed
- Digital provenance, or how to base trust decisions on verified assertions
- Health-inspired network defense, or how to move from forensics to real-time diagnosis of security problems
- Moving-target defense, or how to ensure that attacks work only once, if at all
- Hardware-enabled trust, or how to leverage hardware security to create a more secure computing environment
I’m not a big fan of management fads, so for me, the biggest downside to the meeting was the fact that the organizers tried to use the “colored hats” framework that Edward de Bono describes in his book Six Thinking Hats. Even this didn’t work out too badly, however.
The biggest problem was that even though the meetings went from roughly 8 am to 10 pm each day, that still wasn’t enough time to discuss any ideas in much detail. Because of this, many good ideas didn’t really get the attention that they deserve, and I hope that the organizers of the event will find a way to deal with this.
Over the next few days, I’ll be talking about some of the things that I learned at this meeting.





Nothing will likely come out of this, but what the heck, it's a good justification of research budgets.
Posted by: Rob Lewis | Monday, 24 August 2009 at 05:51 PM