Cybersecurity
Resources for Measuring Cybersecurity
Announcing an annotated partial bibliography of publicly available cybersecurity measurement methodologies.
Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Fellow at the R Street Institute. He is also a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University and a Board Member of the Journal of National Security Law and Policy.
Subscribe to this Lawfare contributor via RSS.
Announcing an annotated partial bibliography of publicly available cybersecurity measurement methodologies.
Andrew McCabe, the former deputy director of the FBI who was uncharitably fired the day before his intended retirement, has been under criminal investigation for more than a year—some say at the inappropriate insistence of President Trump. McCabe may recently have received a bit of good news.
President Trump, in his zeal to complete a border wall before the next election, has reportedly told his staff to disregard the law—in this specific instance, to take private property without due process—and not worry about the consequences.
Cybersecurity is a bit like obscenity. It seems that we know it when we see it, but we have a great deal of difficulty describing it, categorizing it or counting it. Much as with obscenity, there are some obvious answers on which all can agree—having an “internet of things” system with a hard-coded password of “123456” is insecure by any measure—but there is a vast gray area in between the poles where tradeoffs, cost-benefit assessments, and issues of practicality and scalability lurk.
In a remarkable interview with Axios on HBO, Jared Kushner, a senior adviser in the White House (and, coincidentally, the president's son-in-law), made a number of notable statements. Among them is his ambivalence regarding how he might handle a Russian approach (akin to the infamous Trump Tower meeting) if it were to happen again.
How do we quantify safety and security? That fundamental question underlies almost all modern national security questions (and, naturally, most commercial questions about risk as well). The cost-benefit analysis inherent in measuring safety and security drives decisions on, to cite just a few examples, new car safety devices, airplane maintenance schedules and the deployment of border security systems. In a world where resources are not infinite, some assessment of risk and risk mitigation necessarily attends any decision—whether it is implicit in the consideration or explicit.
It isn't as sexy as the overall question of Russian information operations or the president's obstructive criminal behavior, but as someone focused on cybersecurity more generally, I thought it would be amusing to tease out a few of the issues in the Mueller report that bump up against my day job.