The Defender’s Dilemma

The Defender’s Dilemma: Charting a Course Toward Cybersecurity

Martin C. Libicki
Lillian Ablon
Tim Webb
Copyright Date: 2015
Published by: RAND Corporation
https://www.jstor.org/stable/10.7249/j.ctt15r3x78
    Book Description:

    Cybersecurity is a constant and, by all accounts, growing challenge. This report, the second in a multiphase study on the future of cybersecurity, reveals perspectives and perceptions from chief information security officers; examines the development of network defense measures—and the countermeasures that attackers create to subvert those measures; and explores the role of software vulnerabilities and inherent weaknesses.

    eISBN: 978-0-8330-9103-1
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. i-ii)
  2. Preface
    (pp. iii-iv)
  3. Table of Contents
    (pp. v-vi)
  4. Figures
    (pp. vii-viii)
  5. Tables
    (pp. ix-x)
  6. Summary
    (pp. xi-xxii)

    Cybersecurity is, in part, a world of secrecy. Organizations charged with protecting information from disclosure are understandably prone to concealing at least some of the practices used to hide that information. Further, the world of cybersecurity suffers from short-sighted analysis: There is great debate about what malefactors are doing to networks, but less discussion about the short- or long-term effects of this activity. Malicious hackers, whose success requires subverting computers, are certainly not putting out statistics on their activity. Moreover, surprise is endemic to cyberattack.¹ Compromising an assiduously defended system or network (or subverting diligently written software) is often accomplished...

  7. Acknowledgments
    (pp. xxiii-xxiv)
  8. Abbreviations
    (pp. xxv-xxvi)
  9. CHAPTER ONE Introduction
    (pp. 1-8)

    Delving into the future of security in cyberspace would seem a fool’s errand. Cybersecurity is a world of secrecy, where there is great dispute about what malefactors are currently doing to networks but very little focus on the effects of such activity. Organizations charged with protecting information from disclosure are understandably prone to concealing at least some of the practices used to hide that information. Malicious hackers, whose success requires subverting computers, are certainly not putting out statistics on their activity. High levels of classification characterize both offensive and defensive operations within all governments, not just the U.S. government. Further,...

  10. CHAPTER TWO Chief Information Security Officers Surveyed
    (pp. 9-22)

    As a way to help ground our thinking in the current realities of the struggle in cyberspace, we talked to 18 CISOs.¹ We sought to gain their perspective on how they viewed the struggle today and how the struggle might evolve over the next two to five years. Our sample of CISOs is random in the sense that it was not systematic, but not random in the statistical sense. We drew on informal networks and opportunities that either presented themselves to us or were presented by our sponsor. Of the 18 respondents, eight were from services, four from communications, one...

  11. CHAPTER THREE The Efficacy of Security Systems
    (pp. 23-40)

    This chapter reviews evolution of cybersecurity systems to the current state of affairs, in part to remind us of how the current system came into being, and in part to build a logical foundation for the parameters of the heuristic model presented in Chapter Five.

    It was more than 25 years ago that the contest got under way between organizations wishing to defend information systems they had connected to the Internet, and the countermeasures used by those who wished to evade such defenses. Over time, the market and development cycle of tools, techniques, and defensive measures to mitigate both the...

  12. CHAPTER FOUR Improving Software
    (pp. 41-60)

    Software vulnerabilities are what allow hackers to induce systems to behave in ways that their designers never intended and their users hardly expect. Even though software vendors might aspire to having secure software (assuming it does not prevent getting their product to market), vulnerabilities have not yet disappeared and will likely continue to characterize new software products. Their persistence and recurrence arises from the increasing complexity of software (NRC, 2009; Anderson and Hundley, 1998) coupled with the growing awareness of the money to be made by exploiting systems. This is exacerbated by the proliferation of devices connected and made available...

  13. CHAPTER FIVE A Heuristic Cybersecurity Model
    (pp. 61-98)

    In this report, we have described the various factors affecting the choices that organizations can make about their cybersecurity and the possible consequences of such choices. This chapter draws on those factors to generate a heuristic model of cybersecurity.¹ Its aim is to illuminate these factors, put some plausible numbers behind them, and observe how they might interact. We seek to understand these forces systematically as a way of creating a framework for thinking about cybersecurity choices.

    Although this exercise will yield forecasts, these forecasts should not be understood as predictions. On the one hand is the dynamic (measure-countermeasure) nature...

  14. CHAPTER SIX Lessons for Organizations and Public Policy
    (pp. 99-108)

    By every indication, the risks for cyberspace are persistent, evolving, and growing more worrisome. The good news is that organizations are growing more conscious of the threats and of their own vulnerabilities. Breaches, data leaks, and cyberattacks occupy a greater share of a CEO’s business day. This portends the increasing allocation of resources and a greater willingness to institute cybersecurity regimes, even at the cost of inconvenience. That noted, there is a great skepticism that the security industry is about to start handing out silver bullets. Most CISOs express the need for better blocking and tackling rather than a long...

  15. APPENDIX A Questionnaire
    (pp. 109-112)
  16. APPENDIX B Model Specification
    (pp. 113-122)
  17. APPENDIX C Baseline Parameters
    (pp. 123-126)
  18. Bibliography
    (pp. 127-135)