Wednesday, January 22, 2025
From Policy To Practice: Navigating the Cybersecurity Recommendations in RAND's Identifying Critical IT Products & Services Report
Opinion

In 1997, the President’s Commission on Critical Infrastructure Protection wrote, “life is good in America because things work . . . we are able to assume that things will work because our infrastructures are highly developed and highly effective.”[1] Notably, that confidence did not rest on an absence of cyber attacks. In 1988 the Morris Worm had already knocked out roughly 10% of the machines then connected to the internet [2], giving the country an early glimpse of its digital vulnerabilities.

Now, decades later, we cannot say with the same degree of confidence that our systems and infrastructure are secure. As our reliance on technology and the internet has grown, the number of exploitable weaknesses has multiplied with it. That raises two questions: were the systems of 1997 built with more cyber resilience than the software and systems we develop today, and is it still possible to deploy systems that are more secure and resilient?

At its core, the RAND report shares a timely idea. We need a comprehensive, adaptive framework to identify and protect our most critical IT assets. This isn't just about preventing breaches—it's about fortifying the very foundation of our digital society.

In the report, Sasha Romanosky, John Bordeaux, Michael J. D. Vermeer, Jonathan W. Welburn, Aaron Strong, and Zev Winkelman deliver powerful and novel insights into understanding software risk, and claim that, to their knowledge, “The ability to associate and visualize vulnerability severity with exploitability has never been possible before.” A capability like that would clearly be valuable to the National Risk Management Center.

In the words of Kingdon, “An idea whose time has come is an irresistible force…” Is it time for these recommendations? Let's find out as we delve deeper, examining the feasibility, challenges, and potential impacts of implementing the report’s recommendations.

How likely is it that the policy recommendations will be implemented as presented?

The RAND report offers a novel and comprehensive framework for assessing cyber security risk. As I said in my previous memo, it revealed additional dimensions of software risk that previously were not accounted for. It proposes a multi-faceted framework that considers software vulnerabilities, business interconnectedness, and the mapping of National Critical Functions (NCFs) to specific IT firms. However, this very comprehensiveness may pose challenges to implementation.

The likelihood of the recommendations being implemented as presented is, at best, moderate. Here is why:

Complexity: Because the report’s recommendations span multiple domains, they require coordination across numerous government agencies and private sector entities. That coordination burden could lead to slow or fragmented implementation.

Private Sector Buy-in: Many critical IT assets are owned and operated by private companies, including those outside the United States. Their cooperation is crucial but not guaranteed, especially if implementation costs are high. Understanding these challenges is vital.

1. Communication: Is there anything in the communication of the report or recommendations that you would change? Yes.

The report, while thorough, goes deep into technical detail and lacks a sense of urgency, the call to action. In Kingdon’s Multiple Streams Framework, action happens when a “policy window” opens, where the problem, policy, and politics streams converge. The report lacks the momentum needed to open such a window, which is usually how great ideas stay unimplemented.

Recommendation: To make the report accessible to decision makers, the authors should have reframed the key findings into a compelling narrative that inspires action. To do this, they could have:

Explicitly highlighted the potential consequences of inaction. While the report mentions that high-risk vulnerabilities could lead to a "full compromise of a computing system," it would be beneficial to illustrate the potential real-world consequences of such compromises. For instance, the report could provide examples of past incidents where similar vulnerabilities led to significant damage, emphasizing the potential for catastrophic effects on public health, economic security, or national security.

Provided a phased approach: Such a deep risk analysis requires a clearly outlined multi-staged implementation plan, allowing for quick wins that can build momentum.

Used visual storytelling: They should have incorporated more infographics and flowcharts that improve understanding of findings and simplify complex concepts of system dependencies, making it more digestible for non-technical stakeholders. 

As described in Memo 1, the report is meant for the National Risk Management Center, a component of the U.S. Department of Homeland Security (DHS). While that audience is clear, implementation of the recommendations would happen elsewhere, so it would have been valuable to tailor the communication for other stakeholders as well: policymakers, private sector entities and other federal agencies. Summaries and fact sheets aimed at each of these audiences would ensure that each receives the information most relevant to it, facilitating quicker action and broader adoption.

2. The Cultural Shift: Is organizational/cultural change required? 

Certainly. The report’s recommendations necessitate a fundamental shift in how organizations approach cybersecurity. In a way, it urges re-wiring the DNA of organizations to prioritize digital security at every level. Such a move towards a more proactive, risk-based approach to cybersecurity requires a cultural shift within government agencies and private entities.

Such areas of change include:

Risk Perception: Moving from a reactive to a proactive stance on cybersecurity risks.

Cross-sector Collaboration: Breaking down silos between government agencies and between public and private sectors.

Continuous Learning: Promoting a culture of ongoing education and adaptation to evolving threats with emerging technology.

Such changes require:

Leadership Buy-in: Top-level executives must champion such a shift.

Training and Education: Comprehensive programs to upskill existing workforce and attract new talent.

Incentive Structures: Aligning organizational rewards with cybersecurity goals.

3. Resource Allocation: Do the recommendations involve money or manpower?

Yes. Cybersecurity is a technical discipline that requires highly specialized talent, and because the report recommends a deeper dive into the interconnectedness of software systems and businesses, implementing it will require acquiring that talent. That, in turn, requires money.

However, the report fails to provide a detailed cost-benefit analysis, which is crucial for securing funding in a budget-constrained environment.

As a recommendation: The report should have developed a phased implementation plan that prioritizes critical vulnerabilities while spreading costs over time. It could have included public-private partnerships to leverage resources and expertise since these software and system vulnerabilities are spread over government agencies as well as private or commercial entities.

4. Implementation: Are the recommendations implementable? Why or why not?

The short answer is - Yes! But with caveats.

The authors’ recommendations provide a solid theoretical framework for identifying both software and business risk, measuring the vulnerability level of software applications and their underlying open source libraries, and identifying who owns those libraries.

The ability to combine a firm-level inventory of public internet-accessible software with the severity and exploitability of each vulnerability, at national scale, is, as the report states, “a capability never previously achieved…” This is a significant feat, and one that can be built upon.

The easier part is using the provided framework to improve how critical infrastructure vulnerabilities are identified; the report provides powerful clues on how to do this. However, just because a recommendation is novel does not mean translating it into practical, day-to-day operations will be easy. As Binder & Watkins suggest, “Policy implementation often faces challenges not anticipated in the design phase...”

To their credit, the authors of the report acknowledge that web applications are complex: they are composed of collections of libraries, each with its own risk profile. And the landscape of those libraries is constantly changing, because libraries are added and updated frequently, which makes it hard to quickly assess the implications for risk mitigation.

To Binder and Watkins’ point, the real challenge the report did not anticipate is securing free and open source software. It is challenging partly because maintainers often lack the motivation or resources to do security work, and partly because many open source libraries are maintained by people and organizations outside the United States, beyond the reach of U.S. policy levers. Securing the free and open source ecosystem is a long-term endeavor requiring substantial financial investment, community engagement, and policy interventions. Given our heavy reliance on such libraries, investing in their security is crucial.

Such a task would require financial support for open-source projects, incentivizing developers to prioritize security, and promoting the adoption of secure coding practices within the open source community. Such investments would require a sustained commitment from both the government and private sector.

5. What will the policy maker have to do to lead the implementation of the recommendations?

The policy maker must become the voice of this “revolution,” because leadership in this context is not just about making decisions; it is about being the driving force behind a cultural shift. As Kotter puts it, “For change to stick, it must become part of the core of the organization…” That requires sharing a deeper vision and communicating the urgency of the mission and the cost of inaction. As stated earlier, arming the policy maker with illustrations of how ignoring vulnerabilities has led to significant real-world consequences would help them share that vision in a clearer and more compelling way.

Beyond sharing the vision, the policy maker must nurture cross-sector collaboration. Effective cybersecurity requires a collective effort, so the policymaker must actively foster collaboration between government agencies, private sector organizations, and open-source software communities. Such collaboration can be achieved by:

Establishing platforms and mechanisms for information sharing: This includes secure channels for sharing vulnerability data, threat intelligence, and best practices.

Providing incentives for information sharing: This could involve legal protections for companies that share vulnerability data in good faith, promoting the adoption of common cybersecurity standards and frameworks.

Convening stakeholders for regular dialogue and coordination: This ensures ongoing communication and alignment of efforts between different entities.

The policy maker must also make tough decisions about resource allocation and prioritization. They will need to:

Determine which areas of cybersecurity require the most urgent attention: This could involve conducting updated risk assessments of critical infrastructure dependencies on IT products and services, and evaluating the potential impact of cyberattacks.

Allocate funding for critical cybersecurity initiatives: This includes supporting research and development of secure technologies, providing grants for security audits and training programs, and incentivizing the adoption of secure coding practices.

Prioritize vulnerabilities based on both severity and exploitability: This ensures that resources are directed towards addressing the most pressing threats.
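To make the “severity and exploitability” ranking, and the firm-to-library interconnectedness the report describes, concrete, here is an added Python illustration. It is not the RAND report's own method, code or data. It assumes the CVSS base score as the severity measure and, as exploitability signals, an EPSS-style probability of exploitation plus a flag for vulnerabilities on a known-exploited list such as CISA's KEV catalogue; the firms, products, library names and CVE identifiers are constructed placeholders, not real ones.

```python
"""Rank vulnerabilities by exploitability and severity across a firm inventory.

Added illustration, not the RAND report's method or data. Assumed signals:
  severity       = CVSS base score (0-10)
  exploitability = EPSS-style probability (0-1) plus a known-exploited flag
All firms, products, libraries and CVE identifiers are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str               # placeholder identifier, not a real CVE
    cvss: float            # severity: CVSS base score
    epss: float            # exploitability: EPSS-style probability (assumed signal)
    known_exploited: bool  # on a known-exploited list, e.g. CISA KEV (assumed signal)


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    findings: tuple        # tuple of Finding


@dataclass(frozen=True)
class Exposure:
    firm: str
    ncfs: tuple            # National Critical Functions the firm supports
    product: str
    internet_facing: bool
    components: tuple      # tuple of Component (the product's library bill of materials)


def priority_key(f):
    """Exploitability outranks raw severity: known-exploited first,
    then EPSS probability, with CVSS only as the tie-breaker."""
    return (f.known_exploited, f.epss, f.cvss)


def prioritise(exposures, internet_only=True):
    """Flatten firm -> product -> component -> finding and sort by priority_key.
    Returns (firm, product, 'component@version', Finding) tuples, highest priority first."""
    rows = []
    for e in exposures:
        if internet_only and not e.internet_facing:
            continue
        for c in e.components:
            for f in c.findings:
                rows.append((e.firm, e.product, f"{c.name}@{c.version}", f))
    rows.sort(key=lambda r: priority_key(r[3]), reverse=True)
    return rows


def shared_component_blast_radius(exposures):
    """For each vulnerable component version, the firms and NCFs that depend on it.
    This is the interconnectedness view: one library, many critical functions."""
    firms = defaultdict(set)
    ncfs = defaultdict(set)
    for e in exposures:
        for c in e.components:
            if not c.findings:
                continue
            key = f"{c.name}@{c.version}"
            firms[key].add(e.firm)
            ncfs[key].update(e.ncfs)
    return {k: (sorted(firms[k]), sorted(ncfs[k])) for k in firms}


# Constructed sample inventory: one shared TLS library is on a known-exploited list
# with moderate CVSS; one JSON library has a critical CVSS but almost no exploitation.
TLS_LIB = Component("libexample-tls", "1.4.2", (
    Finding("CVE-EXAMPLE-0001", cvss=7.5, epss=0.62, known_exploited=True),
))
JSON_LIB = Component("example-json", "3.0.0", (
    Finding("CVE-EXAMPLE-0002", cvss=9.8, epss=0.01, known_exploited=False),
))
LOG_LIB = Component("example-logger", "2.1.0", ())  # no known findings

SAMPLE_EXPOSURES = (
    Exposure("Utility Co", ("Distribute Electricity",), "customer-portal", True, (TLS_LIB, JSON_LIB)),
    Exposure("Hospital Net", ("Provide Medical Care",), "patient-api", True, (TLS_LIB, LOG_LIB)),
    Exposure("Hospital Net", ("Provide Medical Care",), "internal-billing", False, (JSON_LIB,)),
)

if __name__ == "__main__":
    for firm, product, comp, f in prioritise(SAMPLE_EXPOSURES):
        print(f"{f.cve:17} {comp:24} {firm}/{product}  cvss={f.cvss} epss={f.epss} kev={f.known_exploited}")
    for comp, (firms, ncfs) in shared_component_blast_radius(SAMPLE_EXPOSURES).items():
        print(f"{comp}: firms={firms} ncfs={ncfs}")
```

Note that the known-exploited, CVSS 7.5 finding ranks above the CVSS 9.8 finding with a 1% exploitation probability; a severity-only ranking would invert that order and send patching effort to the wrong place first. The blast-radius view is the national-scale point: a single library version maps to several firms and to the National Critical Functions they support, which is exactly the dependency picture a firm-by-firm, application-level assessment cannot see.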

6. Will change management be involved? 

Yes, and interestingly, it's not just change in one agency, organization or system. This is a deep change that touches the talent, processes and relationships of agencies, private entities, developers and policymakers. The need for significant shifts in cybersecurity approaches, particularly for identifying and securing critical IT products and services across government and industry aligns with the core principles of change management. The growing complexity of software applications and their reliance on open-source software libraries presents a significant challenge for risk assessment and mitigation. 

This requires stakeholders to gain a fresh understanding and manage these dependencies, new tools, processes, and expertise to track vulnerabilities and ensure the integrity of software components across the supply chain. And this requires change management.

7. What would a successful outcome be? In what timeframe(s)?

A successful outcome would mean that risk assessment of critical infrastructure products and services is no longer based simply on application-level analysis, but on the interconnectedness, severity and exploitability of software systems, their integrated open source libraries, and business connectivity, followed by immediate work to remediate the vulnerabilities found. This could be achieved relatively quickly, in the short term (1 to 2 years).

In the mid term (2 to 5 years), success would mean effective collaboration and information-sharing mechanisms, which require ongoing engagement and trust-building. In the long run (a decade or more), it would mean securing the free and open source ecosystem, a continuous process that demands sustained investment and commitment over an extended period.

Ultimately, success would be building secure and resilient software systems, and business processes, then anticipating vulnerabilities as technology evolves and fortifying systems before these vulnerabilities are exploited. Then and only then would we, like the President’s Commission on Critical Infrastructure say, “life is good in America because things work”

8. Is this an “idea whose time has come?” Why or why not?

I say ABSOLUTELY! - The time is ripe for implementing the report's recommendations. The increasing reliance on software, the growing complexity of the digital landscape, and the escalating threat of cyberattacks all point to the urgent need for a more proactive and comprehensive approach to cybersecurity.

As a burning motivation, we know that our adversaries are looking to disrupt us. In 2022, researchers and the U.S. government disclosed PIPEDREAM (also called INCONTROLLER), a toolkit purpose-built to attack industrial control systems and widely reported as the work of a state-sponsored actor; it demonstrated a capability to infiltrate and manipulate a variety of U.S. critical infrastructure systems. And now, with the rapid advance of AI, we must secure our systems and fortify our infrastructure swiftly, before it is too late.

Author: Samuel Abinsinguza, NSP Fellow