A recent report by the New York Cyber Task Force, with senior-level experts from across New York and elsewhere, drawn from finance, cybersecurity companies, former government, and academia, included recommendations that would help make it easier to defend cyberspace without sacrificing the utility, flexibility, and convenience that has made the Internet so essential to our economies and personal lives. This talk will cover the report’s findings and recommendations on how to make cyberspace more defensible.

What sets this report apart? The members of the NY Cyber Task Force started from a basic premise, that we need to give cyber defenders the advantage over attackers, and a strategy to do so, based on leverage: those innovations across technology, operational, and policy which grant the greatest advantage to the defender over attackers at the least cost and greatest scale. The task force then made a recommendation to achieve leverage, based on lessons drawn from five decades of past innovations, laid out in a simple but rich graphic. The report brings new insights, such as even the best innovations have an expiration date, traveling a curve “from essential to albatross,” after which it is far costlier for defenders to implement than for attackers to circumvent. The report especially stresses the importance of operational innovations (such as information sharing and creation of new organizational structures like CERTs and CISOs) and policy innovations (as through new laws or executive orders) which can unlock further operational and technology innovations. 

Key learning objectives, then, for practitioners include: employing the concept of leverage; accepting that security innovations have a shelf life and planning accordingly; and recognizing that operational and policy improvements to security tend to have greater and longer-lasting impact than technological innovations.