What is a ‘cyber moonshot,’ anyway?
Boosters say it would provide a unifying national goal on a key national security issue. Critics argue that using a space-travel analogy is all wrong.
Like it or not, the “cyber moonshot” is becoming a thing.
Earlier this month, a presidential advisory committee debated the concept, and on Wednesday, former CIA CTO Ira “Gus” Hunt used a keynote at CyberTalks to call for one. Such a project would create a single national goal for a much-needed cybersecurity game-changer.
But framing the problem in terms of a huge singular goal pursued by a lone government agency isn’t necessarily helpful, argue critics. And even supporters don’t seem sure how the characteristics of the moonshot map to the much diverse cybersecurity problem set.
“The cyber moonshot is a call to action,” said Hunt, now the federal cybersecurity practice lead for Accenture. It involved setting “a big, hairy audacious goal … shifting the balance of cyber-power [toward defenders from the attackers] … within five years.”
The cyber moonshot concept, according to Accenture’s website, was inspired by the speech President John F. Kennedy gave before a joint session of Congress on May 25, 1961, setting the U.S. on a course to send a man to the moon and return him safely to earth.
“Things are bad and getting worse in cyberspace,” Hunt said, noting that, for the burgeoning Internet of Things, or IoT, “security is an afterthought in the rush to market.”
Despite more spending than ever before on cybersecurity, he said, there was no sign that security was improving.
“We have to switch from reactive defense to proactive defense,” he said. “We have to stop firefighting and start fireproofing.”
“Clearly our current approach isn’t working, hence the call for a cyber moonshot,” he concluded.
There were three characteristics of Kennedy’s call to put a man on the moon, he told a packed house at the Andrew Mellon Auditorium: “First there was inspirational leadership, second there was a call to action and third there was a commitment from Congress for sustained funding to deliver the outcome.”
The original moonshot took eight years, he said. “Think of this as a journey … we must bring a different mindset to the table.”
At the meeting of the blue-ribbon presidential National Security Telecommunications Advisory Committee Oct 10, Chuck Romaine, the director of the Information Technology Lab at the National Institute of Standards and Technology listed three rather different characteristics:
- It was seen as “impossible, or nearly impossible, to achieve.”
- It was “pretty easy to describe.”
- It was “also easy to know when you’ve succeeded.”
But none of the expert participants seemed able to articulate how those characteristics mapped to the cybersecurity challenge. And some cyber experts have privately criticized the analogy.
“The paradigm’s not perfect,” Hunt acknowledged to CyberScoop in a brief interview after his speech, “We’re in a very different environment than we were then,” he said, “The federal government doesn’t have the influence on technology that it did in the 1960’s … It’s a highly shared environment and we absolutely need [private sector] leadership.”
“But it’s a good paradigm,” he continued, “because, like the original moonshot, it’s hard. Really hard.”
“I first started talking about [the cybersecurity problem] as the next ‘national grand challenge,'” he explained by email. “Then as the ‘Cyber Moonshot’ a year ago at the Nation Cyber Coalition conference in Colorado Springs, led by [Democratic] Colorado Gov. John Hickenlooper.
“The idea was inspired by the need to find solutions to secure cyberspace, where government, industry and citizens all pull together to focus our financial resources, ingenuity and capabilities to solve this national cybersecurity emergency and become safer in the next five years.”
“We have to come together,” he said, “the consequences of failure are too high.”