Bossert doubtful on ‘cyber moonshot,’ preferring to focus on risk management
The problem with thinking about confronting the nation’s cybersecurity challenge in terms of a “cyber moonshot” is that it implies an end-state where the goal has been reached, White House homeland security adviser Tom Bossert said Tuesday.
“The call to go to the moon had a clearly measurable end point,” just as do other analogies — for example eradicating a disease — he told reporters Tuesday on the sidelines of the Palo Alto Networks’ Ignite federal cybersecurity conference. “In the cyberspace, I think it’s going to be a more appropriate analogy to employ a risk-management set of terminology, the idea being that you will always have to manage that risk and mitigate it.”
Cyberthreats wouldn’t end, Bossert pointed out, even if there were a game-changing national achievement such as that posited by the moonshot’s supporters. The concept has been used with increasing frequency recently to describe a proposal for a huge national effort to secure the digitally connected world.
Bossert likened government cybersecurity activities to combatting conventional crime — an ongoing process of managing a continuing problem. “We wouldn’t want to set a goal for ourselves of eliminating all neighborhood crime for ever and ever — we’ll never meet that goal,” he said.
Earlier, in an on-stage conversation with Palo Alto Networks CEO Mark McLaughlin, Bossert raised other objections to the analogy, noting that there was a single objective and a single competitor to beat. “We were in a space race … with one adversary and the solution was to collectivize all our resources … you had the leadership … and the sense of timing necessary to make that happen.
“But in this [cybersecurity] case, we don’t have one adversary,” he continued, “we have a fundamentally unsafe medium [the internet] and we’ve got adversaries everywhere.”
He also suggested that, despite the lengthening list of breaches, the level of public concern in the country might not be high enough to justify such a project.
“Any moonshot conversation has been doomed to fail in the past because, by comparison,” the level of anxiety about the Russians’ successful launch of the Sputnik satellite in 1957 had been much greater when President John F. Kennedy made his call in 1961. “I’m not sure if we’re there [at that anxiety level] yet so I think our first responsibility … is to see if there’s an appetite for a call to action,” Bossert said.
In expressing doubts about the analogy’s usefulness, Bossert was joining a debate that the supporters of the moonshot say they want to have. Earlier this month, government scientists discussed the idea at the president’s National Security Telecommunications Advisory Committee.
“This is the beginning of a conversation,” Vice Chairman Scott Charney told CyberScoop at the time. Other supporters, like former CIA CTO Gus Hunt, acknowledge the criticisms of the analogy but insist that it’s useful “because, like the original moonshot, it’s hard. Really hard.”
Bossert, too, acknowledged that the analogy could be inspiring. “A moonshot is a good terminology in terms of galvanizing a call to action for the nation,” he said.
Palo Alto Networks’ Chairman and CEO Mark McLaughlin agreed, calling the moonshot “a catalyzing national goal … to mobilize the U.S. towards a shared strategic vision and an ambitious [objective]: Making the internet safe in 10 years.”
“As soon as I say that,” he added, acknowledging criticism of the moonshot analogy, “I might get beat up … All the obvious questions come up: What does that mean? The difference between getting a man to the moon and bringing him back versus something nebulous like a safe internet.”
“I’ve heard them all,” he said of the critiques. Like Hunt, McLaughlin emphasized that it was the setting of an ambitious goal that was important.
“The basic point is, can we rally as a nation and as an international community to say it’s important enough to have a very ambitious goal like that and to liberate our thinking to make it come true.”
But Bossert was not the only one to address the shortcomings of the cyber moonshot concept at Tuesday’s event. Rep. John Ratcliffe, chairman of the House Homeland Security Cyber Subcommittee, said a clearer definition of the goal was needed.
The original moonshot “wasn’t easy to do, but it was easy to define,” Ratcliffe, R-Texas, said. “Before we work towards our own cyber moonshot, we need to define the objectives of that moonshot with great precision and clarity.”