As state-sponsored intrusions and high-end criminal activity in cyberspace have evolved, they are producing novel kinds of risks. Our present security paradigms fail to protect us from those risks. These paradigms have tolerated inherent structural security deficits of information technology for too long; they create the impression that policy is simply captive to this highly vulnerable environment. A new remedy favored in some countries seems to be active defense, but this emerging preference may be ineffective and more dangerous than helpful.
We call for a new ecology of cybersecurity. It is based firmly on the disruptive concept of highly secure computing, relying primarily on passive security measures, independent of attack attribution. It also helps to preserve freedom and privacy. Our approach is based on a reassessment of the balance between four components of cybersecurity: the public needs in the face of novel and serious risks; the relative security levels of commercially available technology; disruptive options for high security technologies; and patterns of policy and market behavior in the ICT sector. It will recommend strategic government intervention to overcome persistent market and policy failures and to stimulate wider investment in and application of the necessary technologies.
Due to its growing urgency and in light of its alternatives, we propose highly secure computing as a new priority for cybersecurity policies internationally. Governments should send clear signals to enable security-driven IT innovation, starting top-down with the highest security requirements in the highest value targets. They should cooperate internationally to realize this new paradigm quickly and to stem the evolution of high-end cyber attackers before they can inflict more damage. Once adopted, this new paradigm would help the market to adjust by itself and open up interesting new lines of commercial opportunity, thus becoming a win-win-win strategy for security, freedom and prosperity.