The Cyber Trough of Disillusionment

I’ll call the moment: the cyber security field is now past its giddy buzzword peak.

Gartner is well known for preparing “hype cycle” analysis of technology sectors, as in their recent publication of the 2009 “Hype Cycle for Social Software.” That report got a lot of attention on Twitter and in blogs, naturally; social medians are nothing if not self-reflective regarding their community. I thought an interesting take was by an IBM developer, who compared the 2008 version against the new one, measuring the changes in predicted “time to maturity” for individual technologies, and thereby coming up with something like a measure of acceleration. By that measure, individual blogging and social search made the most rapid gains.

But I notice something missing on the full list of 79 Gartner hype cycle reports: there’s not one about “cyber security.”

Gartner Hype Cycle 2009 Emerging TechnologiesTo the left you can see their uber-cycle, the latest chart of all “Emerging Technologies.” Among the dozens of “technology, topic and industry areas” across all their charts, the closest thing to covering the “cyber” world is the Data and Application Security Hype Cycle, which lists no fewer than 21 contributing analysts but still can’t see fit to reflect the broadest reaches of internet security. Its abstract alludes to Internet security, but makes clear that its focus is on several specific (not to say narrow) technical approaches:

Enterprise boundaries continue to blur as data is shared across the Internet between partner organizations and unmanaged endpoints, increasing concerns about data leakage and manipulation. This is encouraging greater use of application layer and data layer security controls.

Now, those topics are of course related to information security and assurance, and yet they don’t approach the overall breadth of the tangled spaghetti of technical, policy, and political issues that make up the messy cyber-security realm.

This week I expected to get a snapshot of where that messy realm stands, by attending the “National Cyber Leap Year Summit” in Arlington, Virginia. It was a joint DoD-White House production, by invitation only, and sponsored by the White House’s Office of Science and Technology Policy (OSTP), and the Office of the Assistant Secretary of Defense for Networks and Information Integration (NII).

They wisely used as an organizational umbrella the Federal Networking and Information Technology Research and Development (NITRD) Program, the quiet but important organizing construct for federal R&D. NITRD describes itself as

the primary mechanism by which the Government coordinates its unclassified networking and information technology (IT) research and development (R&D) investments. Thirteen Federal agencies, including all of the large science and technology agencies, are formal members of the NITRD Program, whose combined 2007 IT R&D budgets totaled more than $3 billion.”

Member agencies include DARPA, DOE and the National Labs, NASA, NIH, NIST, EPA, NARA, AHRQ, NOAA, NSA, NSF, OSD, and the DOD Research Labs. All of those groups were represented at the Cyber Leap Year Summit this week – along with a panoply of top names from corporate and academic security work and research – you name ’em, they were represented.

And yet I came away slightly disappointed – not with the effort by the event’s organizers, but with the outcome. The premise of the session was to provide “leap-ahead, game-changing” ideas and proposals. Some were indeed offered in sessions, kicked around, and debated, dismissed, or set aside for further exploration. There were five tracks in the conference:

  • Digital Provenance → basing trust decisions on verified assertions
  • Moving-target Defense → attacks only work once if at all
  • Hardware-enabled Trust → knowing when we’ve been had
  • Health-inspired Network Defense → move from forensics to real-time diagnosis
  • Cyber Economics → crime doesn’t pay
  • Each track wound up having valuable brainstorming sessions, with some innovative ideas and approaches generated, all of which are now being captured in a wiki.  (Participants were provided with password access to the wiki; if it is opened to broader access I will update this post with a link.)

    I mostly attended the Cyber Economics sessions, which had the closest relevance to government policies as far as I could tell.  Our ideas ranged from innovative ways to raise the economic costs to bad guys on the Internet, to establishing something like a “cyber NTSB,” which would mirror its Transportation Safety counterpart in collecting, analyzing, and reporting out data on cyber attacks and information-security incidents. Good ideas, but nothing game-changing on its face.

    I stuck my head into the other groups from time to time as well, and listened closely at the wrap-up “mix ‘n’ match” discussions at yesterday’s final sessions, hoping to hear a breakthrough idea.  I’ll admit, I personally had none to contribute – cyber security is not my native field of expertise though I do my best. But unless I’m mistaken, no one else had a true “game-changing” breakthrough either.  Overall there was a sense of “heard it all before” quietly sitting like a ground-hugging fog in the conference rooms.

    Now, that’s not necessarily dire; this is tough stuff and you can’t expect a single conference, even with the biggest brains in attendance, to produce elegantly brilliant policy and technical solutions to enormous challenges of long standing. But it indicates to me that the publicly-discussed field of cyber security is echoing certain stages on the Gartner Hype Cycle.

    Down in the Valley

    That cycle charts “Expectations” against a Time axis in the life of technologies or industries. Over the past couple of years, I would say that Cyber security has ramped quickly up the “Inflated Expectations” hype curve. I’d argue that it approached its “Peak of Inflated Expectations” the moment that presidential candidate Barack Obama pledged on the campaign trail that “I’ll declare our cyber-infrastructure a strategic asset and appoint a National Cyber Adviser who will report directly to me.”

    How’s that promise coming along? Not well.  The inflated expectations crested the moment Melissa Hathaway published the much anticipated, now nearly forgotten, 60-Day Cyberspace Policy Review. You can see my previous pieces on the Cyber Czar debacle, read an adamant op-ed in this week’s Business Week titled “The U.S. Needs a Cybersecurity Czar Now,” or read one of DC’s keenest political observers, The Atlantic’s Marc Ambinder, who now believes that the leadership vacuum is increasing “jitters about whether the Obama administration is devoting enough bandwidth to the issue.” Marc’s piece (“On Cyber, Homeland Security Isn’t Waiting“) argues that DHS is picking up the baton in the vacuum, but many of the folks I know up at Ft. Meade scoff at that, and are quietly quietly burrowing away at the bureaucratic-politics game themselves.

    There’s a lot of effort going on to secure things all right – things like bureaucratic turf, budget billions, and presidential face-time.

    Per Gartner’s paradigm, cyber security as an issue is heading straight down into the “Trough of Disillusionment.”  That’s not an indictment of those working in the field. Indeed, in Gartner’s methodology, to be successful, technologies almost inevitably follow a path “from overenthusiasm through a period of disillusionment to an eventual understanding of the technology’s relevance and role in a market or domain.”

    The Slow Climb to Enlightenment

    So what is to be done, down here in the valley? Well, I’d argue that technologists just ignore the politics and the Time-magazine covers and the frenzied Twitter chronicles of who’s in and who’s out.  I’ll try to avoid that stuff as well, as a prime offender (no promises), and do a fair job of tracking the technical progress of promising research.

    To that end, I’ll end with a nod to a cool Microsoft Research project being unveiled this week at the SIGCOMM 2009 conference in Spain: “De-Anonymizing the Internet Using Unreliable IDs.”  Researchers Yinglian Xie, Fang Yu, and Martin Abadi have just published a great paper (available in PDF here) detailing their “Host Tracker” work aimed at malicious traffic which cannot typically be “held accountable” in today’s open, anonymous Internet of free traffic from any host.  “HostTracker tracks dynamic bindings between hosts and IP addresses by leveraging application-level data with unreliable IDs.”

    As the early coverage in Technology Review  puts it, Internet anonymity can be both a blessing and a curse, because “the same technologies allow cybercriminals to hide their tracks and pass off malicious code and spam for legitimate communications.” TR goes on in their assessment:

    [HostTracker represents] a way to remove the shield of anonymity from such shadowy attackers. Using a new software tool, the three computer scientists were able to identify the machines responsible for malicious activity, even when the host’s IP address changed frequently. “What we are really trying to get at is the host responsible for an attack,” said Yinglian Xie, a member of the Microsoft team. “We are not trying to track those identifiers but associate them with a particular host.”

    The prototype system, dubbed HostTracker, could result in better defenses against online attacks and spam campaigns. Security firms could, for example, build a better picture of which Internet hosts should be blocked from sending traffic to their clients, and cybercriminals would have a harder time camouflaging their activities as legitimate traffic. – Technology Review

    HostTracker is squarely aimed at several of the questions across the five-track sections in the Cyber Leap Year Summit, including the “Digital Provenance” and “Moving-Target Defense” areas.  If it’s successful, it could begin to chip away at the economics of cyber attacks as well – at least until the attackers’ next innovation, which will drive the cycle of good-guy research again.

    Hmm – a cycle. Gartner, get to work!

    Email this post to a friend

    AddThis Social Bookmark Button

    10 Responses

    1. Lewis,
      Cyber-security is becoming more and more of an “issue” that no longer is just something academic to think about, but one that hits home quite fast in today’s inter-connectivity driven society. The recent attacks on Twitter, Google and Facebook demonstrated several things:
      1. DDoS attacks are becoming more and more focused and driven by professional hackers such as Foreign Countries.
      2. Denial of DNS attacks are just becoming known as a threat, yet this is like an achilles heel.
      3. There is lots of yammering about protecting computers, but less attention being paid on protecting public facing and serving data networks such as banking, energy, and communications while these are where the gaping holes are and where the economic damage would be most devastating from any sort of coordinated attack.
      4. The cyber-terrorists are honing their craft, so must the defenders.

      Thanks for posting this thought provoking piece!

      Alan W. Silberberg
      CEO, You2Gov
      @you2gov -twitter


    2. Thanks for the summary, even though it’s somewhat depressing. We were hoping for more.

      Q: Was the scope of discussion in Cyber Economics limited to disrupting attacker ROI (as described in the Summit agenda) or was it more broad?

      If anyone is interested, I co-authored a “call to action” on this topic a couple of years ago, proposing game-changing ideas and research directions in cyber security economics and related disciplines. The full paper: and the 8 page summary:

      Earlier this year these ideas were compressed into the *TWO* page submission format and submitted to the NCLY conference organizers but apparently they didn’t latch on to any of the ideas. I don’t know why.


    3. I got the general impression that the NITRD CLY organizers were looking for “silver bullets”, and that somehow through their multiple RFI process and this three-day brainstorming session, these “silver bullets” would magically appear.

      Is the best way to solve truely hard, multi-disciplinary problems? I think not.


    4. Lewis,

      the challenge is figuring out how to disrupt the business model of cyber attackers. Its more than tech in this mix, there is a dynamic that involves human nature and economics. What is the center of gravity of all of this activity? Identity, authentication, encryption? Money, reward, and punishment? Reliability?


    5. Lewis —
      I spent most of my time in the Health Inspired Network Defense session and my sentiments would mirror yours. There was some interesting cross-talk and concepts but nothing I’d call “game changing”. There were some proposals which recycled and updated concepts people have looked at and that can be a good thing (what didn’t make sense legally or economically in the 90s might be worth re-visiting). I think I got some good, incremental ideas and will be interested to see how the wiki evolves and what the final conference report comes out with.


    6. Lewis,

      Thanks for the great post and the analogy.

      I’m wondering, especially with the construct you promised to expand upon called ET2.0 shouldn’t we be defining security and functionality in the same breath? Security is how you ensure functionality. So it is about protecting data, but is also about keeping the systems running, including keeping them running in the face of ET2.0.



    7. […] The Cyber Trough of Disillusionment – Lewis Shepherd, Shepherd’s Pi […]


    8. Greetings all.

      I remember reading Guy Kawasaki’s comment in his piece “the Art of Innovation” :

      “those on the first curve are unable to comprehend, let alone embrace the second curve.”

      I’m quite sure that just about everyone in attendance at the summit has two feet squarely planted on the first curve.

      When one attempts to solve a problem, one tends to turn to what has worked in the past. To truly innovate and think out of the box, one must be able to unlearn everything he or she knows. How many experts can check their egos at the door and do that?

      That does not make for a great probability of success.


    9. Lewis,

      One of your best and most thoughtful blogs yet. A touch of irony, given the company you now work for — but I’ll give you a pass since you’ve only been with them a short time.

      I like Gartner’s hype cycles — and agree that a precise and hard-hitting cyber security hype cycle report from them might further energize industry, academia and government and generate the big new ideas. My sense, though, is the recent constant drumbeat from government and other industries that have information assurance, privacy, security and trust as non-negotiable underpinning bottom-lines, is already causing some of the right effects in the IT and policy communities.

      When companies like Lockheed Martin create things like their Center for Cyber Security Innovation (CCSI), and, just last month, Bob Gourley’s old company, Northrup Grumman, stood up their new Cyber Security Operations Center (CSOC), I’m encouraged that, eventually, industry is going to find enterprise-class solutions to the enterprise-class problems companies like MicroSoft have dealt the federal government and thousands of other industries. So the hype cycle is good — it gets people cracking, in places where the charter to crack has pretty good pay-off. Not, alas, internal to the government.

      So, by extrapolation… I could really give a hoot of POTUS appoints a cyber czar or not. I don’t think in-the-government agencies like DHS, NSA, DoD, NITRD, DARPA or others you might think of as being in this business are equipped or well-enough led to solve these kinds of problems. The USG will waste billions, maybe trillions, trying — making a lot of congressman and senators happy that high-tech federal workers are bringing big paychecks to their states and districts. So the federal funding will continue, and will rise, as overall USG TOA permits, and, ultimately, we will have to buy the solutions in a wrapper from one or another vendor.

      Here’s another guy out there who is likely inclined to agree with me…

      I think I agree with him more than I disagree.

      Hope all is well.

      Aloha, Dave


    Leave a Reply

    Fill in your details below or click an icon to log in: Logo

    You are commenting using your account. Log Out /  Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out /  Change )

    Connecting to %s

    %d bloggers like this: