In Greek mythology, Sisyphus was a king who thought himself more clever than the Gods and was condemned for eternity to roll a rock up a hill, only to see it roll back down each time he almost completed his task.
During the last several days, as I listened in various fora to experts and policymakers discuss cybersecurity, I realized that our current efforts may be dooming us to a Sisyphean task. Over the years, we have talked about progress and seen report after report, strategy after strategy, all seemingly creating a flurry of actions that pushes the cybersecurity rock forward. And repeatedly, we seem to find ourselves back at the bottom of the hill, wondering how to get the rock up the hill.
One reason we find ourselves in this dilemma is that cybersecurity is not static. The threat is constantly evolving -- security measures become archaic, laws need updating, and policies lag behind each new technological advance. As a field, cybersecurity has been relegated to being reactive in nature -- we respond to risks as they become threats. The only way to overcome this problem is to build cybersecurity into technologies at the forefront, which is not an easy task given the desire for innovation that is user-friendly and easily accessible. (Not to mention innovative products that are based on business models that necessitate lenient privacy practices for profitability.)
Another reason the rock continues to roll back is that we have not been able to fully embrace what approach we should take to cybersecurity. Should we incentivize producers, implementers, and users to make cybersecurity a priority? Should we mandate cybersecurity, especially for those responsible for critical infrastructures? How do we tackle data breaches and responses to cybersecurity so that we can learn from mistakes? Is the answer a hybrid approach? These are issues Congress continues to struggle with as it figures out how to tackle the problem.
Perhaps the last significant reason the rock continues to roll back is that we have no clear definition of cybersecurity. The term means a little bit of something to everyone. We are trying to tackle a problem that at once means securing our national security systems and protecting grandma's desktop. If we are to believe that the entire system is only as secure as "its weakest link," then pushing the rock up the hill and keeping it there becomes nearly impossible.
Of course, if we accept that the cybersecurity rock will never make it to the top of the hill, then perhaps it does not really matter, so long as we are content to keep pushing it. As Albert Camus wrote in The Myth of Sisyphus, "the struggle itself towards the height is enough to fill a man's heart." In the end, I'm with Camus in believing that once we recognize the futility of thinking cybersecurity will be solved, then we can accept the absurdity of believing it will go away as an issue. There will always be more to do.