Communications of the ACM

of attack, for all attack classes, will be equally difficult, and above the cost and risk thresholds of the attackers.

Implications. This depth-and-
breadth principle implies that the cy-
bersecurity engineer must have a firm
understanding of the entire spectrum
of cyberattacks, not just a few attacks.
More broadly, the principle suggests
the cybersecurity community must de-
velop better cyberattack taxonomies
that capture the entire attack space,
including hardware attacks, device
controller attacks, operating system
attacks, and cyberattacks used to af-
fect the beliefs of people. Further, the
principle also means that cybersecuri-
ty measures must be properly charac-
terized in terms of their effectiveness
against the various portions of the
cyberattack space. Those who create
or advocate for various measures or
solutions will be responsible for creat-
ing specific claims about their cyber-
attack-space coverage, and analysts
will be responsible for designing tests
to thoroughly evaluate the validity of
those claims. Lastly, cybersecurity
architects will need to develop tech-
niques for weaving together cyberse-
curity in ways that create true depth,
measured by how the layers alter the
probability of success an adversary
will have for the targeted attack class.
Said a different way, the effectiveness of
depth could be measured by how miser-
able it makes an attacker’s life.

• Failing to plan for failure guaran-
tees catastrophic failure { 20.06}.

Description. System failures are inevitable { 19.01, 19.05}. Pretending otherwise is almost always catastrophic. This principle applies to both the mission system and cybersecurity subsystem that protects the mission system. Cybersecurity engineers must understand that their systems, like all systems, are subject to failure. It is incumbent on those engineers to understand how their systems can possibly fail, including the failure of the underlying hardware and other systems on which they depend (forexample, the microprocessors, the internal system bus, the network, memory, and external storage systems). A student of cybersecurity is a student of failure {07.01} and thus a student of dependability as a closely related discipline. Security requires reliability; reliability requires security {05.09}.

Rationale. Too many cybersecurity engineers forget that cybersecurity mechanisms are not endowed with magical powers of nonfailure. Requirements can be ambiguous and poorly interpreted, designs can be flawed, and implementation errors are no less likely in security code than in other code. Indeed, security code often has to handle complex timing issues and sometimes needs to be involved in hardware control. This involves significantly more complexity than normal systems and thus requires even more attention to failure avoidance, detection, and recovery {05.10}. Yet the average cybersecurity engineer today seems inadequately schooled in this important related discipline.

Implications. Cybersecurity engineering requires design using dependability engineering principles. This means that cybersecurity engineers must understand the nature and cause of faults, how the activation of faults lead to errors, which can propagate and cause system failures. 1 They must understand this not only with respect to the cybersecurity system they design, but all the systems on which the system depends and which depend on it, including the mission system itself.

•Strategy and tactics knowledge

enemy of cybersecurity because of the difficulty of arguing that complex systems are correct { 19.09}.

• Depth without breadth is useless;
breadth without depth, weak {08.02}.

Description. Much ado has been made about the notion of the concept of defense in depth. The idea is often vaguely defined as layering cybersecurity approaches including people, diverse technology, and procedures to protect systems. Much more precision is needed for this concept to be truly useful to the cybersecurity design process. Layer how? With respect to what? The unspoken answer is the cyberattack space that covers the gamut of all possible attack classes as shown in the accompanying figure.

Rationale. One must achieve depth with respect to specified attack classes. Mechanisms that are useful against some attack classes are entirely useless against others. This focusing idea fosters an equally important companion principle: defense in breadth. If a cybersecurity designer creates excellent depth to the point of making a particular class of attack prohibitive to an adversary, the adversary may simply move to an alternative attack. Thus, one must cover the breadth of the attack space, in depth. Ideally, the depth will be such that all avenues

Defense depth and breadth in a cyberattack.

Depth = 2

Depth = 1

Depth = 3

Attack space Attack class within the attack space where size corresponds to number of attacks in the class The subset of attacks classes covered by a security control