Cybersecurity Interrupted

Last night, in collaboration with Foreign Policy Interrupted, we hosted a discussion addressing the key geopolitical trends and challenges in cybersecurity. We were fortunate to have a great group of experts with backgrounds in academia, government, and industry discuss some of the most important foreign and domestic cybersecurity policy issues.

We kicked off the panel discussion with a series of comments and recommendations on the President’s impending Executive Order (EO) on cybersecurity, a draft of which had been released earlier in the week. The role of the private sector dominated a range of the discussion. This wasn’t the normal public/private partnership information sharing discussion that by this point is passé at best. Instead, there was an emphasis on getting that relationship right across a range of areas, including incentives for the private sector to pursue better ‘cyber hygiene’ (everyone’s least favorite industry term). Since the draft EO references the need for these incentives, we addressed what these incentives may look like in practice.

Similarly, instead of focusing a large review effort on a well-known area such as the adversary landscape, as the draft EO recommends, we analyzed the utility of a cross-sector review of the best practices and lessons learned from previous private-public sector responses to digital intrusions. Panelists argued that these should range from collaborative efforts, such as the FBI-Microsoft collaboration to bring down the global Citadel botnet, to incident response, such as the response to the Sony attack. There are numerous examples of these collaborative efforts, yet little insight has been gleaned and shared to improve defenses and responses.

Photo caption: Our panel included experts from academia, government and industry.

It was also noted that there is plenty of room to grow the relationship between the public and private sector, especially when it comes to innovative policy. Current US policies are decades old and still reminiscent of the Cold War landscape. These desperately need to be modernized, and require private sector input to help avoid another Wassenaar Arrangement, which had good intentions but can decrease defensive capabilities.

Several members noted that in addition to the well-known cultural divide between DC and Silicon Valley, the actual lexicon further hinders policy progress in information security. The use of terms like ‘cyber bomb’ and grouping every kind of intrusion as a cyber attack does nothing but hinder collaboration, confuse the public about the nature and impact of various kinds of intrusions, and limit any advances in policy. Panelists also called for moving beyond narrowly defined concepts of deterrence (which confusingly import conceptual frameworks directly from nuclear deterrence). This lack of conceptual fidelity regarding terminology and common lexicon is well known, yet remains largely under-addressed.

Fortunately, there also are plenty of efforts to build upon, and no need to reinvent the wheel. For instance, the draft EO notes the necessity of addressing workforce pipeline challenges. In many regards, this reinforces former President Obama’s Cybersecurity National Action Plan (CNAP), and the $3.1 billion for IT modernization, as well as an emphasis on protecting privacy and public safety, and the workforce. Our panel discussed the well-known workforce shortage, but also reinforced the necessity to think even broader than computer science and STEM. While those should absolutely be the bedrock of growing the workforce, we must not forget the socio-technical nature of information security. For example, there is a dearth of lawyers with expertise in this area, policymakers who can straddle tech and policy, or designers specializing in information security.

In addition, the draft EO addresses the need for a holistic review of vulnerabilities across the government. Again, this is an intuitive recommendation, and supports some of the most innovative efforts in the government right now, including Hack the Pentagon and the follow-on Hack the Army bug bounty programs. Instead of relying on reviews that are mired in bureaucracy, the government should build upon agile, impactful, and cost-saving approaches to both identify vulnerabilities and strengthen defenses.

As often happens when you get a group of experts passionate about their work, it was a lively discussion, but by no means could we cover everything within such a short time-frame. There is plenty left to discuss for future events like this, including the global expansion of censorship, the impact of AI, declaratory policies, and the role of norms, just to name a few. Thanks to everyone who joined us last night, including Michèle Flournoy (CNAS), Nancy Youssef (Buzzfeed), Shannen Parker (Cyber Command), Nina Kollars (Franklin & Marshall), Emmy Probasco (JHU/APL), and Lauren Bohn (Foreign Policy Interrupted) for their contributions and participation.
