Advice for the Next President on Cyber Security
Given that a new Administration will take office in the US this coming January, the Billington CyberSecurity Summit assembled a panel of experts to review policy recommendations for whoever is elected in November.
Moderated by Major General (retired) Earl Matthews (now with Hewlett Packard Enterprise), the panel included NIST's Kiersten Todt (Executive Director, Presidential Commission on Enhancing National Cybersecurity), Cylance's Global CISO Malcolm Harkins, Karen Evans (Co-Chair of the Center for Strategic and International Studies Task Force on Cybersecurity for the 45th Presidency), and Admiral (retired) Thad Allen (now of Booz Allen Hamilton).
Matthews opened by outlining the key elements of US cyber strategy and asking the panel to comment on them. Evans took up issues surrounding data. The US, she said, must come to grips with data ownership, because much flows from simply understanding who owns data. She thought it an absurdity that responsibility should be so often bifurcated. "Data is information," she said, so why do we now see Chief Data Officers as well as Chief Information Officers?
Harkins took up privacy. In his view, the security discussion is too often separated from the privacy discussion. "We should design for both."
Policy inevitably deals with authority. Todt wanted the next Administration to arrive at clarity with respect to lines of authority—these lines continue to evolve, in part because they tend to respond to the opportunism the threats display.
Allen thought the most important thing for a new Administration to realize is the way society is now fully, holistically connected. "There's a new ecosystem," Allen said, and he called the shift to that new ecosystem "the sociological equivalent of climate change."
With respect to commerce and both domestic and international law, the panel characterized the existing legal framework as being, essentially, one that antedates cyberspace. Its basic foundation goes back to the 1980s, but in some cases in the US back to the Communications Act of 1934. We want growth and freedom, but not lawlessness. Harkins agreed. We're in a globalized IT ecosystem, but we live within an old linear approach that's outstripped by the trade and policy issues that new ecosystem poses. "Innovation always outstrips security," Todt said, and we have yet to create agreements that can govern a global economy.
Observing (to general applause) that "the last way you want to solve a problem is by regulatory action," Allen called for the next Administration to foster a cooperative approach by government and the private sector to the challenges of cyber security. He sees the government's role as shifting from regulation to oversight. In such cooperation, Harkins suggested that the parties take an "outcomes-based approach," asking always how what they did affected the outcomes for other stakeholders. Evans agreed that there should be certain minimal regulatory standards, but that the market should be permitted to drive wherever it's possible for the market to do so. "Security will become a market differentiator. Industry always responds when the dollars move." In Todt's view we already have a positive model in the NIST Framework, which she characterized as one of the most productive approaches to security on offer in recent years. She noted that the private sector, facilitated by NIST, is the source of the policies and practices that Framework suggests.
Turning to international norms, Matthews asked the panel what world bodies the US should look to in order to improve cyber behavior. Harkins demurred that "bodies" were unlikely to be effective, and that the best results would be achieved by state-to-state contact. Allen and Todt agreed. Some global bodies have their utility, but progress was likely to come only from nation-to-nation negotiation and understanding.
If, as Matthews suggested, the next Administration would seek to continue promotion of the values associated with classical liberal democracy, how should it do so in cyberspace? The panelists offered a range of reactions. Harkins thought attempts to regulate legitimate use of technology would prove to be challenging, and Allen said that the next Administration would need to understand and embrace technology. Evans did as well, observing that new technology typically discloses its value and its application only through use. Harkins thought the Cold War-era Voice of America might serve as a historical model of engaging users of social media, and commended that model for study. Todt advised looking at human behavior. When we create products, people find new uses (and abuses) for them, and Allen agreed: we should prepare ourselves to recognize threats that emerge from technologies that are benign in their origin and design.