Common risks, common responses, and the ambivalence of innovation.
The remarks of policy leaders who spoke at the third annual Billington CyberSecurity Summit, held March 21st, 2018, in Washington, DC, exhibited in both content and tone a striking agreement on the normalization of cyberspace, more evidence of the domain's having become a regular part of government and industry planning and operations.
Partnership involves acceptance of common risk.
In his keynote, Harry Coker, Jr., Executive Director of the US National Security Agency, reviewed such advances in cooperation and respect approvingly. He noted that partnership involves acceptance of common risk. Most critical infrastructure lies outside the scope of national security systems, but it's none the less important and vital for all that.
There were familiar discussions of the importance of information-sharing among government and industry partners, but it was also clear that such sharing is now regarded as far more routine, and far less an aspirational cliché, than it has been, with increasingly well-understood mechanisms in place to facilitate it.
Cybersecurity exercises are now mainstream.
Cybersecurity exercises, for example, have developed into common practices that increasingly include partners. They've also developed along familiar military lines, planned with a view to both testing and training, and subjected to thorough after-action reviews upon conclusion. They now form an important part of government, alliance, and even industry planning cycles, with lessons learned in exercises figuring prominently in planning.
There's also general agreement that collaboration requires a realistic appreciation of the resources various stakeholders in different sectors control. Governments recognize that every threat transits privately owned infrastructure at some point, and many, arguably most, critical assets are in private hands. There's also a question of capacity, particularly in a labor market as constrained as cybersecurity's.
Smaller nations are strongly motivated to punch above their weight.
Taimar Peterkop, Estonia's Director General, Information Systems Authority, referred several times to the importance of "like-minded nations" working together to manage the risks posed by a common threat. The phrase is a significant one: as important as formal alliance structures (NATO, the EU, ASEAN, and so forth) remain, they were seen by participants as more enabling than restrictive. The "like-minded" can and do work together bilaterally to address common problems.
That the stakes can be unusually high for smaller nations, particularly highly developed ones, seems beyond dispute. Mohammed Altura (Kuwait's Chief, Information Technology Sector (CITRA)) noted that his country has a high level of connectivity and digital penetration, and that it had taken as national objectives inculcating a culture of cybersecurity and cybersecurity awareness, safeguarding national assets, and establishing collaboration among international partners.
David Koh, Commissioner of Cybersecurity for Singapore, said that, while his country placed first in ITU's recent cybersecurity index, it can't afford complacency. Singapore is a very highly connected city-state, with the world's fastest broadband and some two smartphones per citizen. It hosts vital supranational infrastructure in both finance and transportation. The country depends upon trust for its future, and thus must manage cyber risk effectively and attentively. He put the challenge it faces starkly: Singapore regards cybersecurity as "an existential issue."
A public health model of international cyber cooperation (but also imposition of consequences).
Jeanette Manfra (Assistant Secretary, Office of Cybersecurity and Communications, National Protection and Programs Directorate, US Department of Homeland Security) said in her keynote, "Interconnection makes our domestic mission inevitably international. We must begin to think in terms of international cyber public health." For all of globalization's many advantages, systemic risk grows with the growth of a global supply chain. She argued that information-sharing "at scale and at speed" was the essential next step in strengthening digital public health.
She also offered some interesting comments on last week's Joint Technical Alert the FBI and the Department of Homeland Security issued with the cooperation of US-CERT. That alert unambiguously attributed a multi-stage campaign against critical infrastructure, particularly the electrical power grid, to Russia. Manfra explicitly linked the sanctions the US Administration shortly thereafter imposed on Russia to that alert, and she commended this as a good example of imposing costs on bad actors. Her connection of the latest round of sanctions to Russia's ongoing campaign against US critical infrastructure was striking. Most reports had cast the measures as principally, even exclusively, a response to Russian information operations during the 2016 US elections.
The ambivalence of innovation.
Many cybersecurity discussions tend to represent innovation as an unmixed good. If there's a problem, the way out is innovation. The speakers at the Billington International CyberSecurity Summit took a far less Panglossian view of the matter.
Robert Strayer (Deputy Secretary for Cyber and International Communications and Information Policy, US Department of State) called out one particular innovation, the coming of fifth-generation mobile technology, as representing a particularly risky inflection point. More generally, Kuwait's Altura specifically called out the "adverse consequences of technological advances" as one of the most important classes of threats his country faced.
But Singapore's David Koh offered the most extensive consideration of innovation's dark side: "We have to get a better understanding of the risks and vulnerabilities of new technologies. We can't concentrate only on the upside of technology and disregard the downside. That's a recipe for disaster. We exploit the technology, and run the risk of being exploited ourselves."