Risk management, regulation, and public policy.
By The CyberWire Staff
Mar 12, 2018

On March 8, 2018, Robert Rodriguez (SINET CEO) moderated a discussion between Kiersten Todt (President, Liberty Group Ventures) and Joseph Sullivan (former Commissioner, US Presidential Commission on Enhancing National Cybersecurity), both of whom worked together to formulate the Presidential Commission's recommendations on cybersecurity. They offered a broadly optimistic take on the direction of US national cybersecurity policy, but the two former Commissioners agreed that we're starting to see technologies being weaponized and used in ways we're not prepared for. They also agreed that they wanted to see more Government involvement and collaboration, but not necessarily more regulation.

Positive signs with respect to cyber risk management.

According to Todt, "The Trump policy is founded on risk management, and this is a positive first. We've begun to see the efficiencies of industry being pulled into Government." That said, she acknowledged that Government organization for cybersecurity remains a struggle. Breaches are inevitably driven from the news by other, fresh horrors, and we can expect to see a pattern of Congressional overreaction.

As Sullivan looked back at the Commission, he recalled wanting to see more information sharing, and this has happened with the Government's having mandated its own use of the NIST framework. He also wanted to see the Government use its spending power to influence private sector purchasing decisions. Government spending power can usefully push security.

Remaining work in cyber risk management: tech laggards, career paths, and collaboration.

Sullivan also felt that the Government had been a tech laggard. He also hasn't seen improvement in career paths; there may even have been a regression. By "career paths" he meant mainly the back-and-forth between government and the private sector one sees in the legal profession. A young lawyer works as a junior associate, moves for a while to service as a Federal prosecutor, then returns to a law firm, then returns to a Government position, and so on. He sees this as a positive model, and would like to see it replicated in cybersecurity. "Who in Government makes sure the Internet is good for small business? It doesn't feel that anyone does," he observed.

Problematic career paths aren't confined to Government. Sullivan argued that the immaturity of the CISO profession accounted for CISOs' under-representation on boards.

Rodriguez offered his own view that the Government had a cultural propensity to punish as opposed to reward risk-taking. Todt saw the movement of private sector veterans into Government as a positive development. "The question is," as she put it, "how do you bring industry into Government operations?" The Commission talked about pre-incident collaboration. Government knows nation-state activity better than anyone else. Being able to bring both sides together before something happens is necessary, and she saw some exchange programs becoming important.

"It's striking that cyber is the only place we expect a company to defend itself against a nation-state attack," Sullivan said. He thought we needed more incentives to foster collaboration and transparency if we're to redress this problem.

Risk management, responsibility, and risk aversion.

Security leaders aren't business leaders. They're risk managers, and this can pose problems for the security sector as a whole. Rodriguez noted that the two people he knew during his own time in the Secret Service who really improved the agency, "who were glassbreakers and risk-takers," never made it beyond GS14. So, he asked, should there be a cabinet secretary responsible for cyber security? Todt thought there were certainly strong reasons to look at how the Government handles cyber, but cautioned against "over-rotating on a problem" by creating a new bureaucracy. She did credit the current Administration with fixing Departmental responsibility for cybersecurity on each Department's Secretary, "but we have a lot of things we have to sort out before we consider organization."

Clouds, critical information, and the race between technology and regulation.

In response to Rodriguez's question about the effect of cloud migration on cybersecurity, Sullivan observed that security teams have stopped attending to network security, focusing instead on endpoint and application security. As a profession we should have embraced the cloud, he believed, but with a default of a minimum level of security.

Governments are increasingly looking at the protection of critical information. Where, Rodriguez asked, should Government take a role in such protection? Todt thought that Government eventually must do something with respect to aggregation of critical information. "We're just on the brink of understanding how this kind of information and the technology that carries it can be weaponized against us," she said. And Sullivan noted that the rate of technological change should serve as a cautionary principle with respect to regulation. "Government's role needs to change from regulation to collaboration and inspiration. Whenever we've tried regulation, we've seen that technology moves too fast."