Cybersecurity Policy in Flux
A number of key drivers for change in cybersecurity policy are in play, including significant legislation pending, more than a few international regulatory bodies meeting, companies beginning to publicly complain about hacking from allegedly government entities, and now the United States State Department raising access to Cyber as a fundamental policy of the United States. A conference hosted by the Stevens Institute on January 19 and 20th, chaired by Michael W. Wynne, 21s Secretary of the Air Force, addressed the dynamics of cybersecurity policy.
A Consensus to Protect the “Freedom of Cyberspace”
The goal of the conference was to shape an academically focused guidebook to be used by all parties as a sourcebook for Cybersecurity Policy as the leadership in corporate and government discern how to balance the push for productivity and economic benefit to society, on the one hand, with the growing demands for government intervention to protect this newly seen Freedom of Cyberspace from malefactors, and malicious behavior stemming from individual and group actions, on the other.
Panels from Energy, Financial, Medical, and Government as well as service providers gave their perspective of the current state of policy. Two areas came to the fore quickly.
- Directing Accountability
First, there is a need to increase the capability of attribution and forensics in the area of directing accountability. This is balanced by the concern for suppression by coercion activists by the same attribution. As was brought out early in the conference was the thought that attribution and forensics by law enforcement or by the military or even by corporations needed as well an explanation for what purpose, and to what end coupled with some higher moral or legal permissions such that actions would benefit society.
- Attributing Liability
The second area that came out was safe software or liability attribution for unsafe software or connectible infected hardware. At present the domain is a buyer beware sales area with great toleration for patches and updates to fix problems.
There seemed to be similar pressure as with the electrical industry early in its maturity that led to the use of ‘Underwriter Laboratories’ but no strong central authority such as the insurance companies to be the backstop. As the cautious aviation industry explores the next generation air transport system they are planning on vetting each piece of software, and conducting multiple tests of the hardware coupled with active security architectures aimed at increasing safety and reliability, while gaining productivity. This frames the alternative, with the developer, here the Government, taking on the liability for each element. In the case of the service providers, they evidenced a very high sensitivity to security, but their primary thrust is increasing client access, speed, and utility; and their concern was the general premise that regulation tends to slow the speed of evolvement, and therefore their market.
A Tough Balancing Act
The medical panel felt the pressure of the President’s objective for electronic records to increase productivity but worried as the opposing pressure from wireless technologies exposed them to intrusion and privacy issues. The venture capital panel hit hard on the current lack of funding available for technology starts and wondered about whether legislative thrusts would further inhibit funds available. They also went through the legislation and characterized some of its stronger parts as to roles and missions, and the strong educational thrust. There was as well a desire to lift some of the current immigration rules as they apply to technology workers.
All of the panels suggested strong international cooperation and collaboration and some international representatives went over the present state of regulation and concerns in their own countries. This was reinforced by the lunch and dinner speakers that each asked for a voluntary framework for security policy but acknowledged that randomness of intensity and application left the field open to problems.
That said the framework of the Rockefeller-Snowe Bill was used as a foil and deemed as overreach; but also was acknowledged as a sign that the legislative side was hearing complaints without satisfaction. The allegation of government-sponsored attacks, though with at present circumstantial logic for proof, has also stirred nationalistic calls for stronger, and better technologies in this clearly asymmetric area of technology. With today’s military relying on greater net-centric command and control continuing to strengthen defenses to allow continued operations is an imperative.
* The academic oriented Guidebook for Cybersecurity policy is well underway, with active contributions by attendees as requested by the Conference Technical Chair Dr. Joseph Mitola, and strong editing by author Jennifer Bayuk of the Stevens Institute Faculty. It was looked at in draft by the attendees for comment, and should be available widely by mid to late spring.
** On a final note: Melisa Hathaway was awarded the Steven Institute Award for professional excellence, the first time it has been granted, for her body of work under two Presidential Administrations in the field of Cyberspace Policy.
***Posted January 26th, 2010