Associate Provost at Georgetown University and cyber expert on the CSIS Cyber Security Commission, Professor Marjory Blumenthal spoke with The New New Internet about the White House Cyber Security Policy. Professor Blumenthal believes a trial-and-error model is needed to create effective change in cybersecurity, and that international cyber law will eventually be utilized and could take a form similar to the OECD's. Research is key to solving the cybersecurity problem, according to Professor Blumenthal, in contrast to a recent TNNI interview with ISA's Larry Clinton.
The New New Internet: What do you believe the role of academia will be in the White House with the new emphasis on cybersecurity?
Marjory Blumenthal: The most important academic role is in research. Academia is where a lot of the new ideas for computing and communications originate. The truly new ideas for changing paradigms and for more-than-incremental improvement come from the academic side. Academia also analyzes the nature of policies, of course.
The New New Internet: What does a Cyber Coordinator need to be successful?
Marjory Blumenthal: This is, in some ways, the $64,000 question. To begin with, people are not exactly sure what the national-level Chief Technology Officer will be doing. There is maybe greater understanding of what the Chief Information Officer will be doing (but still some uncertainty), and then when you add in this other position that at least seems to overlap with the CIO position, there are a lot of questions. The Cyber Coordinator position is squarely involved with policy. The person will ideally coordinate the defense perspective with the economic perspective–they are both very important but sometimes competing; that is the concern. If there is an individual who can actually do meaningful coordination and help with balancing of interests, that would be a step forward.
The New New Internet: In order for government to cooperate with the private sector should a monetary incentive be used?
Marjory Blumenthal: We don't have a well-functioning insurance system, and we don't have that kind of monetary or market incentive in cybersecurity, as we do in other arenas. It's hard to underwrite the cybersecurity risk. When it comes to something like fires you can model certain circumstances that are associated with fires: how do they get started, how long do they last and how bad are they, and so on. Cybersecurity is fundamentally a creature of human misbehavior. It's very unpredictable. There is not the same kind of science with it as with other risks, and that has made it hard for people to underwrite and for the insurance markets to develop. Ultimately, liability is something that can be connected with insurance, and it can provide an incentive for people to make sure that they have done the most that they can to protect themselves, recognizing that they may not be able to do a good enough job figuring out what they are trying to protect themselves against.
The New New Internet: How important is increased public awareness compared to all of the other key points mentioned in the 60-Day Cyberspace Review?
Marjory Blumenthal: Public awareness is a perennial–no comprehensive national strategy would be complete without it. There are real questions of how far you can go with it. The nature of the cybersecurity problem can be a little bit abstract, and the reality of our daily lives is that most people can function even with a compromised system without realizing that there is a problem. If you look at what has happened with the anti-virus software market, growth in public awareness allowed the market to take off, validating that public awareness can be helpful.
The New New Internet: Do we need a cybersecurity international institution or does one already exist? Is regulation of cybersecurity on a global level necessary?
Marjory Blumenthal: There are some basics that are needed; people have to agree on what is criminal activity. Somebody in country A may do something that isn't a crime but it affects us in country B, where it is a crime. A little bit of trial and error is needed, but over time you get greater alignment. The OECD, which brings together developed nations, has fostered a lot of discussion about how member nations can collaborate on both diagnosing the problem and on cooperating and addressing problems, but that's 30 nations out of a much larger number. There are other forums that try to cast a more truly global network of discussion, but not every country sees it as in its interest to collaborate. Right now this is a great time of exploration of how to think about the international problems and what the solution space looks like. We're just not there yet. The discussions that are taking place in forums like the OECD make up one of several necessary steps for getting people in different countries, different kinds of government agencies, and different levels of authority or expertise to talk to each other about what would work on a global basis, because there is only so much we can do unilaterally. There is only so much impact that our U.S. legislation is going to have because of the global context. I think the new structures that will emerge coming out of the sixty-day plan will also address the international relations aspects, but we have a long way to go before we see clearly the kinds of outcomes that we would like to have and the kinds of tactics, regulatory or other, that we need to get from here to there.
The New New Internet: What will cybersecurity look like in two to three years if all things go well?
Marjory Blumenthal: I think the best possible scenario is that we get a coordinator that really does advance coordination. That is the first step, and it would help us to move closer to a true strategy engaging multiple parts of the government in a meaningful way, with effective connections to the economy. In the 1990s there was great enthusiasm for the "national information infrastructure," and although the process was messy, you saw a lot of people in a lot of agencies and in the private sector talking about the same set of issues. That was a kind of model of coordination. It would be good to see clearer thinking and a more explicit discussion about the balance between security and protection of civil liberties. We have national interest on both sides, and sometimes when the conversation focuses only on security you can, for example, get people saying "Ok, we're trying to have more accountability, therefore we need to have more authentication." They roll out the authentication without thinking about how the design of a product or the implementation of a system can be done with more (or less) sensitivity to the privacy implications. Encouragement of privacy-sensitive security would be in the national interest. Finally, if we want to grow the capability to solve tomorrow's problems, which we expect to be a lot worse, then we have to get going with the research that we need today because it will take a long time for that to bear fruit.