“This is essentially a memo to the next president, a transition memo.”
That’s how Tom Donilon, former National Security Advisor to President Obama, described the report that the Commission on Enhancing National Cybersecurity will present to the White House in December.
Donilon was speaking at the June 21 meeting of this commission, which was established by President Obama earlier this year to provide his successor with an understanding of the landscape of cybersecurity challenges facing the nation. The meeting, held at UC Berkeley’s International House, was hosted and coordinated by the Center for Long-Term Cybersecurity, in partnership with a team from the National Institute of Standards and Technology (NIST).
“As the economy moves on to new tech platforms, the security challenges evolve as well,” Donilon said. “How do you think about these security challenges in the future—and how should we in government, in the private sector, and as citizens address these challenges? What are the signal ideas that can form the basis of programming for the next 5-10 years?”
Among the questions raised at the meeting: how can the federal government better promote collaboration with the private sector? Should the government impose rules, like seatbelt laws, to encourage Internet users to use the web more safely? How can the public and private sector work together better in sharing threats and developing standards? Should makers of refrigerators and “internet of things” devices be required to maintain security for the products they sell?
“I’m really glad to see, as a Cal alumni, that Berkeley is making itself a player in the intersection between technology and policy on cybersecurity issues,” said Alex Stamos, Chief Security Officer for Facebook, in an interview. “The next president is going to be the first president where cybersecurity is one of their top national security concerns. It’s great that, at the end of this, people will be thinking about, what kind of recommendations should be on the desk of the next president on day one?”
Addressing Security Challenges
The commission’s meeting at UC Berkeley was structured around a series of panels, in which leaders from industry, government, and philanthropy shared ideas and recommendations with the commission.
In a panel on “Addressing Security Challenges to the Digital Economy,” panelist Patrick Heim, Chief Trust Officer for Dropbox, noted that there has been a “failure of economics in security” because the long-term costs of keeping technology devices secure are not sufficiently built into their initial price. “Technology appears cheaper than it actually is,” Heim said. “How do you truly identify the long-term cost to maintain security of the system?”
Several panelists suggested the government could do more to promote education and training around cybersecurity. Hemma Prafullchandra, Executive Vice President and Chief Technology Officer of Products for HyTrust, a Silicon Valley security company, recommended more pre-K through 12 education. She also said that an “internationally holistic approach” is essential because cybersecurity policy “is not just something the nation decides.”
She also suggested improved standards, similar to safety standards that helped normalize the electricity industry. “Nobody worries when plugging into power outlets, but it seems that we’re still waiting for a major disaster before we take adequate measures,” she said.
Facebook’s Stamos also recommended more government-supported efforts to train cybersecurity experts for the future. “We have a real lack of talent in our space,” Stamos said. “That’s something the government is good at, creating long-term educational incentives.” Stamos also noted that the government could make it easier for companies to create a “regulatory safe space,” where companies can more effectively share information about bugs and attacks.
A key goal of the commission is to gather insights from institutions outside government. General Keith Alexander, a commissioner and former director of the National Security Agency, said that the commission should be wary of focusing too much on U.S.-based companies, and he noted that more global collaboration is necessary, pointing out that a plan by NATO to make cybersecurity an operational priority “presupposes that everyone has the same definition of what we’re going to do.”
“Our government can’t do this without industry support, and shouldn’t do it without working internationally,” Alexander said. “The real question is, how do government and industry move the discussion forward in a more reasoned way?”
Philanthropies should also be in the dialogue, said Eli Sugarman, Cyber Initiative Program Officer for the William and Flora Hewlett Foundation—the seed funder of the Center for Long-Term Cybersecurity. Sugarman pointed out that, while Hewlett is the largest investor in tackling the cyber challenge, “an order of magnitude larger of funding is needed on cyber policy issues.”
He encouraged the government to do more, and pointed out that “unfortunately, few leading innovators or entrepreneurs are investing in a secure, stable, resilient internet from which they have built their companies.”
Eric Grosse, Vice President of Security Engineering for Google, encouraged more collaboration around identifying threats, and encouraged more effective use of the types of “red team” exercises that security professionals use to identify security gaps. Asked by commission-member Joe Sullivan, Chief Security Officer for Uber, what the role of government should be in helping private companies improve security, Grosse said “the best the government could do is set a better example itself.”
In a panel on “Innovating to Secure the Future of the Digital Economy,” Gilman Louie, Partner with Alsop Louie Partners—and former CEO of In-Q-Tel—noted that nations should think about cyberspace “like any other natural resource,” and he stressed the importance of long-term thinking on this issue. “We’re not investing to solve today’s problems, we’re investing to solve problems that we project out 5-10 years from now,” Louie said. “Understanding that policy framework, understanding what that international deal is going to look like, understanding the capabilities and technology is critical to making this happen.”
Mark McLaughlin, Chairman, President, and CEO of Palo Alto Networks—and Chair of the National Security Telecommunications Advisory Committee—also reminded the panel of the importance of getting out ahead of the challenge, particularly as “increasingly automated adversaries are dramatically outpacing what is increasingly a manual defense.“
McLaughlin pointed out that “increasingly efficient and sophisticated attacks are leading some to question whether the technological foundation upon which we’re building the future of smart homes and self-driving cars and the new digital economy have some very deep structural flaws, so this is ultimately just a matter of trust.”
Ted Schlein, Managing Partner for Kleiner Perkins Caufield & Byers (KPCB), a leading venture capital firm, presented five recommendations to the panel, including improving standards for measuring corporate cyber risk; he called for a “risk preparedness index” to measure the “people, processes, and policy and technology configurations by each critical infrastructure sector of our country.” He also suggested that companies in certain sectors should be required to have a cybersecurity expert on their boards, similar to a financial auditor.
Following this third panel, Professor Steven Weber and Faculty Director for the CLTC, spoke about the need for universities, government, and companies to continue to work together on “shortening the transmission belt” required to turn basic research into policy, action, and market-ready innovations. “Technologies are taking too long to find their way out of the lab and into the product,” Weber said. “As that transmission belt shortens, you’ll be creating the kind of incentives that university researchers need to actually do things that serve the public interest in an immediate and focused way.”
In keeping with CLTC’s mission, Weber also spoke on the importance of thinking about the long-term landscape of cybersecurity. “The notion of a transition memo focuses people’s minds on the 100-day window during which a new administration can make dramatic moves and profound decisions,” Weber said. “I’d like to highlight some thoughts that have come out today—and from our work [at CLTC]—about the 1000-day memo, which I think the transition memo ought to address as well.”
CLTC would like to thank our partners at NIST for their excellent support throughout the planning and execution of this meeting. Audio recordings of the proceedings can be found below. You can also join the conversation about the event on Twitter at https://twitter.com/hashtag/whcybercomm. A video showcasing highlights from the event can be found here.