Endgame CEO Nate Fick opened the morning by offering 10 propositions about the cybersecurity community. Number one was that the security community is failing. According to Fick, $50 billion was spent on cybersecurity last year, yet at least 75% of large enterprises were breached and adversaries were able to dwell on networks for an average of about 100 days before detection. For Fick, the security community is “in a state of systemic failure; we are not stopping the attackers.”
2. But that doesn’t mean the pursuit of cybersecurity is a lost cause.
In her remarks to close out the conference, New America CEO Anne-Marie Slaughter acknowledged that, while the cybersecurity industry may be in a state of systemic failure, cybersecurity itself has not yet failed, likening a total failure of cybersecurity to a complete breakdown in law and order. Even Fick noted that, “despite some bleak observations,” he believes that “the forces of order will prevail.” One thing nearly all of the speakers throughout the day could agree on: the future of cybersecurity is in developing the capacity of people in industry, government, and the general public as a whole.
3. To address cybersecurity at a policy level, policymakers need to begin to segment the issue.
In an unmoderated conversation with former NPPD head Suzanne Spaulding, former Special Assistant to the President and Cybersecurity Coordinator Michael Daniel observed the tendency—particularly in policy spheres—to view cybersecurity monolithically. Cautioning against this lens, Daniel suggested that in order to address cybersecurity policy shortcomings as a whole, policymakers need to break the issue down into bite-sized chunks. Daniel suggested a couple of ways to dissect the issue: based on actor type, like hacktivists, criminal groups, and nation states; and based on desired effects, like the theft of information, business disruption, or physical impact. To Daniel, each of these segments of the cybersecurity equation will require different policy responses.
4. Expect a new DHS cybersecurity strategy soon.
In a conversation with Ian Wallace, Cybersecurity Initiative Co-Director, Jeanette Manfra, Acting Deputy Under Secretary for Cybersecurity at DHS’s NPPD, told the audience that as early budget proposals signal more money flowing to DHS, the department is also working on a new strategy, particularly for securing the .gov. On the list for the new strategy? Improving IT infrastructure and procurement as well as creating a government-wide “dashboard” that will help DHS generate a better understanding of the risk profile across the federal government.
5. The states hold more data than the federal government and states play a crucial role in the cybersecurity of the nation. All 50 governors agree: cybersecurity is one of the most important policy issues at the state level.
In a conversation with New America CEO Anne-Marie Slaughter, Virginia governor Terry McAuliffe asserted that there is no bigger threat in the minds of the governors than cybersecurity. State governments hold more data than the federal government does, including critical private information like driver's license data, health data, and state tax information. As the chair of the National Governors Association, McAuliffe has made it his mandate to get all 50 states up to a “basic protection level.”
6. Speaking of the workforce, there is a “talent shortage” for cybersecurity, but not a “shortage of talent.”
In a late afternoon panel, New America Fellow Ted Johnson opened the conversation by noting that we have a talent shortage in the cybersecurity field, but not a shortage of talent to tap into. Representative Jim Langevin argued that we need to start developing the cybersecurity workforce earlier, noting that his state of Rhode Island recently became the first state in the US to offer coding classes at every high school in the state. We have many qualified candidates who, for any number of reasons, may lack the credentials that make them easily appealing to organizations looking for cybersecurity talent, an issue Microsoft’s Angela McKay addressed head-on, noting that credentials and qualifications are not the same thing and that industry needs to rethink its hiring strategy based on that recognition. In the end, McKay argues that the problem isn’t just with the cybersecurity workforce. Because nearly every company is now a tech company in some form, we cannot just focus on building a cybersecurity workforce; we must also focus on building cyber-savvy into the broader workforce.
7. Internationally, efforts have fallen short of delivering global cyber stability.
Shifting to international affairs, Marina Kaljurand, former Foreign Minister of Estonia and the head of the new Global Commission on Stability in Cyberspace, told former National Intelligence Officer for Cyber Issues Sean Kanuck that international efforts, while productive, have fallen short of delivering global stability thus far. Kaljurand argued that the GGE, while useful, cannot solve all the problems, as ideological differences persist globally. Some see the benefits and opportunities of ICT, while others still view connectivity as a threat to stability. Nonetheless, for small countries like Estonia, international law and norms are security and stability, but there is still disagreement about their application to cyberspace. Moving forward, state practice and political decisions will begin to drive norms as much—if not more than—diplomatic negotiations.
8. So what can we expect from major international players?
In a panel moderated by Cybersecurity Initiative Policy Analyst Robert Morgus, Elaine Korzak, Jackie Kerr, and Graham Webster argued that philosophical differences persist over international cybersecurity policy. Webster and Kerr highlighted that Chinese and Russian thinking on cybersecurity issues has continued to evolve, but remains couched in domestic concerns like the stability of the state, which often translates to an expansion of cybersecurity to include the state’s ability to control information and narratives. In contrast to Russia and China, Elaine Korzak used the new German and UK cybersecurity strategies as examples of how western strategies continue to view cybersecurity more narrowly, focusing on the network security of government networks and critical infrastructure.
9. What do Justin Bieber, Nigeria, and blenders have in common? Cybersecurity in 2023, apparently.
In an improvised panel that took its cues from Twitter and the audience, Ross Schulman and a panel of UC Berkeley’s Betsy Cooper, the NTIA’s Allan Friedman, and Public Knowledge’s Megan Stifel wargamed a future internet apocalypse involving insecure IoT-connected Christmas presents manufactured in Nigeria, a Justin Bieber data breach, and insecure IoT-connected blenders. When pushed on what sorts of policy interventions could prevent this bleak future, the Director of Cybersecurity Initiatives at the NTIA Allan Friedman argued that we cannot fix the consumer cybersecurity problem by getting people to “nerd better.” Instead, we need to put policies in place that incentivize companies to think about security instead of just “quickness to market,” according to Betsy Cooper, the Executive Director of UC Berkeley’s Center for Long-Term Cybersecurity.
10. Diversity matters.
A refrain spoken throughout the day was, “this doesn’t feel like a typical cybersecurity conference.” It didn’t look like one either. The broad range of people present among the audience and speakers alike fostered rich and unique conversations, demonstrating precisely the same fact that presenters emphasized throughout the day: diverse teams generate better thinking. Moreover, broadening the image of who belongs in cybersecurity also allows the industry to tap into larger talent pools, and to quote Endgame’s Nate Fick in his opening statement at the conference, “the arc of great talent bends towards diversity.”