Laura Bate
Cybersecurity Policy Fellow
1. Cybersecurity companies are not delivering on their promise.
Endgame CEO Nate Fick opened the morning by offering 10
propositions about the cybersecurity community. Number one was that the
security community is failing. According to Fick, $50 billion was spent on
cybersecurity last year, yet at least 75% of large enterprises were breached
and adversaries were able to dwell on networks for an average of about 100 days
before detection. For Fick, the security community is “in a state of systemic
failure; we are not stopping the attackers.”
2. But that doesn’t mean the pursuit of cybersecurity is a lost cause.
In her remarks to close out the
conference, New America CEO Anne-Marie Slaughter acknowledged that, while
the cybersecurity industry may be in a state of systemic failure, cybersecurity
itself has not yet failed, likening a total failure of cybersecurity to a
complete breakdown in law and order. Even Fick noted that, “despite some bleak
observations,” he believes that “the forces of order will prevail.” One thing
nearly all of the speakers throughout the day could agree on: the future of
cybersecurity is in developing the capacity of people in industry, government,
and the general public as a whole.
3. To address cybersecurity at a policy level, policymakers need to begin to segment the issue.
In an unmoderated conversation with former NPPD head
Suzanne Spaulding, former Special Assistant to the President and Cybersecurity
Coordinator Michael Daniel observed the tendency—particularly in policy
spheres—to view cybersecurity monolithically. Cautioning against this lens,
Daniel suggested that in order to address cybersecurity policy shortcomings as
a whole, policymakers need to break the issue down into bite-sized chunks.
Daniel suggested a couple of ways to dissect the issue: based on actor type,
like hacktivists, criminal groups, and nation states; and based on desired
effects, like the theft of information, business disruption, or physical
impact. To Daniel, each of these segments of the cybersecurity equation will
require different policy responses.
4. Expect a new DHS cybersecurity strategy soon.
In a conversation with Ian Wallace, Cybersecurity Initiative Co-Director,
Jeanette Manfra, Acting Deputy Under Secretary for Cybersecurity at DHS’s NPPD,
told the audience that as early budget proposals signal more money flowing to
DHS, the department is also working on a new strategy, particularly for
securing the .gov. On the list for the new strategy? Improving IT
infrastructure and procurement as well as creating a government-wide
“dashboard” that will help DHS generate a better understanding of the risk
profile across the federal government.
5. The states hold more data than the federal government, and states play a crucial role in the cybersecurity of the nation.
All 50 governors agree: cybersecurity is one of the most important policy issues at the state level.
In a conversation with New America CEO
Anne-Marie Slaughter, Virginia governor Terry McAuliffe asserted that there is no
bigger threat in the minds of the governors than cybersecurity. State governments
hold more data than the federal government does, including critical private
information like driver’s license data, health data, and state tax information.
As the chair of the National Governors Association McAuliffe has made it his
mandate to get all 50 states up to a “basic protection level.”
6. Speaking of the workforce, there is a “talent shortage” for cybersecurity, but not a “shortage of talent.”
In a late afternoon panel, New America Fellow
Ted Johnson opened the conversation by noting that we have a talent shortage in
the cybersecurity field, but not a shortage of talent to tap into.
Representative Jim Langevin argued that we need to start developing the
cybersecurity workforce earlier, noting that his state of Rhode Island recently
became the first state in the US to offer coding classes at every high school
in the state. In the end, we have many qualified candidates, who for any number
of reasons may lack the credentials that make them easily appealing to
organizations looking for cybersecurity talent, an issue Microsoft’s Angela
McKay addressed head on, noting that credentials and qualifications are not the
same thing and that industry needs to rethink its hiring strategy based on that
recognition. In the end, McKay argues that the problem isn’t just with the
cybersecurity workforce. Because nearly every company is now a tech company in
some form, we cannot just focus on building a cybersecurity workforce; we must
also focus on building cyber-savvy into the broader workforce.
7. Internationally, efforts have fallen short of delivering global cyber stability.
Shifting to international affairs, Marina Kaljurand,
former Foreign Minister of Estonia and the head of the new Global Commission on
Stability in Cyberspace, told former National Intelligence Officer for Cyber
Issues Sean Kanuck that international efforts, while productive, have fallen
short of delivering global stability thus far. Kaljurand argued that the GGE,
while useful, cannot solve all the problems, as ideological differences persist
globally. Some see the benefits and opportunities of ICT, while others still view
connectivity as a threat to stability. Nonetheless, for small countries like
Estonia, international law and norms are security and stability, but there is
still disagreement about their application to cyberspace.
Moving forward, state practice and political decisions will begin to drive
norms as much—if not more than—diplomatic negotiations.
8. So what can we expect from major international players?
In a panel moderated by Cybersecurity Initiative Policy Analyst Robert Morgus,
Elaine Korzak, Jackie Kerr, and Graham Webster agreed that philosophical differences
persist over international cybersecurity policy. Webster and Kerr highlighted
that Chinese and Russian thinking on cybersecurity issues have continued to
evolve, but remain couched in domestic concerns like the stability of the
state, which often translates to an expansion of cybersecurity to include the
state’s ability to control information and narratives. In contrast to Russia
and China, Elaine Korzak used the new German and UK cybersecurity strategies as
examples of how western strategies continue to view cybersecurity more
narrowly, focusing on the network security of government networks and critical infrastructure.
9. What do Justin Bieber, Nigeria, and blenders have in common? Cybersecurity in 2023, apparently.
In an improvised panel that took its cues from Twitter and the audience, Ross Schulman and a
panel of UC Berkeley’s Betsy Cooper, the NTIA’s Allan Friedman, and Public
Knowledge’s Megan Stifel wargamed a future internet apocalypse involving
insecure IoT-connected Christmas presents manufactured in Nigeria, a Justin
Bieber data breach, and insecure IoT-connected blenders. When pushed on what
sorts of policy interventions could prevent this bleak future, the Director of
Cybersecurity Initiatives at the NTIA Allan Friedman argued that we cannot fix
the consumer cybersecurity problem by getting people to “nerd better.” Instead,
we need to put policies in place that incentivize companies to think about
security instead of just “quickness to market,” according to Betsy Cooper, the
Executive Director of UC Berkeley’s Center for Long-Term Cybersecurity.
10. Diversity matters.
A refrain spoken throughout the day was, “this doesn’t feel like a typical
cybersecurity conference.” It didn’t look like one either. The broad
range of people present among the audience and speakers alike fostered rich and
unique conversations, demonstrating precisely the same fact that presenters
emphasized throughout the day: diverse teams generate better thinking.
Moreover, broadening the image of who belongs in cybersecurity also allows the
industry to tap into larger talent pools, and to quote Endgame’s Nate Fick in
his opening statement at the conference, “the arc of great talent bends towards
diversity.”