Are we all cyber-doomed?
Well, that’s a natural question to ask at this time. At which time, you ask? During unprecedented anxiety about whether our systems are vulnerable to foreign influence? Well, I was actually talking about during National Cybersecurity Awareness Month—a time when U.S. tech experts and novices alike are forced to confront our risks. And the truth is, it’s a pretty scary world out there. Between the astronomical rise of internet-enabled devices, concerns about election security, a new domain for global conflict, and seemingly irreconcilable workforce shortages, it’s certainly important to be aware of the problems facing policymakers, practitioners, and, well, all of us.
Yet as we spend our time documenting how the sky might be falling, it’s easy to miss all of the good work emerging across the cybersecurity community. These meaningful steps in the right direction, however small they may be, are beginning to establish a path toward a more reliable, secure, and private internet. Of course, in order for these early signs of progress to gain momentum, we first need to better understand the trends within cybersecurity.
In this two-part series, we’ve asked some of our top cybersecurity experts what they find most promising for the future of cybersecurity. Part I, below, focuses on issues facing governments, policymakers, and society at large. Part II, coming next week, considers strategies and options available to the private sector, consumers, and the whole of the cybersecurity industry. (And if you’re interested in international cybersecurity, check out our DigiChina blog, which provides expert translations and analysis of major Chinese laws, regulations, and policy documents.)
Managing Director, cyMars
During the past year, NATO declared cyberspace as a domain of operations. This marked one of the biggest policy shifts for the Western defense alliance. Many of our European allies are using NATO’s cyberspace policy development to invigorate their own internal cybersecurity policies and strategies. Over the next year it will be useful to keep an eye on how NATO implements its cyberspace policy. It’s likely that many NATO members will pattern their implementation based on the direction set by NATO.
Emefa Addo Agawu
Program Associate, New America
The past year saw increased attention to the critical role different levels of governments play in the nation’s cybersecurity posture. Conversations about the cybersecurity concerns of the 2016 election emphasized for a wider audience the key role states and localities—who administer U.S. elections—play in cybersecurity policy outcomes. This important role is the case across a number of cybersecurity policy issues, and hopefully this realization will lead to an even richer understanding of the federal, state, and local policy ecosystem in which cybersecurity policy decisions are made and implemented.
CEO and Co-Founder, Charles Bernard Ventures
U.S. government technology procurement is a slow and convoluted process, often driven by a four-letter acronym: LPTA (lowest price technically acceptable). LPTA does not mean best value or best product—the government may be spending less money, but it isn’t maximizing its ROI, and it definitely isn’t getting the best tech. When it comes to cybersecurity, this can translate to increased risk and, ironically, increased costs. That said, 2017 has made me hopeful: I have seen more best value awards than ever before. They’re still few and far between, but hopefully they represent a trend toward better tech and away from LPTA.
Senior Analyst for Cyber and East Asia, Flashpoint
The reemergence of Chinese advanced persistent threat (APT), which denotes a prolonged attack often initiated by a government or agency, in the last year betrays a growing sophistication, maturity, and division of labor in Chinese cyber forces. A continuing drop in Chinese APT following the Xi-Obama agreement has assuaged any notion that anyone other than the Communist Party, not-for-profit, or personal interest is commanding Chinese cyber forces. This development makes Chinese forces more dangerous in the long term, but it also creates a firm expectation that forces are acting under state control. This is foundational in both holding Chinese leadership accountable and pressuring it to abide by norms of responsible behavior in cyberspace.
Cybersecurity Policy Fellow, New America
The South African government revised its proposed cybercrime bill in response to pushback from civil society and other actors for the way the bill proposed handling, among other things, computer-related terrorist activity, copyright offenses, and free speech. Although still containing problematic provisions, it’s generally seen as an improvement over the original 2015 draft. This event shows that advocacy around cybercrime can be effective, even as developing and emerging states view cyber laws as an important tool of state power.
Academy Professor and Director of International Relations, U.S. Military Academy
The experimentation with and maturing of public-private partnerships has the potential to offer a whole-of-nation approach to creating a more secure cyberspace. The public and private sectors must continue to find ways to overcome collective action and trust issues between and among each group, while also clarifying areas where public and private sector actors can focus their energy and resources to maximize the capabilities and efficiencies of each—leading to greater collective security.
Fellow, Harvard University Belfer Center’s Cybersecurity Project
I have hope because many of the problems we find so pernicious in cybersecurity were made, and thus can be unmade, by people. Making improvements with great speed, scale, or architectural depth remains a challenge, but in the last year there appears to be less weight given to magic blinking boxes and more given to what people can do for security. I’m hopeful that will continue.
Assistant Professor, University of Tampa
I think cyber competition among nations is becoming more and more prevalent. The attributing factors that shape hacktivism may need some attention due to a dearth of research in this area. Other than the technological perspective, we may want to look into the cultural and social dimensions that motivate hacking into a foreign nation’s critical infrastructure, a move that eventually triggers “cyberwarfare.”
Assistant Professor, University of Albany
The rise of embedded computers in everything from pacemakers to driverless cars to “smart cities” will vastly increase the consequences of cyber attacks. Attacks on data integrity and data availability will be particularly challenging when they have physical and operational impacts. On the bright side, I’m hopeful that our increased reliance on these embedded computer systems may finally force us to come to grips with some tough questions about vulnerability, liability, and who bears the cost of insecure computing.
Associate Professor of Digital Forensics, Dakota State University
The focus on including more women in cybersecurity has given me hope for the future. Diversity is proven to produce better results, and we leave behind half the population when we don’t include women in the discussion. For many years I have been told that girls are “just not interested” in the field, though this is untrue because their demand is loud and clear. When we have opportunities for them at a young age, they create a life-long anchor to the field. We have to include, in particular, middle-school girls in the discussion if we want more women at the table in the future.
Strategist and Senior Fellow, New America
The French and German elections. While the 2016 U.S. election was a model for everything not to do about foreign cyberattacks and influence operations, France and Germany were targeted by the same actors and tactics, and yet weathered the storm. They set up intelligence operations and raised political party and media awareness, while social media companies shut down tens of thousands of Russian front accounts (versus the laughably small number in the United States, such as 201 at Twitter). What they actually did is the great U.S. “what if?”