By Christopher Folk
(Re-published from Crossroads: Cybersecurity Law & Policy | Jan. 26, 2017) The Center for Strategic and International Studies (CSIS) produced cybersecurity recommendations in December 2008 for the 44th presidency (CSIS-44) and built on that to produce a report in January of 2017 for the 45th Presidency (CSIS-45). What follows is a short comparison of the two reports …
CSIS-44 touted increase use of private-public partnership and the various benefits that could be derived therefrom. CSIS-45 recognizes the cold hard reality that those partnerships simply failed to materialize and that delivered very little (if any) value to our cybersecurity posture. CSIS-45 goes so far as to say that this type of approach that “encourages” cooperation is doomed to fail since it neither mirrors market realities nor is there any “stick” (i.e., the private sector will only act if market forces dictate action or if action is mandated via regulations, etc.)
Another lesson learned from CSIS-44 was the attempt to focus on authentication and digital identities. CSIS-45 acknowledges that programs such as the National Strategy for Trusted Identities in Cyberspace (NSTIC) were grandiose in vision and lackluster in practice.
One other area covered here is the need for a national data breach policy. CSIS-45 postulates that a federal data breach policy will enhance security since entities will understand their requirements and the policies and procedures they must implement.
Take-away: Ideas and vision are wonderful; however, if there is no mechanism for regulation or enforcement, they are unlikely to come to fruition. Thus, the Trump Administration needs to recognize the bounds and limits of its influence and work with (rather than against) the legislative branch to effect the best possible outcomes.
With respect to the national data breach legislation, I agree that is important; however, I don’t think it is as significant a cybersecurity issue as CSIS-45 postulates. Not everything that moves from the state level to the federal is wiser or more efficient. In some respects, states and localities may have more flexible and tailored data breach notification rules than trying to create a one-size-fits-all. A single standard would certainly be easier, but it is not clear how data breach notification rules applied federally will in and of itself create a higher level of cybersecurity. For instance, what if a locale currently has a very strident data breach policy and the federal policy is less stringent. In such a case, wouldn’t the result be decreased cybersecurity?
CSIS-45 includes several paragraphs on encryption and discusses the need to balance the national security implications of privacy, security, and innovation. One would have thought that the various issues surrounding the infamous “clipper chip,” coupled with the FBI/iPhone “All Writs Act” court case, would have made encryption a more prominent topic in CSIS-45 and would have warranted at least a mention in CSIS-44. With respect to breaches and exfiltration of PII, one could argue that encryption is at the very heart of any discussion; however, interestingly enough while some specific vulnerabilities are raised, scant attention is paid to this.
What CSIS-45 does say is that private-sector encryption should be encouraged but should also include private-sector cooperation to ensure that lawful access to encrypted data can be achieved. Hopefully, efforts in this area also will include an independent party that is able to make a neutral and detached decision regarding whether or not data can be unencrypted in a lawful manner. Furthermore, it will be essential to ensure that the tools to effect this do not use the proverbial back-door approach, since the government does not seem to be particularly adept at preventing the exfiltration of tools and software that it utilizes (for instance, consider recent tools that made their way into the public market, as well as the Snowden revelations).
Take-away: Merely saying that you need to balance privacy, liberty, and security does nothing to ease the misgivings of privacy crusaders, tech companies, and First Amendment supporters. Stating that encryption should include a mechanism by which a lawful process can decrypt data strikes fear in the hearts of many. For one, there has been no proposal as to “who” can make such a determination—would it be the judiciary? Additionally, who would retain the technological capability of decryption? If the private companies or the industry has this, then who will safeguard it? How will the use of decryption be monitored, logged, and accounted for? What happens when a new authoritarian figure takes office with the support of a willing and able legislature and is able to define “what” they can access and decrypt? How much liberty and privacy should we sacrifice for our security?
The Cloud & the Internet of Things
While CSIS-45 specifically discusses both increased use of cloud devices as well as the proliferation of Internet of Things (IoT) devices and then goes on to say that any strategy must be fluid in order to accommodate the rapid pace of technological change, this approach seems rather narrowly focused. While it is easy to view the movement to the cloud and the advent of IoT as disruptive technologies that require a revised strategy, that isn’t the case. Networked storage is not a new phenomenon, nor is software-as-a-service (SAAS); taken together and coupled with centralized provider services, this is more evolutionary than revolutionary. The underlying strategy, if purpose-built to discuss data and Personally Identifiable Information (PII), should be largely unchanged irrespective of the underlying technology or architecture. Similarly, with respect to IoT, this is more so an issue of scale versus some revolutionary new technology. Neither the intended uses nor the ubiquity of IoT devices should impact a comprehensive cybersecurity strategy.
Take-away: CSIS-45 states that the growing number of IoT devices will result in an immense number of connected devices and then proposes implementing a rating system similar to the NHTSA crash test system. With the exponential growth in IoT devices, how would such a system be managed? The overhead and administrative burden of operating a program to rate IoT devices would be mind-boggling. Further, with the rate of technological change and both software and hardware updates, this system would be impossible at the very least and unwieldy and unworkable at the very best. Once again, the problem is one of focus—looking at the device and the perimeter vs. what really matters: PII.
Offensive Cyber Operations
CSIS-44 devotes a fairly large section to a discussion of the use of the military and developing appropriate response thresholds, whereas CSIS-45 merely talks about identifying the split of responsibility along the military and civilian spectrum to ensure that no issues arise with respect to use of forces barred from domestic response during a cyber event. CSIS-45 thus recommends strengthening the US Department of Homeland Security (DHS) and simultaneously building capabilities within the National Guard and Reserves, either of which could be rapidly deployed to the states until Title 32 or Title 10/50 (this would have the added benefit of creating citizen-soldiers with expertise in cyber operations).
Take-away: CSIS-45 should likely be viewed in the context of CSIS-44, which provides a wealth of additional background and delves deeper into the concepts of necessity and proportionality (without ever spelling them out). Ultimately, however, the issue will continue to arise where one force is deployed and tasked with monitoring and defensive operations and a separate force conducts offensive cyber or kinetic operations (especially in the case of cyber events initiated by nation states). What this issue really comes down to, and what really needs to be extrapolated, is the attribution element. The ability to confuse, inveigle, and obfuscate renders the question of cyber or kinetic offensive operations somewhat moot, which also raises the issue of asymmetry (a topic best left for a separate post).
CSIS-44 and CSIS-45 both allude to the fact that an effective cybersecurity strategy is going to require clear leadership with well-defined authority, preferably flowing directly from POTUS to a highly-placed official with operational control over the moving pieces. Here, CSIS-45 builds on CSIS-44 and states that DHS could continue to be the lead on this if the (1) the DHS Cyber Mission is fully defined; (2) Cybersecurity is put into an independent operational component of DHS; and (3) supporting agencies are strengthened and given key roles (e.g. State, FBI, Commerce, national intelligence agencies).
Take-away: the recommendations from CSIS-44 were never followed, so we do not have a single lead-agency with the requisite power to manage cyber operations across the landscape. The report doesn’t specifically call this out, but the OPM data breach, the Sony hack, and the IRS hacks all point to a rather poor cybersecurity posture using the weak-DHS model. In CSIS-45 it almost seems as though the authors have accepted the way things are and are pushing for modest, incremental change. However, if creating a standalone cybersecurity model (such as other nations are doing) is the best, most efficient approach, shouldn’t CSIS-45 continue to advocate for that? A kind of “shoot for the stars and reach the moon” approach vs. CSIS-45’s poor me approach.
In this area CSIS-44 and CSIS-45 both advocate for training and education to develop a cybersecurity workforce. CSIS-44 may not have been dire enough in its prediction of the number of skilled cybersecurity professionals that were going to be needed. CSIS-45 pays a little more heed to this but still discusses it at a very high level. With all of the rhetoric over the past several months about college tuition and the need for a skilled workforce and the need to build and re-build private-public partnerships, it seems as though a key opportunity has been missed by CSIS-45. The obvious truth is that the supply of cybersecurity professionals has been outstripped by demand by a very large factor. Thus, this problem impacts the private and public sector alike.
Take-away: it might be best to use a workforce shortage to create a long-term supply reaching all the way down to the elementary level, targeting persons whose inherent skills and aptitude make them ideal candidates for a cyber career path. Private industry could help defray the costs of training and education, with the benefit of a skilled worker at a reduced rate of pay for a specified duration. Credits could also be given for the training expense incurred by persons that enter the public vs. the private sector—thereby strengthening the public/private relationship and creating a long-term solution to a specific need. This effort would also create the infrastructure needed to develop similar pipelines for other skills, thus allowing some level of career pre-determination (several eerie science fiction movies have been based on similar premises!)
In many respects, CSIS-45 builds upon what was crafted and delivered in CSIS-44. Little of what is in it is revolutionary, and it is largely just an extension of the CSIS-44 principles. However, taken together these recommendations could serve to bolster US cybersecurity. The key will be to get the White House and Congress to acknowledge the scope of these issues and to devote the necessary time and resources to both short and long-term solutions. The development of a workforce that targets elementary age children puts the horizon out several presidential terms, which dictates that action should be taken in conjunction with congress rather than simply via presidential fiat.
Christopher Folk is a candidate (2017) for both a master’s in Forensic Science and Technology (Syracuse University) and a Juris Doctor degree (SU Law). Also a software engineer, Folk’s legal externship is with Chertoff Group company Delta Risk, where he focuses on legal and policy analysis pertaining to US and International cyber law.
 It is interesting to note that the CSIS-45 report has an entire section on previous attempts to model government after the private sector and building in the typical C-Suite executives (CTO/CISO/CIO) and how this has been ineffective since C-Suite positions lack real authority and thus pushing a private sector organizational model into the public sector falls short. Since this dialogue was lacking in the CSIS-44 report, one can only wonder that if a non-business person was assuming the helm, then language dictating the pitfalls of trying to apply a private-sector business organization to the government model would have been included?
 With obvious trade-offs and incentives within each. For instance, the lure of an NSA job may be using and developing cutting-edge tools and access to some fascinating technology contrasted with the public sector, which can offer more financial incentives than the public sector.