Building a Cybersecurity Roadmap: Developing America’s Edge

Recently the Lab sent member Aaron Alva to Washington DC (from one Washington to another!) to attend a cybersecurity event co-hosted by the Center for National Policy and the Christian Science Monitor. The event included a Q&A with the White House cybersecurity coordinator Michael Daniel, and a panel with experts including DEF CON founder Jeff Moss.

In the below post, Aaron highlights key takeaways from the event, specifically from the White House coordinator.

Mr. Daniel shared a few key areas that will be important to our nation’s cybersecurity progress in the future:

  1. Cybersecurity is a hard policy problem;
  2. the cybersecurity workforce needs to grow—in numbers, skills, and disciplines;
  3. the White House will attempt piecemeal legislation for cybersecurity since wholesale bills haven’t worked; and
  4. the National Institute of Standards and Technology (NIST) Cybersecurity Framework, while voluntary, is important and will be emphasized by the White House.

Mr. Daniel had some insightful comments on cybersecurity as a policy issue. He noted that cybersecurity is emerging as one of the defining policy challenges for the 21st century, yet it is not obvious why cybersecurity is such a difficult problem. Cybersecurity could be an easy problem. It could be ensuring that everyone patches vulnerabilities so that intruders cannot get into systems. But, taking a step back, cybersecurity is difficult because it cuts across social, private, and public lives. Mr. Daniel asserted that cybersecurity is not merely a technical problem—it is also an economic, political, and human behavior problem. It is a “wicked problem.” It is a problem that will take a wide variety of disciplines to help solve.

Second, Mr. Daniel emphasized the need for a cybersecurity workforce. His idea of a cybersecurity workforce encompasses two main themes—size and diversity of skills. Mr. Daniel noted that the workforce needs to be much bigger. He referenced government initiatives to increase workforce size. These initiatives include increasing the number of university Centers of Excellence in Information Assurance (UW is a Center of Excellence in Academics & Research). They also include growing the NSF CyberCorps scholarship program (of which I am a recipient). Mr. Daniel also described the need for more diverse skills for the cybersecurity workforce. He referenced the National Initiative for Cybersecurity Education (NICE initiative), which has developed a heatmap of cybersecurity roles necessary for a robust workforce. He noted that cybersecurity careers need to include individuals who understand how cybersecurity interacts with industries, businesses, and the law.

Third, the White House cyber czar briefly described his role as coordinator, and his new approach to cybersecurity legislation. He described his role is as a soft power in the White House. His goal is to align policy within the government bureaucracy. Mr. Daniel asserted that cyber is too big to put one person in charge, and the more appropriate role for the White House cyber coordinator is to get various agencies to coordinate.

Mr. Daniel also emphasized the need for cybersecurity legislation, and that legislation was long overdue. He stated that the White House will try a new approach. The White House will work to pass pieces of cybersecurity legislation however possible. The new piecemeal approach is in contrast to the typical approach of attempting to pass cybersecurity legislation all within a single bill.

Fourth, Mr. Daniel discussed the NIST Cybersecurity Framework. The Framework was developed by NIST by direction of an Executive Order from the White House. The Framework emphasizes that organizations should use risk management practices for cybersecurity through five categories. Organizations should Identify assets to secure; Protect those assets in a manner consistent with risks; Detect attacks; Respond efficiently after an incident to mitigate harm; and Recover from an incident.

Mr. Daniel believes that the Framework should be voluntary, but stressed that the US has a long history of effective voluntary standards. He noted that ultimately market forces will push the Framework forward. In a number of questions, Mr. Daniel referred back to the Framework’s main categories to emphasize the need for organizations to use risk management practices to deal with cybersecurity issues.

Finally, as part of the Q&A, I had the opportunity to ask Mr. Daniel a question. I asked what can be done to change the conversation from fear of being breached to one more realistically tailored to the fact that breaches will occur. I referenced recent headline breaches of Target, JPMorgan Chase, Home Depot, and others. I noted that these headlines primarily focused on the incident itself, rather than what the companies did in response to being attacked. His answer was telling, and I think he was correct. Mr. Daniel used the NIST Cybersecurity Framework to illustrate that there’s a missing part to the conversation. “But what [the NIST Cybersecurity Framework] is really saying is you got to actually figure out what information you have that you care about, and why do you care about it? What do you actually want to protect it from? Is it exposure at all? Or is it that you want to protect it from manipulation, that’s your greatest concern. And so that starts to define how you think about it and how you protect it, which is that second step.” See the full exchange here.
Aaron 2
In conclusion, the White House cybersecurity coordinator provided helpful insights into the executive branch’s approach to cybersecurity. Mr. Daniel’s emphasis on the policy challenges, workforce needs, legislation, and risk management practices show a White House that desires to engage on a number of cybersecurity issues. Mr. Daniel remained optimistic that progress can be made on these issues, and that itself was welcomed news to the DC audience.



Robot Research at Winter Scholars’ Studio

Spotlight on Tech Policy Lab Scholar Bryce Newell

The Tech Policy Lab is lucky enough to host half a dozen wonderful student scholars from four departments across campus.  Today we wanted to highlight the work of Bryce Clayton Newell , a Ph.D. Candidate at the University of Washington’s Information School.  Bryce’s research focuses on the use of emerging technology by law enforcement and the tension between privacy, free speech, and open access to information.  His ongoing and future work looks at these issues in the contexts of policing, public disclosure laws, and undocumented immigration.  Bryce has several pieces of scholarship being published in the next few months, and is producing and directing a documentary film on immigration.

We asked him what first started him down this line of research:

“My current research agenda began to take shape while taking a class in Criminal Procedure in law school about 5 years ago. That experience spurred a strong interest within me to understand Fourth Amendment law and the role that constitutional criminal procedure plays in structuring the relationship between a state and its citizens.  As my research has developed over the years, I have become more and more interested in how empirical research and political and legal theory can be combined to create more coherent information policy.”

Below are a few of the many pieces Bryce has coming out this year.

In The Massive Metadata Machine: Liberty, Power, and Secret Mass Surveillance in the U.S. and Europe (forthcoming in I/S: A Journal of Law and Policy for the Information Society), Bryce explores the relationship between liberty and security implicated by secret government mass surveillance programs, drawing on legal cases where parties have challenged secret government surveillance programs on constitutional or human rights grounds in the US and Europe. Citizens recording police has become increasingly common in recent years. Citizen media can have a substantial impact on policing and police image management – and thus effect public perceptions of police legitimacy. On the other hand, police departments are increasingly utilizing sophisticated visual surveillance technologies, such as officer-mounted wearable cameras, to document police-citizen encounters.

In Crossing Lenses: Policing’s New Visibility and the Role of ‘Smartphone Journalism’ as a Form of Freedom-Preserving Reciprocal Surveillance (forthcoming in the University of Illinois Journal of Law, Technology & Policy) Bryce examines the role that citizen media should play as a liberty-preserving form of reciprocal surveillance, what forms of respect ought to be owed by camera-wielding citizens, and what moral and legal obligations citizen journalists may or may not have to wiretapping laws.

In Local Law Enforcement Jumps on the Big Data Bandwagon: Automated License Plate Recognition Systems, Information Privacy, and Access to Government Information (forthcoming in the Maine Law Review), Bryce presents his findings from an empirical analysis of more than 1.7 million license plate scans by the Seattle Police Department between December 2012 and March 2013. In this context, the more recognizable tensions between protecting privacy and ensuring efficacious policing are compounded by a direct tension between privacy interests and freedom of information and citizen oversight – as an important form of freedom-preserving reciprocal surveillance.

After Edward Snowden leaked classified intelligence records to the press in June 2013, government metadata surveillance programs – and the risk that large-scale metadata collection poses to personal information privacy – has taken center stage in domestic and international debates about privacy and the appropriate role of government. In this paper, Me, My Metadata, and the NSA: Privacy and Government Metadata Surveillance Programs (forthcoming in the 2014 iConference Proceedings) Bryce and his co-author Joe Tennis approach these questions by drawing upon theory and literature in both law and archival studies. They conclude that, because metadata surveillance can be highly intrusive to personal privacy and that certain types of metadata are inextricably linked with the records of our digitally mediated lives, legal distinctions that draw a line between communications “content” and metadata are inappropriate and insufficient to adequately protect personal privacy.

Libraries have long maintained strong protections for patron privacy and intellectual freedom. However, the increasing prevalence of sophisticated surveillance systems in public libraries potentially threatens these core library commitments. In The Panoptic Librarian: The Role of Video Surveillance in the Modern Public Library (also forthcoming in the 2014 iConference Proceedings), David Randall and Bryce present the findings of a qualitative case study examining why four libraries in the US and the UK installed video surveillance and how they manage these systems to balance safety and privacy. They examine the experience of these libraries, including one that later reversed course and completely removed all of its previously installed systems. They find that the libraries who install surveillance initially do so as either a response to specific incidents of crime or as part of the design of new buildings.