
CHAPTER VII - RECOMMENDATION 3. Building a Trust Environment

The third and final set of recommendations focused on actions to address the continuing challenges posed by threats to cybersecurity and privacy. In introducing these recommendations, Aspen Institute Communications and Society Program Executive Director Charlie Firestone noted, with some understatement, that “cybersecurity is thorny.” In fact, it is a topic that has come up with some regularity in previous meetings without any definitive resolution.i

One could argue that the cybersecurity landscape has become progressively less secure over time, despite all the efforts to bolster it. Large-scale cyber-attacks seem to occur almost continuously. In 2016 alone, victims of major intrusions included the Department of Homeland Security, the Commission on Elections, Cox Communications, Apple Health Medicaid and, probably most notoriously, the Democratic National Committee, an attack that has been attributed to the Russian government. In mid-October, a massive distributed denial of service attack against the DNS provider Dyn, launched from a botnet of lightly protected connected devices such as webcams, digital video recorders and home routers, caused a widespread day-long disruption of online businesses such as Twitter and Spotify both in the U.S. and abroad. And just before Christmas 2016, Yahoo announced that a security breach that had occurred in 2013 had compromised personal information from more than one billion accounts, making it the largest breach to date and affecting twice as many accounts as a 2014 attack that it had reported earlier in the year.

The increase in the frequency and intensity of these incidents raises the specter of an even more disruptive event that causes so much damage that users (now almost all of us) become sufficiently scared that they avoid going online. In fact, just before the election, a report from the consulting firm Forrester predicted that the new President would likely face a major “cybercrisis” within the first hundred days of taking office. There are also separate reports that the U.S. has been developing plans for an offensive cyber counterstrike in the event of an attack on U.S. assets deemed serious enough to warrant retaliation. This would raise cyber conflict to a new level of intensity.

Looking farther ahead, it is possible to foresee even more dire challenges as the world of bits converges with the physical world, raising the prospect not simply of the hacking or theft of digital assets but the possibility of the disruption of connected devices ranging from implanted medical devices to autonomous vehicles.

The group recognized that in a post-Snowden world, security and privacy threats are no longer confined to just the tech sector but now reach virtually every individual and every sector of the economy. It also noted that as U.S. industry “locks itself down” with end-to-end encryption to defend against cyber threats, it runs the risk of isolating itself globally, while the government could lose access to information important for national security. This conflict is graphically illustrated by the FBI’s struggle to get Apple to unlock the iPhone that belonged to the shooter in San Bernardino.

Events like this suggest a substantial divergence between the perspectives of the public and private sectors toward security. The Aspen group saw an urgent need to find ways of rebuilding trust between industry and the U.S. government, which will require an unprecedented level of openness and collaboration on the part of government as well as the private sector. Some efforts, such as those dealing with topics like encryption, may require multi-lateral consensus-building internationally. The goal for all parties is to build a “trust environment” that will allow all users to feel safe in accessing online resources.

The Aspen recommendations focused on improving both cybersecurity and privacy. The group identified actions that the government should take—particularly steps to clarify potentially conflicting roles and identify both gaps and redundancies—and initiatives within the private sector. It also addressed “the government/industry interface,” which includes opportunities for more effective cooperation between the two sectors.

In addressing these two issues, the group acknowledged the widespread perception that they are in tension: that improving security inevitably comes at the expense of privacy. Some questioned the accuracy of this perception. For example, Marjory Blumenthal of RAND proposed that “strengthening security is necessary but not sufficient for protecting privacy,” but that from a practical point of view the two issues should be addressed separately.

Cybersecurity. There is a long history of attempts to develop effective responses to security challenges that includes both public and private sector initiatives (see sidebar).

Public and Private Sector Cybersecurity Initiatives

The “Rainbow Series.” In the 1980s and 1990s, the National Computer Security Center, which is part of the NSA, issued a series of guides that defined criteria for evaluating and certifying “trusted systems,” initially for Department of Defense procurement and, by extension, for the commercial vendors that supplied it. The Rainbow Series (so called because of the different colors of the documents’ covers) included “The Orange Book” (the Trusted Computer System Evaluation Criteria, or TCSEC), which contained evaluation criteria for computer systems, and “The Red Book,” which interpreted those criteria for trusted networks. Unfortunately, the criteria did not work well in practice: the highest class (A1, which required a formally verified design) was attained by only a handful of systems, and even the lower classes were difficult and slow to meet.

Common Criteria. The Rainbow Series has been largely supplanted by the Common Criteria (CC, standardized as ISO/IEC 15408), an international standard for computer security certification. The criteria enable vendors to have the security claims for their products evaluated and certified under a standardized process. Certification does not guarantee security; it attests that the claims a vendor makes in its Security Target, evaluated to a stated Evaluation Assurance Level (EAL), have been independently verified. A certified product is therefore only as secure as the scope of the claims it was evaluated against.

In participating countries, CC evaluations are performed by government-approved testing laboratories. In the U.S., the scheme is overseen by the National Information Assurance Partnership (NIAP), and Common Criteria Testing Laboratories are accredited through the National Institute of Standards and Technology (NIST) National Voluntary Laboratory Accreditation Program. To date, more than 1,000 products are CC certified, including biometric systems, databases, smart cards, operating systems and trusted computing devices. See https://www.commoncriteriaportal.org.

PPD-41. In July 2016, President Obama released a Presidential Policy Directive (PPD) on United States Cyber Incident Coordination. The directive was designed to improve coordination of government responses to “significant” cyber incidents. The PPD assigned lead roles to the Department of Justice (acting through the FBI) for threat response, that is, investigating and attributing attacks; to the Department of Homeland Security for asset response, that is, helping affected entities protect and recover their systems; and to the Office of the Director of National Intelligence for intelligence support. The directive also codifies a severity schema (levels 0 to 5) to rate the seriousness of an incident and establishes a Cyber Unified Coordination Group to ensure that responses to significant incidents are properly coordinated. See https://www.whitehouse.gov/the-press-office/2016/07/26/presidential-policy-directive-united-states-cyber-incident.

There are also several non-governmental technical groups in the U.S. that could contribute to defining and promoting good security practices:

CA/B. The CA/Browser Forum, founded in 2005, is a voluntary group of certification authorities (CAs), vendors of Internet browsers, and others. The CA/B Forum does not issue certificates itself; it publishes the Baseline Requirements and Extended Validation Guidelines that govern how its member CAs issue and manage the certificates used to verify the identity of Internet domain owners, and it supports efforts to improve the security of Internet users. See https://cabforum.org.

NANOG. The North American Network Operators Group is a professional membership organization for Internet engineering, architecture and operations. Members include carriers, content providers, hosting and cloud companies, data centers and interconnection service providers. The group’s goal is to improve “the technologies, practices and facilities that make the Internet function,” which includes improving security. See https://www.nanog.org.

BITAG. The Broadband Internet Technical Advisory Group provides a forum for discussing technical issues related to the operation of the Internet. The group takes up issues in response to a member or non-member request or in response to a request from a government agency such as the FCC. In June, 2016, the group announced that it was initiating a study of privacy and security issues related to the Internet of Things. See https://bitag.org.

In some areas, the private sector can and should take the lead. Industry groups such as the CA/B Forum, NANOG and BITAG could identify and promote best practices for cybersecurity and support their implementation by their member organizations and beyond. The 2016 Aspen participants suggested one specific strategy for improving security that has been proposed for many years: develop a “UL-like” rating for digital devices, software or networks that can convey their security quality in a relatively straightforward way.ii One obvious candidate for this kind of certification is the rapidly growing number of consumer-oriented connected smart home devices, such as webcams and thermostats, that are known to be highly vulnerable to outside attack.

However, participants noted that the UL model is not a perfect fit for cybersecurity. One major issue is the money and time required to get a digital product certified, especially since certification is typically granted only for a specific version of a hardware or software product, and any change introduced in a new version, however minor, typically requires re-certification. Secondly, no certification can provide complete assurance of security. It can only attest that a product conforms to a specified set of security requirements under an assumed set of circumstances, and those assumptions may not anticipate every threat. (In fact, attackers routinely exploit previously unknown vulnerabilities that, by definition, could not have been subject to prior testing and certification.)

While the private sector has an important role to play, the government has unique capabilities that it can bring to bear such as diplomatic measures or economic sanctions. Determining the appropriate role that government should play in dealing with cybersecurity issues will depend on an assessment of the magnitude of the threat in terms of its probability versus the scale of the consequences. Most serious would be state-sponsored attacks that could be the equivalent of acts of war. Other threats that might demand different types of responses include lower level attacks originated or sponsored by foreign governments, cyber threats or terrorism from non-state actors, industrial espionage from unknown sources, or economically motivated actions such as cyber fraud.

The recent Presidential Policy Directive (PPD-41, see sidebar above) represents a useful step toward improving coordination of responses to cyber attacks within the Executive Branch. But mobilizing an effective governmental response to cybersecurity threats remains challenging. One problem is a fragmentation of responsibility in both the executive and legislative branches. In the House of Representatives, for example, at least five different committees have some responsibility for security and privacy issues, and for some of them, particularly the smaller committees, these issues are typically a low priority.

More also needs to be done to coordinate public and private responses. Companies want to know where they should focus their contributions, and the government could provide them with a framework to guide their decision making. And government may also have a legitimate role to play in helping companies that are attack victims when the risk is too great or the tools are too limited for them to retaliate on their own.

Participants recommended that the new Administration, along with Congress, should convene a blue-ribbon public-private group to map what key entities currently do and do not do, identify gaps, and recommend improvements to shore up security. This group should make recommendations for improvement in the structure of the government, including possible consolidation of responsibilities across agencies, to improve coordination of responses. In addition to looking at the role of the U.S. government, the group should also consider the roles of states and international bodies in cybersecurity.

Privacy. The reality is that consumers do not understand their exposure and the greater risks to their privacy that have resulted from the shift from comparatively secure and private channels of communication, such as traditional land line telephone networks and mail sent through the U.S. Postal Service, to the more efficient but more open and insecure world of the Internet and IP-based communications. We need better ways to inform consumers about their privacy risks and what they can do about them.

The participants called for creation of a unitary framework for privacy protection that is both comprehensive and comprehensible. A useful first step would be a call from the Administration or jointly from the FCC and the FTC for proposals for actions that could be taken to better protect privacy. Then, somewhat like the proposal for cybersecurity, a multi-stakeholder group (that includes members of Congress) should work through key issues and agree on a set of principles for a unified privacy protection framework.

ENDNOTES
i See for example, Richard Adler, Updating the Rules of the Digital Road: Privacy, Security and Intellectual Property, Report on the 2011 Aspen Institute Communications Policy Conference, 2012. Available online: https://www.aspeninstitute.org/publications/updating-rules-digital-road-privacy-security-intellecutal-property.
ii In 1991, a report on “Computers at Risk” was prepared by the System Security Study Committee of the National Research Council in response to a request from DARPA to help the U.S. “achieve a more trustworthy computing technology by the end of the century.” The report called for the creation of a comprehensive set of Generally Accepted System Security Principles. An appendix to the report describes several models for setting technical standards in other areas, one of which is Underwriters Laboratories (UL), established by the insurance industry to help it rate the hazards of new electrical technologies. The report notes that UL operates as “both a standard-setting and an evaluation organization, issuing its famous ‘Seal of Approval’ to equipment and components that meet its standards.” Computers at Risk: Safe Computing in the Information Age, National Academy Press, 1991. Available online: https://www.nap.edu/catalog/1581/computers-at-risk-safe-computing-in-the-information-age.