No Clear Strategy for U.S. Cybersecurity: 2016 Cyber Media Roundtable

CISAC co-director Amy Zegart (center) speaks during a simulated cybersecurity breach group exercise at the 2016 Cyber Media Roundtable at Stanford.

Despite growing consensus about the magnitude of cyber security threats, a clear strategy for securing the United States’ critical digital infrastructure has yet to be reached. This is partially due to the complexity of cyber security issues, which intersect computer science, law, policy, economics, public opinion, and ethics. In recent years, however, the Hoover Institution has helped scholarship and dialogue on cyber security to move forward by channeling the expertise of Hoover fellows, Stanford University, and Silicon Valley, as well as extending these resources to policy makers and the media.

Hoover’s Cyber Security Boot Camps, led by Hoover fellows Amy Zegart and Herbert Lin in partnership with Stanford University’s Cyber Policy Program and the Center for International Security and Cooperation (CISAC), are key components of these efforts. Past boot camps have assembled senior congressional staff from both sides of the aisle for expert briefings and discussions about the law, policy, and technology pertaining to cyber security. This year, Zegart and Lin shifted the program’s focus toward national media, partnering with Hoover’s public affairs team to host a cyber security-themed Media Roundtable.

Following the format of previous Media Roundtables, Hoover brought dozens of reporters from leading outlets such as the Wall Street Journal, Washington Post, and New York Times together with cyber policy and technology experts on May 16, 2016. The program featured presentations, interactive discussion, and thought-provoking exercises designed to aid reporters in understanding and communicating cyber security news and debates. The interactive atmosphere also helped strengthen lines of communication between the reporters, technology experts, and strategists tasked with making sense of the changing cyber security landscape.

Amy Zegart, Davies Family Senior Fellow at Hoover, introduced attendees to the unique challenges of crafting cyber security policy. Zegart discussed the exceptional vulnerability of powerful countries to cyber threats, consumer-driven connectivity as a factor that increases cyber risks, and the obstacles to protecting privately held cyber infrastructure at a time of acute mistrust of government.

John Villasenor, a professor of electrical engineering, public policy, and management; visiting professor of law at UCLA; and a national fellow at the Hoover Institution, introduced the technical challenges associated with cyber security. Villasenor discussed the irreversible growth of cyberspace as mobile connectivity proliferates and data storage costs plummet, the overwhelming complexity of cyber systems, and the startling capabilities of hackers in identifying and exploiting security weaknesses.

Herbert Lin, Hoover research fellow and senior research scholar for cyber security and policy at CISAC, applied his expertise to an often-overlooked topic in cyber security: the role of offensive cyber tactics. Where passive defenses such as network security or law enforcement fail, offensive measures can prove critical in disrupting or identifying the source of cyber security breaches. Lin also discussed the potential use of offensive cyber tactics against our adversaries without waiting for incoming attacks, which he likens to “punching” in cyberspace, rather than “punching back.”

Carey Nachenberg, a vice president and fellow at Symantec Corporation and prolific developer of cyber security technology, delivered a technical primer on cyber exploitation. Nachenberg described ways that design flaws, human error, and the sheer complexity of cyber systems create potential vulnerabilities. He also provided a step-by-step walkthrough of various tactics hackers use to exploit these weaknesses, including denial of service attacks, computer worms, and manipulating human agents.

Jack Goldsmith, senior fellow at Hoover and the Henry L. Shattuck Professor of Law at Harvard, discussed the complications of applying international law designed to address traditional uses of force to cyber hostilities. Goldsmith highlighted the problematic distinction between cyber attacks, which constitute illegal acts of international aggression, and exploitations, which constitute legal acts of espionage.

Elaine Korzak, a W. Glenn Campbell and Rita Ricardo-Campbell National Fellow at Hoover, reported on the evolving UN response to cyber security concerns. After decades of review, UN action on cyber law gained traction in 2014 with a milestone report recognizing the applicability of international law to cyberspace. A subsequent 2015 report recommended several cooperative steps on cyber security, although the proposed rules and norms rely on voluntary implementation.

The roundtable also featured interactive exercises to expand media perspectives on cyber issues, including a detailed simulation of a cyber security breach at a major web services company. Participants formed groups to address technical, legal, public relations, and other concerns related to the breach and presented their strategies to real-world private-sector cyber security experts. Hoover invited four other cyber security leaders to discuss what the media is getting right and wrong on cyber coverage and how reporters can develop stronger relationships with private sector sources.

The 2016 Cyber Media Roundtable covered a wide range of complex topics, and the engagement of participants signaled strong interest in internalizing the material. Discussion periods spilled into breaks, and participants asked penetrating questions characteristic of good reporting.

Reflecting on the outcomes of the event, Amy Zegart stated:

The media cyber boot camp was a great success—giving some of the nation’s top national security reporters a fast and deep dive into key cyber issues, developing broader networks of experts to help inform the public debate, and enabling candid conversation with industry leaders about what the press can do to improve coverage of cyber issues. Our vision is to hold a boot camp every year to educate a wide range of key policymakers and influencers—including congressional staff, federal judges, and the press.

Moving cyber policy forward will require continued attention to issues raised in the Media Roundtable. How can tensions between government and the private sector be eased to allow for greater cooperation? Can current international rules and norms be applied to cyber issues? To what extent do legal and ethical considerations permit “hacking back” or even hacking first? Where should reasonable expectations for cyber security be set in light of the overwhelming complexity of cyber systems?

As the larger policy community expands its focus on these and other key cyber security questions, Hoover’s ongoing research and outreach will help inform its answers.