Introducing Cyberspectives, a new podcast analyzing the cyber issues of today with host John Villasenor.
In the inaugural episode, guest Andrew Grotto provides analysis on a broad range of cyber issues, including questions regarding areas of cyber most in need of national level attention, aspects of cyber that are underappreciated, emerging opportunities in the commercial cybersecurity sector, and how the academic community can best contribute to the cyber policy dialog.
About the guest:
Andrew Grotto is a William J. Perry International Security Fellow at the Center for International Security and Cooperation and a Research Fellow at the Hoover Institution, both at Stanford University. Before coming to Stanford, Grotto was the Senior Director for Cybersecurity Policy at the White House in both the Obama and Trump Administrations. Prior to that, he was Senior Advisor for Technology Policy to Commerce Secretary Penny Pritzker.
(the text below has been condensed and edited for clarity)
Is there anything less obvious that you'd say about aspects of cyber that you think are particularly deserving of national level attention—other than the obvious such as protecting critical infrastructure?
To me, one issue that really jumps out at me based on my experience, is I think there's a lot of open questions around the appropriate allocation of responsibility between the government and the private sector for defending against cybersecurity threats, and so I'll use an analogy from the physical world: we would never expect in a million years the operator of a power plant to defend a plant against a North Korean ballistic missile. That mission is squarely the government's job.
And, the cyber analog to that, though, is a little tricky because if North Korea conducted a highly sophisticated cyberattack against a plant, we might say, “Okay, yeah, maybe it's unreasonable for the plant to be able to defend against that kind of sophisticated attack.” But, what if it was just a criminal group, a domestic criminal operator who happened to come up with a sophisticated attack? Does it matter that the identity of the perpetrator was a nation state vs. some ambitious vandal?
And then, on the opposite end of the spectrum, if North Korea were to send in a lone agent to break into the power plant and sabotage it, and the sabotage caused catastrophic power outages and damages to the economy and loss of life, obviously, that's still a national security matter for the government to devote resources to both preventing and remedying, but we would also have a lot of questions about whether or not the power plant operator did its job. We would want to know, "Okay, so did you have perimeter security? Did you lock the front door? Why was your security vulnerable to such a single point of failure?"
So there's a blended responsibility. And, I don't think that that line is clear in the cyber context because a nation state adversary could use a relatively low-end, even unsophisticated attack to conduct an attack with national security implications, partly owing to the fact that it was a nation state that did it. In that case, it's a national security issue.
So you're saying that this sort of allocation, it's easy to come up with the extreme ends of the spectrum. But, most of the stuff that we actually encounter in terms of cyber challenges is going to be somewhere in the less clear middle ground, and you're saying that allocation of responsibility is hard, and I think that's a terrific point. The other thing I wanted to briefly reflect on is: You made a really important comment. You stated, correctly, of course, it's clear that there's a lot of energy spent responding to crises, cyber crisis of one form or the other. My question in response to that observation is, is that also a risk? It's a risk in any domain, but is it a particular risk in this domain that our energies understandably get directed towards solving crises, but in doing that, we then fail to sort of take a step back and look at the big picture and take some of the steps that could make some of these crises not happen in the first place?
Yeah, it is a challenge, and I think if I could pick a point of optimism here: it's that part of the reason why, I hope, why crises consumed so much bandwidth during my time in government is because oftentimes these crises presented matters of first impression for decision makers, especially the time when the broader cyber mission space was evolving within and across different agencies of the government. It meant that getting decisions made on cyber questions just took a lot more time, energy and resources than they might take in other domains.
So, my point of optimism is that as the government develops some muscle memory around how to deal with policy challenges in the cyber context, those decision costs will start to come down. They may still be high relative to other domains, but they hopefully won't be quite as high as I thought they were, at least, during my time.
Are there any areas of cyber that you think are particularly underappreciated, in other words, that aren't getting the attention they deserve in light of their potential importance?
I mentioned the allocation of responsibility question for critical infrastructure. That's one. I'll offer two additional ones. The first is a lack of really reliable data around the cost of cyber incidents. There are various studies out there on what a data breach costs. What we're seeing more and more is scholars and statisticians pulling some pretty divergent conclusions from this data, which says something about the data.
So, I think that's an area where I would like to see a lot more scholarly attention and focus by industry and government, because I think if we can generate better data about the cost of cyber incidents, it will help enterprises across the country manage their risk more effectively, and then potentially even create a more vibrant insurance market.
And then the other area that [needs] more attention is sort of what I call third-country issues and offensive cyber operations. In a cyber context, that identity relationship between the physical location of the adversary and the target, as it were, the physical target, isn't in place, so, an adversary may be in country A operating malicious cyber infrastructure in country B, and so, an operation against that adversary in country A may actually have to take place in country B, which may or may not have anything to do with whatever conflict the US government or pick-your-government has with country A. So, that was a third country in the mix that creates, I think, some challenging policy and legal questions.
And I would assume that's not only the exception. That's likely, more often than not, going to be the case, right? If you're an attacker, the last thing you want to do is, you know, make it obvious where the attack's coming from, so I would assume one of the first things you're going to do is to try to launch it from somewhere that at least tries to mask your identity, right?
Right, and one of the unfortunate twists here is that our adversaries are also very familiar with US surveillance law and constitutional protections here domestically, so what adversaries will do is they will purposefully compromise infrastructure in the United States and use that infrastructure as part of their attack infrastructure because they know that, in a way, in a practical matter, it's harder for the US government to operate domestically against a national security threat such as that than it is if that same infrastructure were in a third country, because we would need probably cause and satisfy legal requirements that just aren't the same if we're operating overseas.
Let me ask another question, and this is the one where anybody who's a venture capitalist should be particularly interested in your answer here, or a startup company: Obviously, there's an enormous commercial sector devoted towards cyber solutions of all shapes and sizes. The question is, while that's a large sector, it's less clear that it's covering all the bases. Are there any obvious gaps in the types of solutions you see reflected in today's commercial offerings? If you were going to leave the academic/policy world and start a cybersecurity company, is there a particular sector of cybersecurity that you think is ripe for better solutions commercially?
I think any technology that can do what a human does in cybersecurity more efficiently and more effectively has huge potential because time and time again, the critical shortage in enterprise, whether it's the federal government or in private companies, is human capital, the need for people to do IT and solutions that can perform, can automate these tasks, I think, have huge potential in the future. I think IoT cybersecurity is, I think, a massive opportunity, how to both build efficient solutions into products, but also how to retrofit products that have bad security with more effective security. I think that's a huge market.
For people in the academic community, on the cyber policy side, again, putting the obvious aside: is there anything that you see as a particularly ripe avenue for people in the academic policy world to contribute to help move the dialog forward on cyber issues?
Yeah, so on the sort of policy side specifically, I would say, one area is data on cost of incidents, on the behavior of enterprises in the face of uncertainty around cyber risk. I think there's a huge need and opportunity for doctoral students looking for dissertations to delve into some of these empirical questions about measurement and whatnot.
I would love to see more psychologists in the cybersecurity business. If you look at studies of how adversaries break into enterprises and organizations, they're almost, for the most part, exploiting human weaknesses. There's this spearfishing, right, that, things like that, and getting a better handle on how to make people, whether they're IT professionals or just users of IT, you know, either less vulnerable or effective at fending off attacks, I think there's a huge need and maybe some fascinating questions of psychology there.
And then, I think, a need for management scientists, organizational scientists, to start to unpack how businesses and governments and businesses both within sectors and across sectors can collaborate on common challenges and better characterizing, “What can we learn from history about the ability of like-minded or similarly-situated institutions to tackle complex management” because managing cybersecurity risks is ultimately a management challenge for enterprise, tackling a complicated management challenge like cybersecurity.