Inaugural cyber boot camp brings congressional staffers to Silicon Valley

Beth Duff-Brown

Two-dozen congressional staffers joined academic and Silicon Valley experts at Stanford’s inaugural cybersecurity boot camp to discuss ways to protect the government, the public and industry from cyber attacks, network crimes and breaches of personal privacy.

The staffers listened to presentations from 25 business and technology leaders, as well as experts in privacy, civil liberties and intelligence during the three-day boot camp. They also took part in a role-playing exercise dealing with a cyber crisis, posing as staffers from the White House, Homeland Security, the State and Defense departments, as well as private enterprise.

The idea behind the workshop was to give Capitol Hill staffers the knowledge and contacts that will help them better craft legislation and policies on cybersecurity.

“We’re 3,000 miles away from Washington and we’re at ground zero for the tech revolution,” said CISAC Co-Director Amy Zegart. She is also the Davies Family Senior Fellow at the Hoover Institution, which co-sponsored the boot camp that that ran from Aug. 18-20.

“The boot camp is an important early step in what we envision to be a continuing, leading and lasting cyber program,” said Zegart, co-convener with Herbert Lin, chief scientist at the Computer Science and Telecommunications Board, National Research Council of the National Academies, who joins Stanford in January as a senior scholar for cyber research and policy at CISAC and research fellow at the Hoover Institution.

Zegart had three goals for the boot camp. One was to bring together computer and social scientists across campus and across the country “to broaden and deepen our cutting-edge scholarship.”

Then, from the networking that naturally took place, Zegart hopes to create a Track II cybersecurity council that will convene regularly with leaders from the U.S. government, scholars and key stakeholders from the private industry.

“And finally, we want enhanced education programs not only for students here at Stanford, but key stakeholders for cybersecurity policy,” she said.

The presentations were videotaped and will be packaged and used for educational purposes at Stanford and eventually be made public online.

Some of the staffers said the boot camp exceeded their expectations and they were grateful for the jam-packed, 72-hour crash course in all things cyber.

“What Stanford has done really successfully here is they brought together people from D.C. who wouldn’t necessarily talk to each other, from different committees, from different sides of the aisle,” said Jamil Jaffer, Republican chief counsel and senior advisor to the Senate Committee on Foreign Relations. “Then from the valley community they brought lawyers, educators and technologists – you name it – from across the spectrum in a way that I’ve never seen before.”

He said he hoped CISAC and the Hoover Institution, which co-sponsored the Stanford Congressional Cyber Boot Camp, would convene the next boot camp with the New York business community as well.

“I think there’s a real opportunity to build bridges between these three major cities; I think we need to have these conversations together,” he said.

Staffers also exchanged views about the wide gap between the government and Silicon Valley tech companies with regard to privacy when they met with senior security chiefs at Google during a visit to the nearby Google X campus.

And there were plenty of lively debates about Internet security vs. privacy and whether the government should step in to police public networks.

Benjamin Wittes of Brookings and Hoover faced off with Jennifer Granick, director of Civil Liberties at the Stanford Center for Internet and Society at the Law School.

“Liberty is a feature of security – and security is a feature of liberty,” Wittes said. “So the urge to think that any security measure is going to negatively impact your liberty, or conversely that anything that augments online liberty is going to have negative implications on security is a very easy, and I would say, very lazy instinct.”

Granick countered by saying most professionals in Silicon Valley do not trust the government to police the Internet without secret hacks. For example, documents leaked by former NSA contractor Edward Snowden indicated the National Security Agency tapped into fiber optic cables transmitting data for Yahoo and Google.

“Last night you heard Eric Schmidt say that the NSA had hacked Google,” she said, referring to a keynote dinner conversation between the Google chairman and former Secretary of State Condoleezza Rice, a professor at Stanford's Graduate School of Business and a senior fellow at Hoover and the Freeman Spogli Institute.

The NSA has denied hacking into Google and Yahoo.

“Everyone here in Silicon Valley agrees with what he says,” she said. “Don’t fool yourself that he’s just saying that because that’s just Google marketing. Everybody at Twitter believes it; everybody at Facebook believes it. I am embedded in the privacy world and we’re all worried about consumer privacy and what these companies are doing with this information – but that doesn’t mean we trust the government to protect us.”

Aside from the government trust debate, other big takeaways were that surprisingly little is secure on the Internet and the threat of cyber attacks against the United States is one of the biggest issues facing Washington policymakers today.

They heard a warning in stark and unambiguous language from Jane Holl Lute, president of the Council on CyberSecurity and a consulting professor at CISAC.

"It's no longer possible to ignore this issue," said Lute, who until last year was deputy secretary for the Department of Homeland Security, where she was responsible for the day-to-day management of the department's efforts to prevent terrorism and enhance security. "Life online is fundamentally unsafe.”

She emphasized that the Internet is about "the power to connect, not to protect" and stressed the importance of practicing "cyber hygiene" to reduce problems. This includes monitoring the hardware and software running on a network, limiting administrative permissions, and real-time patching and monitoring of system vulnerabilities.

If organizations would just follow these steps, she said, 80 to 90 percent of cyber attacks would be prevented.

"We know a lot, but we're just not doing it,” she said.

Lute emphasized that today's world has an "existential reliance" on the Internet – more than 3 billion people in the world, including 80 percent of North Americans, have access to the Internet. All of this dependence comes against the reality that many companies and sites do not carry out basic hygiene to protect their networks.

The U.S. Senate and House staffers attending the boot camp come from both political parties and work on the U.S. Senate Select Committee on Intelligence and the Homeland Security, Appropriations, Judiciary, Energy and Commerce committees. The group also includes staffers working with House Minority Leader Nancy Pelosi, D-Calif., U.S. Sen. John McCain, R-Ariz., and Ed Markey, D-Mass., among others.

Senior executives from Microsoft, Visa, Palantir, Palo Alto Networks and U.S. Venture Partners had a robust discussion about how their companies battle cyber crime and share network data.

Ellen Richey, global head of enterprise risk for Visa, talked about her frustration with the international organized crime rings that attack financial institutions and credit cards companies.

“And they’re using that money to finance other types of illicit activities, such as human trafficking, drugs and terrorism, yet their governments don’ t go after them, or if they do go after them, they are released due to corruption in the courts,” Richey said.

She said Visa believes that at the end of the day, it’s not possible to adopt measures that are going to adequately protect against the growing threat of cyber crimes.

“So we believe that the ultimate answer for us is to get vulnerable data out of their hands,” Richey said. “You’ve got to shrink the battlefield.”

And the staffers heard a plea by Joe Sullivan, chief security officer at Facebook, to join them in the valley’s quest for better network security.

“The pace that we work at here in Silicon Valley is amazing. It’s exciting and fun to be a part of – but it’s really scary, too,” said Sullivan, a former federal prosecutor devoted to high-tech crime. “There are challenges that we have to deal with every day and we have to have really large and nimble security teams that are thinking about the next big thing before it launches.

“The question is: are government agencies thinking about these issues? Far too often – that is not the case. Hopefully when you go back to Washington you think about how we engage companies, how we engage with government agencies, think about the roles that we all play.”

Sullivan talked about Facebook’s “white hat” program, in which the social network invites users to find security vulnerabilities and report them for a bounty.

He said they have spent $3 million in the last three years in payouts to users around the world, such as the young Palestinian man who was able to hack into Facebook CEO Mark Zuckerberg’s page to warn him of a security flaw.

“We’ve focused on encryption, we’ve hired a lot of people and we’ve looked at data center traffic and all those things,” Sullivan said. “But one of the areas where I think we’ve tried to be at the forefront is about talking about security in a more open way.”

Sullivan said he believes there’s a “disconnect” when one talks about security between the private and public sectors and consumers.

“I feel like when the government talks about security, they’re talking about surveillance,” Sullivan said. “I think when consumers talk about security, they’re talking about safety.”

The big tech companies – Facebook, Microsoft and Google – must take “full ownership” of network security, though he wishes that were not always the case.

“We honestly don’t count on any government agency anywhere in the world to make the people who use Facebook secure,” he said. “We realize we have to do it on our own. Is that a good thing or a bad thing? I would suggest it’s a bad thing. I think we’d all like more help in securing our services.”

For more details about the boot camp speakers and program, visit this website.

All CISAC News