In panel 3 of its conference on cyber security, ASP hosted Michele Markoff, Deputy Coordinator for Cyber Issues at the U.S. Department of State (DOS), Colonel Jon Brickey, National Capital Region Liaison and Assistant Professor at Army Cyber Institute at West Point, and Hon. Bijan R. Kian, Chairman of the Board of Directors for iCelero. William G. Lay, Deputy Chief Information Officer for Information Assurance and Chief Information Security Officer for DOS, moderated the panel. The two panels prior focused on “Lessons from the OPM Attack” and “Consequences for the Military,” whereas this panel highlighted the roles of the U.S. government, the military, and the private sector in maintaining cyber security.
Michelle Markoff began by highlighting the need to establish international peacetime norms and laws that will direct states on how to respond to cyber threats, the U.S. government’s stance regarding the UN charter that guides states’ use of kinetic military tools and how it also applies to cyber-attacks, and how the U.S. government is taking “Confidence Building Measures” (CBM) to preserve cyber security
“Norms are not for disrupters, per se, the bad guys. The norms are for the vast majority of peaceful states who rally around us [the U.S.] and agree when the acceptable line of behavior has been crossed and permit us to take action against disrupters.”
COL John Brickey quoted the current U.S. national security strategy for cyber threats and noted that it describes U.S. defensive capabilities, but does not discuss U.S. offensive capabilities beyond prosecuting violators to the fullest extent of the law.
“We’ll defend ourselves, consistent with U.S. and international law, against cyber-attacks and impose costs on malicious cyber actors, including through prosecution…and that’s it.”
Afterwards, he described the idea of a cyber escort for vulnerable things as similar to the concept of how a Navy escort ensures safe passage for unarmed vessels along a given route. Although the idea sounds good in theory, real world solutions do not work the same way for cyber-world problems.
To round off the panel, Bijan Kian stressed the need to outpace the ever-changing tech cyber-world with viable countermeasures.
“Countermeasures take time to build…By the time a system is in place, that system is obsolete.”
Kian also called for the need to expand relationships between the public sector and the private sector in order to better craft viable countermeasures. He also emphasized that the private sector businesses should objectively observe the rules regarding cyber security. We cannot rely on just one mean of securing our networks. Cooperation is the key.
“Sometimes merely convincing a state of the benefits of following the rules is not enough to deter them from being malicious. In this case, other measures are necessary to confront them.”
At the conclusion of the panelists’ speeches, William Lay asked them two questions to gauge their opinions on matters relating to cyber security. Summaries of panelists’ responses will be indicated as such.
First, Lay asked about the role of the private sector.
Bijan Kian said that there is a grey area when it comes to who [public/private sectors] assumes responsibility for protecting infrastructure. He said a partnership of all institutions is essential in order to have shared a responsibility for infrastructure. It comes down to cooperation and incentives for cooperation. Intellectual incentives are just as important, if not more important, as financial incentives.
Michele Markoff is quoted as saying, “Rather than joining together, they [the private sector companies] tend to represent their own interests and, therefore, weaken their general position.”
As a response, Kian said that instead of the private sector companies caring about their own interests, they need to take an objective look at the cyber-security rules. Regarding cyber-security in the private sector, educating companies about countermeasures is more important than adding more regulations.
In response to the first question, Col. Brickey said, “The private sector needs to do threat-sharing [with the public sector]…There is no public service for cyber [security]…Small businesses will cease to exist if they have to pay to protect their customers; big businesses can do these things instead.”
Then, Lay asked for the panelists’ opinions on data sovereignty.
Providing his opinion on the matter, Kian said, “The world is moving in a direction in which sovereign powers do not have full control over [non-state] actors…It might be easy to get others to think like us but it’s not so easy to get others to agree to our norms.”
Following Kian’s opinion, Markoff opined that the Edward Snowden leaks spurned states toward a policy of data localization. She said it was a push to keep data within country borders or turn to domestic providers, as opposed to multi-national providers. As an example, China and Russia have entirely domestic providers, which also allow those countries to more easily impinge on the privacy of their citizens.
Col. Jon Brickey ended the discussion with a short answer and said, “It makes operations much more difficult, and [it is] more important that you have a good cyber attorney next to you.”
Further Reading Section: