by Matthew Raab and Aislinn McNiece
The MSFS CyberProject hosted the 7th Annual International Conference on Cyber Engagement: “Global Issues that Demand Global Solutions” on Monday, April 24, 2017. The conference welcomed keynote speakers from across the public and private sectors, as well as panelist experts from around the world.
Government Perspectives on Cybersecurity: View from the White House
The day began with keynotes providing government perspectives on the challenges and opportunities facing the world of cybersecurity. Dr. Catherine Lotrionte, Director of the CyberProject, first introduced Robert Joyce, Special Assistant to the President and Cybersecurity Coordinator for the White House.
Cyber issues are global challenges that call for global solutions. -Dr. Catherine Lotrionte
Joyce outlined the cybersecurity priorities of the Trump administration, while emphasizing the difficulties facing a massive organization like the U.S. federal government, where cybersecurity resources are not spread evenly.
“Our government has something like 200 different departments and agencies, give or take, and in those departments and agencies some are really well resourced and focused on the problem, take for example the Department of Defense,” Joyce said.
While the Department of Defense has robust cybersecurity programs, Joyce noted that other agencies and bureaus with critical missions cannot individually raise themselves to that same standard.
“I don’t want to pick on the Bureau of Reclamation but I want you to have a mental picture of the challenge,” Joyce said. “They manage, develop, and protect the water related resources in our country. They are the second largest producer of hydropower in the United States. There’s a lot of technology in that important critical infrastructure mission. So how do we ensure the Bureau of Reclamation has the same focus on cybersecurity in their critical infrastructure that the Department of Defense does in their weapons systems?”
Joyce divided the federal government’s approach to cybersecurity issues like resource allotment into several ‘priorities.’ The first priority of the Trump administration is to “enhance the security and defenses of the federal government networks.” Eye opening attacks like the 2015 Office of Personnel Management personnel data breach underscored the wide-ranging implications of cybersecurity issues that require top-level focus.
“The president will hold the heads of departments and agencies accountable for managing the cyber risks of their enterprises,” Joyce said. “Cybersecurity really isn’t just the domain of the IT department or even the chief information security officer. Cybersecurity is the responsibility of those department heads. The cabinet secretaries, the agency directors.”
Joyce also sees opportunities for better cooperation across government divisions.
“We’re looking at adopting a comprehensive enterprise risk management approach for federal cybersecurity,” he said. “We’ve never before looked at the whole of the federal government as one enterprise.”
Other cybersecurity priorities for the administration include “securing critical infrastructure,” an effort that will look to secure collaboration with the private sector, and the maintenance of an “open, interoperable, reliable, and secure internet that benefits the United States and the rest of the world.”
“We will not allow other nations to hold us at risk through the malicious use of cyber. This is an important value for us and we will continue to propagate it,” Joyce said. “We will reinvigorate existing and build new partnerships internationally that focus on cyberspace with partners that will advance our shared security and economic interest.”
Government Perspectives on Cybersecurity: The Rule of Law Online
Joyce was followed by Marietje Schaake, a Member of the European Parliament from the Netherlands. Schaake expanded on the international nature of cybersecurity, focusing on the development of rule of law and international norms for internet usage, access, and content.
“A zero-sum articulation of narrow self interest needs to be replaced with a new appreciation for an articulation of the interdependence of our globally connected world,” Schaake said. “Change will require an injection of values and stronger governance in the public interest. It will also involve a much more active engagement of the general public in this discussion.”
The considerable influence of non-governmental, often private sector voices on the development of the digital world presents a unique challenge to world governments.
“The connection of everyone and everything is leading to a redistribution of power that is not yet or not at all matched with a redistribution of oversight and accountability. The rule of law does not apply online as it does offline even if this is what we claim to aspire to.”
Schaake espoused cooperation and the invested interest of all parties as the key to advancing a sustainable and safe agenda for an increasingly connected world.
“This connected global order must build on the benefits and risks of mutual dependence and should involve various stakeholders in governance and representation,” Schaake said. “Of course, those with the most power must also bear significant responsibility. The term multi-stakeholderism cannot be a mere catchphrase when the public interest needs to be advanced in new ways.”
We need more leadership from democratic governments to ensure norms between states are rooted in the values of open societies and open economies. -Marietje Schaake
News, Alternative Facts, and Propaganda
Panels at the conference included discussions on national cybersecurity strategies, the roles of the military and business in cybersecurity, and the use of cyber in war and peace. One of these panels, titled “News, Alternative Facts, and Propaganda: The Role of Cyber in Influence Operations,” focused on the role of cybersecurity in current political events and discourse.
Panelists included Maria Belovas, Director General of the Communications Department of Estonia’s Ministry of Foreign Affairs; Rashid Gabdulhakov, a Ph.D. Candidate in the Department of Media and Communications at the Erasmus University Rotterdam in the Netherlands; Sebastian Gorka, Deputy Assistant to President Trump; Markku Mantila, the Director General of the Government Communications Department in the Prime Minister’s Office of Finland; and Anthony Arend, Senior Associate Dean for Graduate and Faculty Affairs in the SFS and Director of the MSFS Program. The panel was moderated by Siobhan Gorman, Director of the Brunswick Group.
Gorman began the panel with the argument that fake news has become a critical element for the role of governments in cybersecurity due to the increasing potential for fake news to influence political discourse. Belovas agreed, adding that with the addition of social media to the news landscape, fake news can travel faster, which has a direct effect on everything from a population’s basic understanding of current events to national elections.
Belovas called attention to the similarities between fake news and propaganda, defining propaganda as something “orchestrated by a government with a purpose.” In dealing with propaganda in Estonia, she argued that it is up to the public to check their facts, citing a study that even intelligent adults don’t often verify the sources of their news. In this sense, she said the way people deal with fake news and propaganda is the same: readers must check the credibility of their sources in any way that they can.
Mantila agreed, explaining that there is a limited role for democratic governments in decreasing fake news because the means of counter-propaganda are contrary to democratic principles of free speech and transparency. In Finland, where the children are the best educated in the world, according to Mantila and numerous independent studies, education is the “first line of defense” in information war, said Mantila.
Arend, who is also a professor in international law and American constitutional law in foreign policy, agreed that legal actions like licensing and regulation are not the best solution to fake news. Rather, the best response to fake news, he said, is better news. Because of this, Arend said he was skeptical of German and French attempts to use legal responses to counter the proliferation of fake news.
However, Belovas argued that governments are not inept in dealing with fake news, even if government responses from a legal or cybersecurity perspective venture into dangerous anti-democratic territory. She said that government communications can play an important role in preventing the spread of fake news:
What we can do as governments, and what we have to do in this digital era, is be more open, more honest, and more fast with our own information. Because when you get that out first and you are a credible source, and the other sources are not as fast and not as clear with their information, they do not have that credibility.
The issue of speed, then, is both a problem and a solution in the fight against fake news. As Gabdulhakov explained, the urge for speed and sensationalism to drive clicks and shares on social media has made news a monetized commodity, something of which “even venerable news sources” are victims.
Gorka agreed, citing the widespread angle of “palace intrigue” to generate views in recent news stories about the White House. “Unfortunately that market-driven reality [of journalism] creates vulnerabilities that can be exploited by nation-state actors and non-nation-state actors,” said Gorka.
The panel ended with a series of questions-and-answers, the majority of which were directed at Gorka by a group of student protesters who attended the session. Many of the questions referenced allegations of Gorka’s ties to an anti-Semitic group in Hungary, to which Gorka told the students they were “victims of fake news.” Gorka told the conference organizers that he had to leave the panel early, which he did. The audience was not informed in advance.
“National Fightbacks: Reaching a Turning Point in the Battle Against Cyber Attacks”
The final keynote brought Ciaran Martin, CEO of the United Kingdom’s National Cyber Security Centre (NCSC), to Gaston Hall to discuss the U.K. government’s efforts to combat cyberattacks. The NCSC, housed within the Government Communications Headquarters (GCHQ) signals intelligence organization, was formally opened in February.
Martin highlighted a number of critical questions about cybersecurity that efforts at NSCS have addressed, including the growing international prominence of cybercrime and what should be expected from governments in response to that dynamic. Beyond relatively established national security concerns, seen in incidents like the aforementioned OPM breach, cyberattacks present a fundamental economic and societal threat–a threat to “public confidence in the digital economy.”
“As well as caring about cybersecurity for national security reasons, governments should care about it because confidence in the economy depends on it,” Martin said.
To accomplish this, Martin urged an improved understanding of cybersecurity that stressed the preventability of most cyberattacks and demystified the subject.
“Too many attacks are getting through. Worse, far too many basic attacks are getting through,” Martin said.
The effectiveness of these basic attacks can be reduced with small investments that raise the costs of those attacks. These changes can be accessible and attainable for broader society.
“There’s much talk about people being the weakest link in cybersecurity. That makes as much sense as saying players are the weakest link in a sports team,” Martin said. “The internet is a human creation for use by humans. We have to construct solutions that people who are not experts in cyber security can use and follow easily and cost effectively in the environment [that] they live and work in. If we allow the subject to be shrouded in mystique, in fear and panic, then we won’t fix the problems we need to.”
Cyber security is about risk management. Nothing more, nothing less.
Thus, Martin expects and depends on the private sector to pull its weight in defense against cyber crime. The U.K. government is ready to provide its own expertise, but it hopes to do so as part of a collaborative effort.
“Our strategy is by making it easier to raise basic defenses across the board by first finding gaps in what is happening in the private sector and moving directly to fix them,” Martin said.
Overall, Martin was insistent that cybersecurity is not an insurmountable or unmanageable problem.
“Cybersecurity is a manageable problem,” he said. “Let’s not overhype it, let’s understand it. Let’s help people to manage risks normally like they do elsewhere in life.”