September 24, 2020
Five big questions as America votes: Cybersecurity
As part of the Atlantic Council’s Elections 2020 programming, the New Atlanticist will feature a series of pieces looking at the major questions facing the United States around the world as Americans head to the polls.
With the next US presidential election in less than two months, the next administration will face no shortage of substantive cyber policy issues. US adversaries such as China and Russia continue to undermine and fracture the free and open internet. The technology ecosystem has been altered by the rapid adoption of cloud computing, placing immense power and responsibility in the hands of few technology giants, such as Amazon and Microsoft. The effects of the coronavirus pandemic have forced millions of Americans to rely on remote technologies to work and study from home. These trends and an increasing number of Internet of Things (IoT) connected devices are raising new concerns over privacy and security at the forefront of policy discussions.
Below are the five major questions facing the United States on cybersecurity as the US elections approach, answered by five Atlantic Council experts:
Since the last Bush administration, US attention in cyberspace has largely focused on four adversaries—Russia, China, North Korea (DPRK), and Iran. Who will be the biggest challenge for the United States in the next decade?
“Proliferation of offensive cyber capabilities. Where states like Russia or DPRK develop and share capabilities or intelligence on US and allied targets with non-state groups, either direct proxies, independents, or criminal groups, the threat environment facing the United States becomes decidedly more complex.” – Trey Herr, director, Cyber Statecraft Initiative
“Russia. At this point, it is more difficult to point out a geopolitical conflict involving Russia that doesn’t have a cyber component instead of one that does. We also need to watch out for China’s advancements in artificial intelligence research and military applications. The real challenge, however, is that the current cyber landscape is such that both the United States and its adversaries are stuck in a prisoner’s dilemma where the individual incentives for surprise attack, preemption, and exploitation of vulnerabilities leave cyberspace collectively insecure for everyone. Challenges from adversaries, old and new, will continue as long as this dynamic persists and as the attack surface increases.” – Jenny Jun, fellow, Cyber Statecraft Initiative; PhD candidate, Columbia University’s Department of Political Science
“China will be the largest challenge to not just to the United States, but to all of the ‘rule of law’ countries over the next decade. Aggressive intellectual property theft and the influence of their market power combined with the exportation of an authoritarian governance model as a viable alternative to the Western system will be the defining issue of the decade.” – Jeff Moss, nonresident senior fellow, Cyber Statecraft Initiative; founder, Black Hat and DEF CON security conferences
“Size is not as crucial as a concern; we need to be worried the most about how criminal groups and similar actors working with nation-states to disrupt the West politically. Particularly concerning is the ability of these groups to use nation-state grade cyber capabilities in operations, with the support of nation-states.” – Gregory Rattray, senior fellow, Cyber Statecraft Initiative; partner/co-founder, Next Peak LLC
“These four states will all continue to pose different kinds of threat, in addition to many new players who have obtained or built offensive cyber capabilities in recent years. The biggest challenge for the United States in the next decade will be China; but the challenge is not to prevent China from assuming a more influential role in cyberspace—that cat is out of the bag—but for the United States to find cybersecurity solutions that work in a multipolar and interdependent world. The alternatives of withdrawal from or overmatching in cyberspace do not appear sustainable.” – James Shires, fellow, Cyber Statecraft Initiative; Assistant professor, Cybersecurity Governance, Institute of Security and Global Affairs, University of Leiden
The Cybersecurity and Infrastructure Security Agency (CISA) was established in 2018 to improve cybersecurity across government. What other organizational changes at the federal and/or state levels should be made to best protect Americans from damaging cyberattacks?
Herr: “The United States must revamp its cloud adoption and security regulatory processes. The incumbents, programs like FedRAMP and the DoD Cloud Computing Security Requirements Guide, are slow, emphasize manual processes over automation, and skew towards prescribing design choices instead of security outcomes and performance. Change at the Federal level would be a boon for more secure adoption of cloud computing by states and allies, many of whom are searching for a more flexible and cloud-friendly model.”
Jun: “At this time, instead of making more organizational changes, I think it’s more important to empower existing positions and strengthen regulations for specific policy goals. For example, if the goal is to make businesses exercise more due diligence when manufacturing various products in the supply chain, making acquisition choices, and handling customer data, this can be achieved through congressional legislation and empowering regulatory agencies such as the Securities and Exchange Commission (SEC) for its enforcement by sector. If the goal is to make individuals and enterprises less susceptible to ransomware attacks, federal insurances can be established to pay for victim recovery, and baking in backup and resiliency best practices to insurance premium prices, instead of leaving insurances to pay the ransom itself or simply asking victims to not pay.”
Moss: “Our future will depend on reliable, safe, and secure technology gluing society together. A clearly articulated industrial policy for technology that prioritizes resiliency and security would provide intention and direction to future decisions. The creation of a National Supply Chain Safety and Transparency Agency could act as a coordinator for industry and government risk evaluation, best practices, and policy advice. This would help governments understand the risks before procuring a technology, and companies would be able to address their concerns.”
Rattray: “Beyond CISA, the government needs to establish joint operating capabilities and collaboration with the private sector, through analysis and resilience centers like the FS-ISAC. These should very definitely include enabling state governments through the increase of response capabilities, following the federal level in working directly with the providers of critical national functions.”
Shires: “Greater privacy and data protection will be crucial. Although it would not directly prevent cyberattacks, good privacy and data protection design and regulation would prevent some of the most serious consequences of intrusions and breaches for the general public. Of course, finding a good solution to information sharing on cyberattacks is also key, whether incentive-based or regulatory, and at state and federal levels. Finally, keeping to a single and clear definition of critical infrastructure, enabling states and federal government to focus resources effectively, would definitely help.”
What will be the most influential force on the shape of the internet that the next administration will face?
Herr: “Apathy. The internet’s continued universality and technical integrity are in question, as much because of deliberate Chinese and Russian efforts to drive fragmentation as benign neglect from the United States and key allies. The internet’s original design features which pushed intelligence (and thus much of decision-making power) to the edge of the networks has been eroded in favor of ever more capable intermediaries. The arguments against a single internetwork are being made far more frequently than those in favor.”
Jun: “Increased attack surface from 5G adoption coupled with IoT devices. More dependencies and integration can make it easier to create cascading effects where exploitation of one feature could affect the entire network. As a political scientist, one hope is that perhaps the vulnerabilities will be so great and intertwined such that it will create mutual hostage situations and ironically contribute to stability.”
Moss: “Great power competition and decoupling economies will fundamentally change the nature of the internet over the next decade, and the next four to eight years will be critical. There has been a lot of speculation about the use of cyber retaliation and how infrastructure provider would alter their networks to limit the impacts, and now we are witnessing the emergence of what I call ‘App Diplomacy’ with India banning popular Chinese social media apps such as TikTok. A new capability in the diplomatic toolbelt.”
Rattray: “The internet and cyberspace generally continue to evolve extremely rapidly. I would have the next administration focus particularly on artificial intelligence, the protection of data used to form algorithms, and the reliance of government, economic, and social functions on the use of artificial intelligence.”
Shires: “There are two. The first influence is its own current trajectory. If current ‘clean’ measures are taken to their extremes, the United States itself will reshape the internet into at least two halves (and, maybe, depending on which way Europe goes, three). The second influence will be the continuing surge in internet access worldwide, especially in the Global South.”
How will the novel coronavirus pandemic impact the next administration’s approach to digital privacy?
Herr: “Unclear. Contact tracing through smartphone and wearable apps has not featured in the United States as prominently in other countries and the EU remains a patchwork of different designs and applications. The move to work from home has forced users to more frequently consider where their data lives and how it can be accessed which may improve support for a private authority or more coherent federal privacy protections.”
Jun: “This is a classic commitment problem, for both governments and big tech. Whoever is collecting vast amounts of personal data to a centralized system has a hard time credibly promising that it will use insights from that data or the capacity to collect it for one purpose but not the other. But this problem is not unlike other promises that governments had to make in the past, such as a promise to use military power only against foreign adversaries but not against its own citizens or domestic rivals. While no silver bullet, mechanisms such as tying hands, allowing oneself to be sued, delegating authority, and embedding these mechanisms in institutions so that they are hard to change—stuff democratic governments have known for centuries—can partially mitigate this commitment problem. But voluntarily giving up this power will take an extraordinary event, probably not without a bottom-up demand from consumers.”
Moss: “COVID-19 has forced everyone to embrace online everything, and with that comes a growing awareness that their expectation of privacy is being violated or traded away with only illusory consent. In the absence of a constitutional right to privacy, the next administration could address this by creating legislation that would create a minimum for privacy expectations to provide clarity to both people and to the market, ultimately enabling competition instead of privacy law arbitrage. I know. I’m an optimist.”
Rattray: “The pandemic requires the next administration to both enhance digital privacy and deal with the increased sharing of private information. New, ever more relevant medical information must be shared digitally and must be protected. Simultaneously, remote work increases the necessity of the digital environment, and the amount of private information handled digitally. Finding the right approach to privacy is going to become a fundamental enabler.”
Shires: “It will create some contradictory pressures. For example, the pandemic has forced many personal and professional lives online for the foreseeable future, suggesting investment in digital privacy for online connective services should be a priority; but also generating more of a market for these services and greater opportunities for data-based advertising, threatening privacy. Another example is healthcare data: protecting the privacy of healthcare data should be more important, but finding a balance that also enables the sharing of data when necessary for contact tracing, and avoiding a shadow surveillance economy for doing so, will be difficult.”
The IoT is growing by the day, increasingly morphing the digital and physical worlds and in turn broadening the cyberattack surface. What immediate steps can the next administration take that can result in quick wins for creating a more secure IoT ecosystem?
Herr: “Empower the Federal Trade Commission to enforce a baseline standard of secure design and manufacture for IoT devices. There are numerous proposals of what such a standard might look like and various labeling schemes to support their enforcement but the root of impact is a clear and minimally ambiguous enforcement scheme.”
Jun: “Change incentives of manufacturers and distributors to sell more secure products, like we have done for areas such as food safety and financial products. Don’t rely on the consumers to make security choices, and don’t regard this as a purely technical problem beyond the policy realm. Leverage existing recommendations for manufacturers like NISTIR 8259, create certification mechanisms, and ensure compliance. Coordinate such efforts with like-minded countries to gradually establish global market standards.”
Moss: “While I don’t believe there are any quick wins to be had in IoT, there are some steps that are long overdue, like requiring an update mechanism to fix critical bugs, imposing manufacturer liability for defective products, and requiring transparency on what is inside the device, possibly a Software Bill of Materials (SBOM). Finally legislating clear product labeling laws like we have for food would provide transparency to important questions like how many years will the product be supported? Does the product require you to reveal personal information to activate it after purchase? Will this product be used to track my movements or spy on me?”
Rattray: “In general, I am a skeptic of the notion regarding quick wins, especially when it comes to fundamental changes in the digital ecosystem, like the rise of IoT. The next administration should focus on providing support to those who provide IoT products and services to make sure that they are easily secured and robust, while also increasing the general capacity of individual organizations in the nation to respond to digital disruption.”
Shires: “First, develop consistent standards for IoT security (although this isn’t quick, it should be started immediately). Second, find a way to effectively leverage the cybersecurity community to publicize and patch bugs in IoT systems. Third, for consumer IoT it is privacy and data protection. There will always be successful IoT attacks, and the harder it is to for example exploit access to smart speakers, or pivot from a dumb device to something juicier, the more we can use them with confidence.”
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.
See more from CSI’s 5X5 series:
Image: U.S. Department of Homeland Security election security workers monitor screens in the DHS National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, Virginia, U.S. November 6, 2018. REUTERS/Jonathan Ernst