Public-Private Partnerships on Cybersecurity Seen as Key to Pass Effective Security Legislation

From left: Beau Woods, deputy director for the Atlantic Council’s Cyber Statecraft Initiative, moderated a discussion between Lorrie Faith Cranor, chief technologist at the Federal Trade Commission; Cris Thomas, a strategist at Tenable Network Security; and Jason Healey, a nonresident senior fellow at the Council’s Cyber Statecraft Initiative, on August 10 in Washington. (Atlantic Council/Victoria Langton)

Increased cooperation between government cybersecurity officials and independent hacker communities can lead to streamlined and higher-quality legislation for technology security measures, according to a cybersecurity expert.

“We are seeing a change from a completely adversarial relationship between the government and the hacker community and it’s starting to thaw a bit where there is a lot more cooperation now. It hasn’t completely thawed, but it’s getting there,” said Cris Thomas, a strategist at Tenable Network Security.

“Now we have groups like [the Department of] Commerce…the [Federal Trade Commission] and the [Department of Defense] who are trying to bridge that gap and trying to access that knowledge and expertise to say ‘hey come help us out,’” he added.

Thomas spoke at the Atlantic Council in Washington on August 10 at a discussion hosted by the Council’s Brent Scowcroft Center on International Security. Lorrie Faith Cranor, chief technologist at the Federal Trade Commission, and Jason Healey, nonresident senior fellow at the Council’s Cyber Statecraft Initiative, also joined the panel. Beau Woods, deputy director for the Cyber Statecraft Initiative, moderated the discussion.

Cybersecurity has been propelled into the limelight recently by allegations that supposed Russian-linked hacking firms carried out hacks targeting the Democratic National Committee in March and July of this year. Russia has denied any involvement in carrying out the attacks.

The first week of August saw Def Con, an annual convention hosted by cybersecurity firms, technology companies, and independent hackers. Government officials have historically been absent from such gatherings, save for recent years. Cranor attended on behalf of the Federal Trade Commission (FTC).

“The FTC was out there…we wanted to do outreach to the hacker community and to let people know what our agency does and that we are interested in hearing about research that people are doing that can help us understand vulnerabilities in systems and give us ideas about how we can protect consumers from scams and fraud,” she said.

Participation from government agencies in these hacker communities is seen as a breath of fresh air, according to Healey.

“It’s good to see the FTC and others [attend these conferences] because instead of saying ‘it’s illegal to have curiosity about this object and how it works’…they are now saying that ‘people have discovered the vulnerabilities and we better work as quickly as they are to keep up with these insecurities,’” he said.

The panelists noted, however, that such participation needs to be reciprocated in Washington.

“I would love to see more elected officials get involved [in the hacker and cyber community]. There are enough of us that are more than willing to have meetings and put the tie on [to work with policymakers],” said Thomas.

“It’s a slow process. This is DC. Things do not move quickly. We’ve been working on improving cybersecurity policy for years. As new legislation is introduced and new bills proposed, each one gets a little bit better. I see quality increasing over time and hopefully that continues,” he added.

Mitch Hulse is an editorial assistant at the Atlantic Council.