Experts debate national cybersecurity policy suggestions at RSAC 2017

Experts at RSAC 2017 discussed national cybersecurity policy suggestions for the new presidential administration, including what to do about encryption and the DHS mission.

SAN FRANCISCO -- Members of the Cyber Policy Task Force at the Center for Strategic and International Studies (CSIS) first began work on cybersecurity recommendations for the next administration in 2014, and at RSA Conference 2017, members of the task force discussed areas where the government needs to improve, including encryption, the role of the DHS, incident reporting and an increased focus on user data privacy.

Sameer Bhalotra, co-chair and head of the West Coast team for the CSIS Cyber Policy Task Force, said the government might need a national cybersecurity policy concerning major cyber incident reporting and data collection.

"The model that was most popular was the National Transportation Safety Board. ... They provide limited immunity and a lot of anonymity to pilots and airline operators who explain what happened so we can learn for the benefit of everyone else," Bhalotra said. "We want the same thing in cybersecurity -- a safe way to share information so it's not pointing fingers and not blaming the victims and we can all learn how to stop this [from] happening again."

Karen Evans, co-chair and head of the East Coast team for the CSIS Cyber Policy Task Force and national director for the U.S. Cyber Challenge, said she wanted a national cybersecurity policy to enforce the tenet that data belongs to the user.

"If that guiding principle is set up that the data belongs to the user, then that sets in motion a whole lot of reforms that could happen, as well as a lot of adoption," Evans said. "A lot of the laws locally where you're trying to make use of cloud technology say, 'No, the data needs to stay resident in the state.' That's ridiculous in today's day and time. ... If the basic guiding principle is adopted by this administration that the data belongs to the user, it could be set up from a national and international perspective of how data flows between countries all the way down to what's happening in a local county."

Nico Sell, co-founder and co-chair of Wickr, based in San Francisco, said national cybersecurity policy needs to be more prescriptive about personally identifiable information (PII).

"Another thing is really expanding the definition of what's important to a user with data, because there are a lot of things that aren't protected right now," Sell said. "There's a lot more information with PII that needs to be defined to really protect users out there."

Sell also advocated for more radical ideas like engagement with hackers, more bug bounties for government agencies and long-term solutions to building the IT workforce by starting to teach children to hack as early as kindergarten and through college.

Ryan Gillis, vice president of cybersecurity strategy and global policy at Palo Alto Networks Inc., based in Santa Clara, Calif., said the government needs to modernize.

"The federal government has not adapted adequately to evolution in technology to modernize IT. There's been a start to that and proposed legislation that we've seen on the Hill to modernize the infrastructure," Gillis said. "That's an area where we need to move faster as a nation and as a federal government, and do so with security in mind. So, it's not just buy the shiny new toy, but think about this in a way that we introduce and leverage security capabilities."

Gillis also suggested national cybersecurity policy to develop international norms around sanctions against nation-state attacks and more bilateral agreements like the no-hacking agreement made with China.

Bobbie Stempfley, director of cyber strategy implementation at The MITRE Corporation, based in Bedford, Mass., said we need to find ways to "feed the entire nation" and not have specific tech hotspots like San Francisco, Boston and Houston, and she said the industry needs to move past the idea of "adequate security."

"It took a decade to realize that IT was the transformative thing for the business. We're there now. No one thinks of Amazon as a logistics company, they think of Amazon as a technology company," Stempfley said. "We need to really embrace that both inside government and for small businesses, and think about security resiliency as paramount because it's a business imperative."

Encryption and international data flows

Denise Zheng, director and senior fellow of the technology policy program at CSIS and moderator for the Cyber Policy panel at RSAC 2017, asked the panel about the uncertainty around President Trump's potential policies around encryption and international data flow.

"Data crosses borders and data isn't always stored in the United States and there are a lot of countries now taking a localized approach to the processing and storing of data, in part because of national security concerns," Zheng said, and asked how Trump's trade agenda and pro-law enforcement stance could impact national cybersecurity policy.

Sell, whose company makes an ephemeral encrypted messaging app, was optimistic that strong encryption is something that "everyone wants" and that sentiment could make its way to the president.

"I would say that law enforcement depends on Wickr and strong encryption every day, and I think most of the people in the intelligence community and law enforcement understand that and hopefully it works its way up to the top," Sell said. "I think most people wouldn't want to put a hole in their communications ... and there are plenty of other ways to catch bad guys. The first one I would point to is metadata and GPS and using security cameras to look at somebody's password."

Evans noted that this conversation has happened before with the Clipper Chip and she hoped that would "inform policy going forward."

"I think that as we move forward that this is a balance between your security and your privacy and law enforcement," Evans said. "All of those equities come to the table and then it really is what is the ultimate goal that you're trying to get to."

Bhalotra agreed and said he was optimistic that the recommendations from the Cyber Policy Task Force would sway any potential national cybersecurity policy from President Trump.

"These kinds of protectionist policies for the internet and the cybersecurity sector are bad for business and bad for the economy," Bhalotra said. "I think it's pretty clear that [the president] is getting advice from people who understand that."
