They called it a lawyer jurga – a term evocative of “loya jirga,” the Pashto phrase for a council or mass meeting assembled to discuss important matters of national, political or emergency import. And it was just that, even though we were not in Afghanistan amongst tribal leaders, but in downtown Manhattan.
The Center on Law and Security of NYU School of Law hosted its fall conference this past Friday, “The Law of Cybersecurity: A Multidisciplinary Perspective.” The day comprised frank and rousing debates on the most pressing issues for leaders in cybersecurity. Or, as Verizon General Counsel Randy Milch put it bluntly, the issues that keep him awake at night (and occasionally cause him to wake up screaming).
While topics and discussions ranged widely, an important theme emerged at the outset of the conference and did not let up throughout the day: trust and the complex relationship between government and the private sector, and between the myriad world governments that must cooperate on cybersecurity. Milch and his fellow panelists – Leonard Bailey, Special Counsel for National Security (DOJ); Michael Vatis, partner at Steptoe & Johnson LLP; and Daniel Weitzner, MIT research scientist; led by Judith Germano, Senior Fellow of the Center – emphasized that the United States is unique because its information infrastructure is privately owned. The consequences of an attack on critical information systems, upon which our hospitals, defense and transportation depend, would be devastating to the nation. Yet, this “battlespace” is owned by private companies. As Vatis pithily said, “When there is (and there will be) a devastating event, people will ask, where was the government?”
To do their part, companies such as Verizon are very conscious that even though they are not an arm of the government, they cannot turn their backs on important national security issues. Weitzner sees a failure on each end of this relationship – a trust gap. On one hand, trust is hindered when the government two-facedly serves valid warrants on a company while surreptitiously entering that company’s systems through backdoors. Or, when the government serves Microsoft a demand for data instead of going to the Irish DPA.
Think of Apple’s recent hard line statement that it will no longer cooperate with law enforcement efforts to collect its users’ information. Weitzner called this a natural response to the lack of trust between corporate America and the government.
On the other hand, the private sector is not helping when it refuses to accept regulation with a “no way, no how” attitude. Sooner or later, there will be federal regulation, and Weitzner posits that it will be a “dumb” law if industry does not get involved now.
There was a range of responses on the trust issue from the public sector panelists throughout the day. They described just how complicated it is to govern and protect in this space. Bailey, of the DOJ, pointed out that cybersecurity is not a “thing,” but a set of relationships between policymakers, agencies and private sector hardware, software and consumer businesses. These people and institutions must cooperate and collaborate, and then this set of relationships is replicated about 180-fold across the other countries in the world. Bailey further defended American government relationship-building efforts by pointing to successful multi-national operations against botnets such as Gameover Zeus and the hundreds of companies that the FBI helped last year by notifying them of insecurities in their systems.
Panelists did note that multiple agencies have jurisdiction over cybersecurity, often vying for authority, to the confusion of the private sector. Bailey called for a federation of agencies to oversee cybersecurity, although Milch contended that companies would balk at information sharing with such a federation if it included agencies, such as the SEC or FTC, to which they have reporting obligations. Weitzner added that government has a fundamental conflict, in that it wants to enforce criminal law, which opposes the interests in rapid disclosure of security threats and information sharing.
Keynote speaker Brigadier General Patricia Frost of US Army Cyber Command noted, during her lunchtime speech, that 85% of the military’s information systems are owned by or dependent upon the private sector. She described the government as learning on the go, still working on its “nascent” strategy for a global domain that is more congested and more contested every day. She provoked chuckles from the audience when reminding us that the military does not own the Internet. Brigadier General Frost called upon privacy professionals and Congress to define parameters by which the armed forces could defend cyberspace: “We create the force; you tell us the parameters for using it.”
However, those parameters, regulation and consensus may not be imminent. Per Vatis, Congress is distracted by the consumer protection issue of data breaches and a very vocal political force that decries any interference with the Internet. Milch even declared that the public is numb to the issue of cyberthreats. Weitzner echoed that although we live in an environment of continual catastrophic threat, there is no audible political will on cybersecurity that Congress can hear.
In the face of these cynical comments, Brigadier General Frost spoke positively about the strategies the military is implementing, such as her unit, the new Cyber Command, and Operation Buckshot Yankee, which is an effort to neutralize malware within government networks.
The conference lived up to its exotic title because of the robust public discussion amongst key players in the cybersecurity domain. The panelists were frank without being withering, critical without being accusatory. I left feeling that the jurga was a promising day in which the different sectors cajoled one another to move forward, both mutually and strategically, on the critical matter of American cybersecurity.
To keep up with future initiatives by The Center on Law and Security, sign up for their newsletter.