Deep Dive Episode 115 – Public-Private Partnerships: The Future of Cybersecurity?
While most agree cybersecurity is a vital part of modern national security and see cyber-attacks as an evolving and dangerous threat, the question of how best to utilize the resources of the United States to protect the nation against cyber-attacks is far more contested.
Many in the cybersecurity space see the path forward as including more public-private partnerships since private companies are often more directly impacted by cybercrime than the federal government and can be more dynamic in their responses.
However, given the criticism of these partnerships in the past, are they truly the best way to protect the public? In this time of quarantine, American society has become more dependent on internet technology, so examining how our nation protects itself and its companies digitally has never been more important.
Are public-private partnerships the best way to fight cybercrime? If not, can the government alone protect the nation from cybercrime? If these partnerships are the way of the future, how could they be improved? This episode will discuss these important questions and more.
Although this transcript is largely accurate, in some cases it could be incomplete or inaccurate due to inaudible passages or transcription errors.
Colton Graub: Good afternoon and welcome to The Federalist Society’s Fourth Branch podcast for the Regulatory Transparency Project. My name is Colton Graub. I’m the Deputy Director of RTP. As always, please note that all expressions of opinion are those of the guest speakers on today’s call.
This afternoon we’re pleased to host a conversation exploring the role of public-private partnerships in protecting the nation against cyber-attacks. We’re pleased to feature Dmitri Alperovitch, who is the co-founder and former CTO of CrowdStrike, as well as Jamil Jaffer, who’s the founder and Executive Director of the National Security Institute and an assistant professor of law and Director of the National Security Law & Policy Program at George Mason University. Dmitri and Jamil, how are you today?
Dmitri Alperovitch: Great, Colton. Thanks for having us.
Jamil N. Jaffer: Fabulous.
Colton Graub: Thank you both for joining us. If you’d like to learn more about each of our speakers and their work, you can visit regproject.org where we have their full bios. To kick things off, Dmitri, the internet and the digital economy touch almost every aspect of our lives. Some of our most valuable information lives on internet-connected devices. In light of the current COVID-19 pandemic and the upcoming U.S. election in November, what do you see as the major threats facing the country in the cyber arena?
Dmitri Alperovitch: Thanks, Colton, and thanks for having me. I’m very much looking forward to the conversation. And I think Jamil and I have a great debate coming up as well. So I’ll be brief on this question as we’re going to get into more interesting discussions later on.
But in general, when you look at the threat landscape, there are three types of threat actors that we face. There are nation-states out there that wish to do us harm. Obviously, the primary ones are the top four that we face in the broader geopolitical context: Russia, China, Iran, and North Korea. Although, there are increasingly others that are leveraging cyber to achieve various national priorities, whether it’s traditional espionage or facilitation of economic espionage as we see, for example, from Vietnam increasingly targeting our industry.
The second type of threat actor is cyber criminals. Sometimes they’re working closely with the state-based resources, intelligence agencies, and militaries in various countries. But more often than not, they’re operating on their own or in organized groups targeting anything that they can monetize, so either direct theft of data, direct theft of resources, credit card numbers, identity information they can monetize, or ransomware type of attacks where they can extort money through cyber action.
And then the third type of actor is general malfeasances that are trying to do harm on the internet because of some cause. So those could be terrorist groups that are trying to achieve specific objectives online. More often than not it’s anarchist type of groups and others with a political agenda that they’re trying to pursue and typically engage in more disruptive and destructive attacks.
On the nation-states front, this is really the major threat that we face today, the most strategic. Obviously, we have seen nation-states interfere in our elections. We have seen nation-states engaged in highly destructive attacks like the NotPetya attacks, the most destructive attack in history that cost hundreds of billions of dollars of damage in 2018 when it was unleashed by Russia on Ukraine and then spread from Ukraine to target numerous other countries including, ironically, Russia itself; attacks like WannaCry, originating from North Korea that masqueraded as ransomware but was really all about disruption and destruction.
And then nation-states are also engaged in economic espionage. So the likes of China, for example, have really pioneered this model of leveraging state resources to infiltrate companies, steal intellectual property and then provide that intellectual property to their domestic industries to better compete out there. In terms of the current COVID situation, really all three types of threat actors are ramping up their operations.
In fact, so far year to date, the number of attacks and intrusions that we’re seeing in cyber has doubled compared to prior year. So things are only increasing in both threat level, as well as vulnerability, because as more and more people are working from home, including in government agencies, they’re much easier to target, both on their personal machines as well as on their home networks. And it’s an increasing challenge for both governments and industry to try to protect those resources online when they’re not sort of physically in charge of them. So that’s sort of the high-level overview of the threat landscape.
Colton Graub: Thanks, Dmitri. So for those in the audience who may be unfamiliar, Jamil, can you walk us through information sharing partnerships, specifically how they have developed historically and how do they function currently?
Jamil N. Jaffer: Sure. Well, you know one of the things that Dmitri highlights about the threat actors that are facing us are a lot of these are actors, particularly some of the most active and effective ones, tend to be nation-states, that is countries that are focused on the U.S., not just our government, but our private industry, either to steal intellectual property, as Dmitri just described, or to gain other economic advantage, to conduct direct attacks. Sometimes these attacks tend to spill over. NotPetya, as Dmitri pointed out, was an attack directed by Russia against Ukraine that had massive spill over effects, hundreds of millions of dollars to individual companies that were not even the targets of the attack.
So you see nation-states getting involved in ways that are in some ways unprecedented, at least unprecedented beyond that last five, ten years. And you also realize that in this country in particular we’re not interested in having the government sort of patrol the borders of the internet, as it were, even if you could identify the quote/unquote borders of the U.S. internet, which you can’t. But if you could, we’re not structured in a way — nor do we as a matter of private individuals want sort of U.S. Cyber Command patrolling those alleged borders.
So the question then becomes how do private companies — how can they be expected to defend against nation-state threat actors who have virtually unlimited resources, both from human capital and an economic perspective. And obviously, these companies are not in the business of cybersecurity. They’re in the business of providing services to consumers or goods to consumers or goods to other businesses. And so how can they possibly be expected to compete?
And the fact is they can’t compete. And one way that they can look at that competition is to work with one another, and another way is to work with the government. And what does that work with one another mean, right? Well, one, historically, the way you thought about that it’s about sharing information. It’s about saying, “Hey, here are the threats I’m seeing on my network. Here are the threats you’re seeing on your network. How can we better understand it to get ahead of some of these threats?”
So we’ve, for a long time, had these things called information sharing and analysis centers, ISACs, which are generally structured by industry. So you’ve got the healthcare ISAC. You’ve got the financial services ISAC, energy, and the like. And they tend to be groupings of companies that work together with one another to share insights on what they’re seeing on their networks, how the threats are going, how to respond to them, sort of best practices and the like. And oftentimes, these ISACs or ISALs, which are another form of these — other type of information sharing organization, will work with the government to share information with the government, understand better what the government knows about potential threats and the like.
Now, the challenge that these organizations have, they’re exactly at the right approach, and they’ve long been [inaudible 08:15] and have made huge strides forward in ensuring that we’re better protected. But one of the challenges they face is that the government is generally unwilling to part with the information it has. And Dmitri and I will have a debate, I think, today about how valuable that information might be, if at all, to private industry participants. I think we might have different views on that.
But the government to the extent it has information is often unwilling to part with it because they want to protect intelligence sources and methods. Industry is generally — has historically been, and I think less so today — but has historically been reticent to give the government tremendous amounts of information because they’re concerned about regulation and potential liability exposure. And frankly, the government hasn’t been the greatest steward of private industry information, oftentimes posting it on public websites or disclosing it through FOIA and the like. And so industry is reticent, and so there hasn’t been that great sort of communication between the government and industry.
And then, of course, within industry itself, there are obvious competition issues. There are antitrust issues and the like. A lot of those have been addressed in recent years by laws like the Cyber Intelligence Sharing Act — Cyber Information Sharing Act that passed in 2015. But there remain issues in the law and concerns about lawyers. And a lot of folks on this call are lawyers, so concerns by lawyers about what cyber operators might do to shared information.
So I think those are some of the things that play into this debate about information sharing. And it’s historically been. One is a question of trust. Another question is the question of value and the need of the benefits coming from that. And then finally, what do you do with that information once you’ve shared it, and how effective can you make it? So I think there are a number of issues there.
But I think one of the things that Dmitri and I probably should talk about is this question of there’s been this long-held debate and discussion about the need for industry to share with the government and for government to share with the industry and that that will make cybersecurity better. And Dmitri, I think your view — you have a view on this. So Dmitri, what’s your view on this?
Dmitri Alperovitch: Yeah. No, that’s a great start, and let’s get into this debate. So let me be very clear about my position. Information sharing is not a bad thing. However, it is absolutely not a panacea, and it’s not going to solve our cybersecurity challenges, which unfortunately has been the proposed solution literally for the last 20-plus years in the policy community in this town, in D.C.
So literally since the late ‘90s, people have been clamoring for more and more information sharing between governments, for government to share more, for industry to share more with the government, as a proposed solution to our problems. And the problem with that is that, just like washing our hands is not a bad thing and everyone should be doing it, it is not going to solve the COVID problem for us. We need a vaccine to get us out of that situation. Similarly, information sharing, while clearly providing significant benefits, is not the ultimate solution.
And the proof is sort of in the pudding because for the last 20 years we’ve been focused on this issue. For the last 20 years numerous legislation has been past. A lot of these organizations that Jamil talked about have been stood up to share information. Government has been more aggressive at sharing what it knows with industry, and yet the problem has only gotten much, much worse.
So doing more of the same, in my view, is actually counterproductive. And unfortunately, it’s not cost free. The more effort and energy we spend, particularly in this town, pushing for legislation to improve information sharing is a time and effort we’re not spending doing other things that can be more impactful.
So everything has a cost-benefit analysis, and I believe that on information sharing specifically we’ve reached the limits of the benefits of what we can achieve with the existing system. And instead of pushing for more and continuing the same policy that we perceived for the last 20 years, expecting a different result, we should try a different strategy.
Jamil N. Jaffer: So look, I actually am going to agree with Dmitri on a lot of what you said there which is, number one, of course it’s not a panacea. Nobody would suggest that information sharing standing alone is the solution to all of our cyber security problems. I will dispute with you whether we’ve gotten far enough or done enough, and I’ve got a couple of examples of why I think — where I think we haven’t done enough and could do a lot more in terms of information sharing. But I do agree that it’s not the panacea.
And to me, part of the reason is a couple things. Number one, it’s not just information sharing for information sharing sake. It’s what do you do once you have that information? It’s how do you act on it. It’s how do you work together, right?
Part of the problem I think that we have today is, when it comes to nation-state threats, we don’t expect, for example, Target or Walmart or any of these big companies, even JP Morgan, to have sort of surface to air missiles on the roof of their buildings or their warehouses to defend against Russian bear bombers. Why? Because it’s not the job of a private company to defend against attacks from the air by a foreign nation-state.
Of course, we do expect them to have high walls and guard dogs and armed guards to defend against the average common criminal. But we don’t expect them to do that. One, it’s not their job. Two, they can’t realistically be expected to buy and spend the money and have the wherewithal to do that kind of defense, nor do we want them in that business.
Of course, the situation is somewhat flipped in the cyber arena where we actually do expect JP Morgan and Target and Walmart and all of these companies to defend against nation-state threat actors. And they’re not resourced to do it, right? And we know the government does know things about nation-state threat actors that the private sector doesn’t know. And I know there’s a debate about this, and we’ll debate this issue, Dmitri, right?
But we know today, after all the disclosures that we’ve seen about government surveillance efforts and like that our government, like other governments, lives inside foreign computer systems and mines them for information, oftentimes foreign government systems and the like. And in the process of doing that, they identify things that are potential threats against the U.S. government, and they may identify threats against the private sector.
And the question becomes how come they didn’t take that information without disclosing the source of that information, give it to the private sector in a way that’s actionable, and allow them to act on it? I don’t think, frankly, Dmitri, today that we’re doing that or have done it effectively. We’ve talked about it. I agree with you 100 percent. We’ve talked about it for altogether too long, and the time has come, particularly in this environment, where we know that nation-states are going after our COVID response, whether it’s healthcare entities or companies that are looking into vaccines and the like. So we know it’s happening. This is as good a time as any to actually take that actual information, give it to industry, and let them act on it in a way that protects the source of the method.
At the same time, I think that there is something to be said—Dmitri, I’m interested to hear your thoughts on this—for putting aside whether you share information. But what do you do once you’re working with another company or with the government? How can you engage in a collaboration? And sort of the Cyberspace Solarium Commission said we need a new way of thinking about the problem. We need a new social contact, really need to think about collected defense.
And I think that’s right. I think what we need to think about is how do we collaborate. How do we have collaborative defense where one company can work with another company and say, “Look. We’ve identified these three threats. You’re seeing the same thing. We’ve decided we’re going to take these out. You don’t need to waste any resources, your limited human and technological resources on this. You can simply rely on our decision and act on that?”
And of course, you don’t have to do that. But if you can, then you can leverage scale of multiple actors in a given environment. You don’t have to have all the humans to do it. And perhaps, government and industry might be able to find a collaboration there also.
So I’m interested, A, Dmitri, whether you think that’s sort of a better approach or a refinement that you’d be willing to bite off on in terms of not just information sharing but, if not that — and if you think that’s also not as productive and sort of a time waster, I’m interested to know what is your theory about what we ought to be doing better on the public-private divide if it’s not this sort of information sharing or collaborative defense as I’ve described? Over to you, Dmitri.
Dmitri Alperovitch: Well, I knew it was a fool’s errand to debate a brilliant lawyer like Jamil because, of course, you’re a master of changing the subject and trying to pivot. Because of course we should be doing more, and of course private sector shouldn’t be expected to defend themselves against these nation-state actors all by themselves. And the government has a huge role to play.
I would argue the role that it has to play is primarily in the deterrence and punishment arena where they should be articulating clear policies and backing them up with force, including potentially military force depending on the level of attacks that we suffer, that make it very, very clear to our enemies that these actions will not be tolerated. And I think our policies, in fairness, particularly in this administration, have been changing towards that where you have seen a very, very aggressive vis-à-vis China, for example, on economic espionage where we’ve essentially launched a trade war against China because in many ways of the economic espionage that they’ve been conducting against our industry for the last two decades, indictments and other strategies that we’re now seeing from the U.S. government. I think that’s great, and I think it needs to be expanded to other nation-states as well.
However, back to the information sharing point, and I think it’s really, really important to dispel this myth that the government is sitting on this massive pot of gold of information — this highly sensitive, classified intelligence, that if only they would share it, suddenly all of our problems would disappear and these companies would be able to defend themselves. There are actually two problems with that.
One, it’s actually not true. So I don’t disagree with Jamil that we have phenomenal intelligence resources and our collection methods are better than anyone else’s in the world. But it’s not actually clear that that itself manifests into a timely collection of relevant cyber data that can be useful to industry. So just because you may be able to overhear a colonel in the MSF, Ministry of State Security in China, discussing a potentially new attack does not mean that that is going to be necessarily actionable information that you can take and give to a company and have them defend themselves against that form of attack.
To collect the type of very, very technical data in a very, very timely fashion that would enable that type of response, particularly a long-lasting response, is actually very, very difficult. And it’s not clear that we have the mechanisms at least today to do it well. And the proof, again, is in the pudding because if the government really was sitting on this wonderful wealth of intelligence that was so useful to protecting against cyber intrusions, don’t you think that they would first and foremost actually use it to protect themselves?
And in fact, our government networks, including our most sensitive networks, like the networks of Department of Defense, like the networks across our intelligence community, the White House, the State Department, have all been breached over the years and are targeted literally on a daily basis with the results that I think would put to shame many of the top corporations in the world if they have similar successes, or failures I should say, against defending these types of networks. So the government really does not have this type of information that would be massively useful to industry. Oftentimes the information that they do have is delayed.
So the one probably best program that we have seen from the government is the Breach Notification Program, which the FBI currently runs. So when the intelligence community, either the NSA or other agencies, including the FBI itself, get wind that someone may be compromised, they go out — the FBI agents do and do notification to those companies. And oftentimes, as even we’ve seen in recent years, even those programs have not been very successful because rarely do they have very actionable information to tell the company that this is the machine that the attacker has targeted.
And in any large network, if the company does not have great resources to go hunt for those adversaries, they may not be able to find them. And we have seen numerous cases over the years when that’s been the case. But that’s been probably the most successful program.
And it’s fundamentally after the fact. You’ve already been compromised, potentially for months if not years. And sure, it’s better than nothing to know that you have been compromised and ultimately kick the adversaries out of your network. But by that point, the information probably has already been stolen. So that’s problem number one.
Problem number two is that a lot of organizations out there — in fact, the vast majority of the private sector actually does not have the resources and the capabilities to defend themselves, even if you gave them sort of the full blueprint of what an attacker’s going to do against them. They don’t have the technical capabilities. They don’t have the human capabilities often to actually face that type of threat.
We have numerous small businesses in this country that don’t have dedicated security teams, oftentimes that don’t even have dedicated IT teams. We have numerous even Fortune 500 companies that are not spending the needed resources on cyber security to actually be able to leverage that information, even if it existed. So for those two reasons, one that the government doesn’t actually have this magic pot of gold that we think it does to enable cyber defense and two, that even if they did and were to share it, that the industry would be able to use it effectively—the vast majority of it—I don’t believe that information sharing is the answer. And we can get back to what is the answer later on, Jamil, but I figured we should finish the debate on info sharing.
Jamil N. Jaffer: Yeah. No, I’d love to go to the latter part of the conversation. But let’s keep on this for a minute. So a few things. One, couldn’t agree with you more that the government’s role absolutely in the first instance is doing better in more deterrence.
A lot of people say that, “Oh, deterrence doesn’t work in cyber space. It’s just not made for it.” I completely disagree, and I think you agree with me on this, Dmitri, which is that deterrence can and should work in cyberspace.
It’s just we don’t practice it. We don’t talk about what capabilities we have. We don’t talk about what our redlines are. We don’t talk about what we would do to somebody if they crossed those redlines. And then even worse than all those things, when people do cross redlines with us, whether they’re in cyberspace or the real world, we rarely, if ever, actually enforce those redlines.
So to the extent that we create credibility around deterrence, we undermine it by not actually acting when people sort of fail to meet the things we’ve asked them to meet. So for a variety of reasons, I think that deterrence has not worked in cyberspace but not because it can’t but because we simply aren’t willing to do what it takes to actually effectuate deterrence in this space. So I agree with you 100 percent. The government needs to be clear about what it will do, what it can do, and that it actually needs to do that.
And by the way, it’s not just doing it and responding. It’s actually being seen to respond, doing so in a public way. Oftentimes we hear now through sort of leaks and rumor mill “Oh, yes, we conducted a cyber attack to respond to whatever, the drowning of a U.S. drone by Iran. We conducted a cyber attack in Iran, allegedly.”
Well, here’s the thing. If we don’t tell the world we did it and show the impact, then nobody else is going to be deterred. Let it drip out through leaks and the like. Maybe that has some effect, but I just don’t think that’s the kind of deterrence we need and want in cyberspace. So I completely agree with you, Dmitri, that that’s a key role of the government.
At the same time, I think sort of trotting out this idea that, well, because the government is inept at defending its own network, it must not have some valuable information. I think we’ve seen time and again that the government has information that it fails to act on. Intelligence is missed or mis-utilized. The government — and we’ve seen intentional abuses in recent years, but we’ve also seen just general government bureaucracy and incompetence. They often say that if you think something’s a conspiracy or a plot and it involves the government, more often than not it’s actually just sheer incompetence.
So the idea that just because the government’s regularly breached and that their cyber defenses may not be as good as some of the best in the industry doesn’t mean that they’re not sitting on valuable information, maybe that they have it. They don’t know what to do with it. It may be that they have it and, for whatever reason, can’t utilize it. It may be they don’t even know they have it. It may also be they just haven’t gone and collected it. And frankly, I think that’s part of the large problem, which is today the government is largely focused on a set of intelligence collection priorities that aren’t around the cyber threat to the private sector.
Now, the Cyberspace Solarium Commission did recommend that we rejiggle those priorities. We’ll see if that actually happens. But I do think that if you redirected the government’s collection priorities in this massive intelligence collection infrastructure that we’ve learned about in the post-Snowden environment — if you redirected portions of that to focusing on private sector cyber threats, I dare say we could gain some value out of that. But then the question becomes how do you then pass that to the private sector in a way they can act on it without undermining the government’s ability to collect that in the future.
So again, lots to be debated about here. And I totally get your point, Dmitri, about how they may not have sort of the pot of gold, right? But I think there is some gold to be had, and maybe part of the debate between us is just how much time you spend trying to get that gold out of the pot and chase that end of the rainbow.
As to your sort of second point about what industry can do about it — and the posture I completely agree with you that today industry isn’t structured in a way and doesn’t have the resources, some because they haven’t committed the resources but most because they just — not the business they’re in. They can’t afford to spend the kind of money it takes and effort it takes to defend against these threats, whether they’re small or medium size businesses, the real engines of the American economy, or even larger Fortune 500 businesses that simply haven’t made the commitment of resources in this way. And those, they have larger and separate issues.
But I think the answer to that, again, comes back to this idea of collective defense where, if you can partner up a number of small companies in the supply chain with their larger company-based supply and that company can provide some amount of support down, “Look. We have a 200-person security operation center that’s look at cyber threats all the time. We’re going to tell you about decisions we make, and you’re going to be able to implement those decisions in your companies, these smaller 10-, 50-, 100-person small government contractors or suppliers to big chain Walmart and Target and the like. And you can simply implement this, and you have the capability to do that. You don’t need the big IT team. You don’t need a security operations center. We’ll take care of all that for you.”
So I think creating that capability to do that may actually help us a lot in some of these spaces. But I am still interested, Dmitri, on other ideas you have about how we might solve some of these problems, so back over to you.
Dmitri Alperovitch: All right. Well, I’m glad that we agree more than we disagree. And I think it does come down to the tradeoffs. Absolutely, if doing information sharing, both reorganizing the government for it, creating a regime that encourages and incentivizes information sharing was easy, one, it would have been done a long time ago. And the reality is it’s not, and there’s some really thorny issues here, including legal ones that make this very, very challenging.
And the main point that I want to argue is that instead of spending another decade or two decades trying to solve those issues, our efforts are probably best spent on other things that can give us more bang for our buck. Again, we’ll live in a world of limited resources, limited time, limited attention span. We can’t do it all. And we should focus on the most impactful things, first and foremost, which in my view is actually deterrence.
And there, I think we completely agree, Jamil, that we have not practiced effective deterrence. I think you could debate whether a clear articulation of redlines is helpful or not. You could argue that by doing that you actually tell the adversaries that they can walk straight up to that redline and not cross it, but everything below it is fair game. But at the very least, when they do cross those redlines, whether it’s a destructive attacks like NotPetya or the massive theft of intellectual property that we have witnessed over the last two decades, there needs to be a clear response.
And the response needs to be tailored to individual countries and individual circumstances. So your response to China will not be the same as your response to Russia, even if they’re doing the exact same thing in cyber, just because the leverage points are very different. And our economic interdependence and our ability to influence their policy just needs to be very, very tailored to the particular threat actor that you’re trying to deter and what actions you’re trying to deter as well.
So I think on China we’re actually coming to a really sensible deterrence policy where we realize that what is happening and what has been happening over the last two decades is actually not cyber activity. At the end of the day, what China’s been doing to us is engaging in economic warfare, of which cyber was actually just one small piece. But other things that they were doing in the economic sphere, in the trade sphere by violating their trade agreements, by manipulating their currency early on and so forth has all been part of this economic warfare that they’ve been waging against us and our allies. And the right response to that is economic and, ultimately, in the trade sphere and sanctions and the like that the administration’s now pursuing.
So we need to find the similar types of points of leverage with other countries to make sure that they realize that there’s a real cost to doing this. And with some countries it will be easier than others. Very little we can probably do against North Korea given that our leverage against them is minimal. But with other countries, we do have leverage, and there’s clearly things that they don’t like us doing. And we need to start engaging in those types of activities.
And I think the problem has been, in national security policy for the last two decades, is that cyber has not been part of the conversations in the Oval Office, even when some of these major attacks have taken place, and have not risen to the level of urgency to trigger a response. So even when a major attack on Sony occurred from North Korea that was devastating to Sony — and President Obama at the time came out and spoke about the great attribution that the U.S. government had on who did it in North Korea, there was no visible response to that.
So the only thing that happens when these types of events occur is that you just tell both that country, the perpetrator, as well as every other enemy that we have that those types of things are okay to do. And the only thing you’ll get is a public slap on the wrist with no real repercussions. So I would rather see our country do a lot more in this space, first and foremost, to try to actually limit the threat level that is facing our industry.
Secondly, on the defensive side, I actually think that we need some regulation. I think it’s well past the point where we can expect these companies who have suffered devastating breaches that have impacted both our national security, as well as our economic security—and impacted the personally identifiable data of literally every single American probably ten times over—to expect that they will do the right thing just out of the goodness of their heart. And we need to actually get them to start caring.
I can tell you I’ve worked on tons of major breaches that have occurred and been on the front pages of newspapers over the last 15 years. In virtually every single case, the root of the problem — not sort of the technical root of the problem, but the fundamental reason for that breach was that the board of directors and the CEO really did not pay any attention to cyber. And many of them unfortunately, from my experience, even after experiencing a breach, still don’t pay much attention to cyber because the cost to them are minimal in the grand scheme of things of the overall business, or those costs will be paid over many, many years, at which point the current leadership that’s in place in that company may no longer be in charge.
I’ve literally had major Fortune 500 executives tell me that, while they don’t like the fact that the Chinese are stealing all their IP, they believe that the effects of that theft will manifest themselves over five to ten years, at which point they may no longer be at that company. And that is why they’re not spending much time focused on this issue. So clearly the market has failed to address this with the right incentives because a lot of these problems are longer term and not sort of the short-term view that the market punishes. And we need sensible regulations, lightweight regulations that are not prescriptive but are actually effects driven and that penalize companies that do not do the right things when a breach occurs.
Jamil N. Jaffer: Well, look, I agree with you on the former and definitely not on the later. So this will be a good point for us to debate a little bit. So one, on the former, look, I think you’re absolutely right. The government can or has to do more to go after and reduce the threat level — the overall threat level coming at us. We haven’t done enough in this space.
I’m glad that you rightly recognize the threat posed by China and the broader sense, that it’s not just a cyber threat, that it’s a larger threat they pose to our nation and an increasing threat. And in a post-COVID environment, in fact, I actually think that the situation is worse, not better, because they’re coming out of it a little sooner than we are, although there are some debates about whether there’ll be a second wave and the like. And they are appearing to come out of it somewhat stronger than we are.
And frankly, we have been divided as a nation. We continue to be divided as a nation on this threat, as well as on our sort of larger agenda as a country. And China, for better or for worse because of it’s political system and the way it operates, has less of those challenges. And at least as a government, it can effectively operate much more aggressively and in a much more forward leaning way.
It makes them less flexible, makes them less agile. It makes them less capable to innovate, which are problems that they’re starting to solve very rapidly. And that’s something we shouldn’t miss.
So I agree with you. Deterrence is critical. The government has a much bigger role to play there. And if we’re going to spend time on something, that’s where we should definitely spend a tremendous amount of time and energy on.
On this issue of regulation, it’s not going to surprise anybody on this call who’s ever heard me talk before that I am not the first person to reach for the regulatory stick, and I don’t think you are either. You’ve been in the industry for a long time. You’ve seen this from the industry side of things. And you recognize that private businesses thrive when regulation is limited, particularly — and that’s no more true in any industry than the technology industry, which has been so productive and become this engine of growth and innovation for the American economy precisely because the government has stayed away from regulating it and stayed out of the business and has largely let it develop on its own and grow and thrive.
So I do worry about government regulation for a number of reasons. Number one, as a general matter, you reach for the regulatory stick when all the other things like carrots have failed, when incentives has failed, and when the market has failed. And I think that, one, I’m not convinced — and I know you are. And I think it’d be interesting for us to debate why we think this.
But I’m not convinced there’s actually a market failure here. I actually think that we may very well be investing at a rate that’s low, as you correctly described. But to me that’s because we lack information. And we come back to this issue of I think there’s still a fundamental gap between what experts like you understand as the threat to companies and the way that industry sees it.
And I think that that’s been changing over time, and I think we’re seeing some correction there. But I think there’s still a lack of information in this marketplace. So it’s not that the market’s reaching bad results. It’s the market’s making decisions based on bad information. So the more we can get the right information, more transparency into the marketplace, more data about these threats to the marketplace, I think that’s going to help a lot. And again, there I think the government has a role to play in part based on what it knows about what the threats are to the nation.
But then on top of that, I think that the government hasn’t really tried the incentive approach, the sort of carrot approach. So I would not be trying to reach for a regulatory stick when you have carrots available: tax incentives, other economic incentives that might motivate companies to do the right thing, disclosure rules. We’ve now seen disclosure rules by the FCC. I think that’s had a salutatory effect. I also think you’re right that it’s not breach disclosures, but I think that now materiality and potential question of cyber risk is becoming something that’s been looked at. So I think that’s a more gentle regulatory approach if you’re going to take one that might be the first thing to do than reach for sort of a “You must do X and Y.”
The other thing I think the — pointing out government — Dmitri, as you mentioned, the government’s not particularly good at cyber. The idea that the government itself could come up with a regulatory measures, even these independent agencies, with regulatory measures that would stand the test of time for even 30 seconds in the way that industry innovates and changes over time I think is laughable. And I think what would end up happening is that as you create these regulations they’ll be outdated by the time the ink was dry. And then people would end up having a compliance culture.
They’d go to that regulatory line and do that bear minimum and then ultimately actually be less safe because they met the regulatory minimum, aren’t doing what they actually need to defend their networks and their systems, and ultimately failing as a result. So I have a lot of reasons why I think regulation is exactly the wrong approach to take. And look, there are times, rare in my view, in which regulation is the right thing to do. But in a highly innovative, rapidly evolving environment like this where we know there are information failures, where we know that the carrot has been tried, the last thing I would do is reach for the regulatory stick.
Dmitri Alperovitch: Let’s talk specifics. I want to propose one regulation and get your comment on it. Before I do that, though, I have to say I completely disagree with you on the information failure, given that you can’t open up a newspaper these days and not read about a major breach that’s occurred in one company or another in every part of our industry. So I don’t know how there’s any executive out there sitting in middle America right now that doesn’t think that cyber’s a big problem. If they are, they should really open up a newspaper because they’ve been literally overwhelmed with that type of information over the last certainly decade plus.
But let me propose one regulation. So I agree with you it can be prescriptive. You can’t tell a company, “Here’s the three things you need to be doing,” because, one, those things may not be tailored to that company. They may be counterproductive, and they may be obsolete before the ink even dries on that regulation.
But let me suggest one that focuses more on incentivizing them to do the right thing through liability. So if the regulation said that you, as a company — and you have to define, obviously, the set of companies for whom they would apply. It probably wouldn’t apply to your neighborhood bakery, but it would apply to, let’s say, public companies, maybe some critical infrastructure. You have to define what that subset looks like.
And for those types of companies, you’d say, “You have to track certain types of metrics about the effectiveness of your cyber security program. And you don’t even have to report them to the government. In fact, don’t report them to the government because the government is so bad at keeping secrets that if you were to report it to the government and the government were to get hacked they would literally give the blueprint to the hackers of which companies are not doing well.”
“But you track it internally. You report it to your board every single quarter so the board is fully aware not just of where you are at in terms of your baseline but where you’re headed quarter over quarter. Is the trend improving? Is it actually going in the wrong direction? And then should a breach occur, that information would be disclosable in a lawsuit from either shareholders or customers or whoever is impacted by that breach.”
“And then you can actually show negligence. If you can show that the board clearly was aware that their cyber security was not up to par to where the rest of their competitors were or actually was going in the wrong direction and they took no actions, then they’re liable. The board is liable, the executive team, and the damages triple as a result or what have you.” So how do you feel about a regulation of that sort?
Jamil N. Jaffer: Well, I think the devil’s always in the details on a regulation like that. I think, as a general matter, I’m supportive of government measures that create transparency, put more information in the marketplace about what companies are doing and how they’re operating. So I’m not opposed to more disclosure requirements about decisions that corporate boards are making that are material to public companies or the like.
I do worry about liability rules that create additional liability, particularly if they create liability individually for corporate officers or directors. It’s one thing to create liability for a company. That’s something that can be baked into your overall earnings and your risk posture. If you’re starting to create individual liability for individual directors or officers, even though they have D&O policies, director and officer liability policies, that can be a lot more challenging.
It’s going to de-incentivize people to take those jobs, and you’re going to get less qualified, less capable people in those jobs. And that’s the last thing we need. I think you and I would agree on that.
But let’s talk about creating liability for a company, which I think is what you’re essentially talking about. To me, the idea of creating liability — it’s not clear to me we need to go down that road right now. Why not try — disclose the information? And I don’t mean disclose the specific way you measure up because obviously that would create opportunities for people to take advantage — but create disclosures about material risks that you have. Is cyber a risk for you? And if it is, how big a risk and how are you mitigating it? And what are you doing to address it?
These are the kinds of things that the FCC regularly engages in, requiring public companies to do. No reason to think that that can’t be as effective a tool and let the marketplace weigh it. Then, if the stock takes a hit because they disclose the material cyber risk, okay. And if it doesn’t account for it, well, then the market doesn’t care. And then ultimately they’ll pay the price later on, or maybe they won’t pay the price. We’ve seen the record has been somewhat mixed on whether companies that are breached pay a big significant stock market price. Some do and some don’t. So — go ahead. Jump in.
Dmitri Alperovitch: In that mix, in every single case of a major breach, the company’s stock bounces back very rapidly, and there’s no long-lasting effects.
Jamil N. Jaffer: Right. So even more interesting, right? So what does that tell us? Does that tell us that maybe it’s not as big a concern as we think, or do we think is the market wrong or stupid?
This is why I think that there might be an information gap because, if clearly the markets are reaching a clear result, Dmitri, that you and I don’t agree with, even when they have the relevant information — they know there was a breach. They know there were failures on behalf of whatever it was management or whomever, and yet they don’t make a company pay a price. So the question becomes, well, why is that?
And it’s not clear to me that the government’s in the best place to say, “Oh, you know, we know why. Industry is wrong. The market is wrong. Everybody is wrong. We, big brother, the government, know better. Let us come in and help you solve this problem by creating a liability rule that allows lawyers to get rich.”
You know how these lawsuits work. We’ve got a lot of lawyers on the phone. The way these class action lawsuits work is the lawyers make a lot of money. And I’ve been on the plaintiff’s side in a lot of class action lawsuits. The lawyers make a lot of money. The plaintiffs get some minimal recovery, and companies pay a big price.
And I’m not sure that’s something we want to create an incentive for in this particular arena. That’s at least my gut instinct. I do want to hear what you have to say, Dmitri. But then I think, Colton, we probably have to go to questions after Dmitri gets the last word in. Is that right?
Colton Graub: You guys are more than free to keep on riffing.
Jamil N. Jaffer: Okay. Cool. Dmitri?
Dmitri Alperovitch: I think we’ll get some good ones. But let me just quickly address the issue that you highlight. I completely agree with you, Jamil. The problem really is that the market is looking at this in the short term.
In the short term, if a company is manufacturing really amazing technology, has their IP stolen by China, that’s not going to manifest in the earnings returns of that company this year, next year, or probably even the year after. But five years from now, ten years from now, that company may very well go out of business because a competitor in China now has short circuited their R&D. They can build up market share, initially probably domestically and then later expand internationally, as we’re now seeing with Huawei.
The telecommunication industry in this country and across our allies have been targeted by the Chinese from the early 2000s. And only now are we seeing Huawei and other Chinese telecom companies 20 years later achieve the kind of dominance that we’re sort of sitting back and saying, “Well, what just happened? Why don’t we have any American companies that are providing any key 5G technology?”
Well, what happened started 20 years ago, and no one paid any attention to it because it took a long, long time for that to manifest. And we’re just not good at thinking about the long-term. And I think that’s where the government is much better than the markets. The markets don’t care about what happens ten, 20 years from now. They care about the next quarter. But the government should absolutely care about national security and economic security, and that’s why it should be stepping in and correcting these market failures.
Jamil N. Jaffer: Well, I think that’s interesting. So I couldn’t agree with you more on the Huawei issue and the fact that we totally failed as a nation on that. But the idea that the government knows better on long-term — on the long-term perspective, I’m not sure that’s right.
I’m not sure markets can’t account for long-term gain or loss. I’ll agree with you that, sure, immediate price fluctuations up and down do turn on sort of earnings reports and the like. But long-term values of companies, I think, is measured in the marketplace, and that’s built into stock prices and values. And there’s all sorts of economic analysis on this sort of thing. We could debate the esoteric economic questions here.
But I think on the question whether the government has a longer-term view, I think fundamentally, honestly, the problem is not one of industry versus the government. It’s actually American sort of — so sort of the view of the world that we have as Americans, what makes us so innovative, versus the view that the Chinese and the Russians take, a much longer-term view. We in America — part of what makes us so innovative is we think about tomorrow, the next day, the next week, the next month, the next year — maybe two years out.
We’re not looking at five, ten, 20 years. And we’re certainly not looking at the 100-year plan. The Chinese on the other hand I think do have a 100-year plan, and they have a long-term strategy. And they are executing on that.
Now, I think we as a nation could benefit from that. I’m not sure the government is the right entity or is even capable of doing that. I think the government would completely get it wrong, frankly, if we left in their hands to figure out what the future was going to look like 10, 15 years out. They’d just guess wrong. So I’m much more comfortable with finding a way to incentivize industry to take that into account.
And maybe there are incentives we can come up with or ways that we can account for that. I have more faith in the markets than perhaps it sounds like maybe you do on this one. I won’t disagree with you that — you’re right. The data, as you’ve laid it out, suggests that the more immediate concerns are what drive day -to-day fluctuations. I’m not sure long-term value isn’t built in. Back over to you, or if you’re good — yeah. Jump in.
Dmitri Alperovitch: Well, Jamil, just one last comment. I don’t know how you can faith in the public markets when, year to date, they’re down about 3 percent when we’re in the midst of the highest unemployment we’ve seen in this country in 100 years and probably heading for a depression. So I think it’s example number one in the failures of the market, at least in the short term, to account for challenging problems.
Jamil N. Jaffer: Let’s talk about that for one — give me 30 seconds on that because I do have one thought on that, and then we’ll go to questions. So the one thought I would have on that — there’s two things I would say — not one, two things I would say to that.
Number one, there are times at which markets get frothy. We all remember the Alan Greenspan irrational exuberance comment. And I think we saw that happen in the housing market back in the early 2000s and the like, in the mid-2000s. We saw some of that. So there are times at which markets are overenthusiastic or over-projecting.
I think the current market is partly that, but I think also partly that I do think that there is economic value in the current environment. I realize it’s a tough time for a lot of folks. I’ve had friends and family members who’ve been affected by the disease and the like and people’s business obviously suffering greatly.
At the same time, there are — there is a lot of capital out there running around looking at where to go and what the next opportunity might be. And oftentimes, out of some of the greatest economic travails we’ve faced — whether it was the oil shocks of the ‘70s or the Depression in the ‘20s, we have seen economic booms come out of those — or boom-lets at least come out of those. So part of that might be what the market’s accounting for in this also.
I do agree with you that’s it probably overenthusiastic about that. But I wouldn’t say — I don’t know that we’re gearing up for as massive a downturn as a lot of people are predicting. So we’ll see how that all plays out. But Colton, back to you for questions from the audience if there are any.
Colton Graub: In the meantime while we wait for our first question, Dmitri and Jamil, if each of you had a magic wand, how would you try to solve cyber security and public-private partnerships?
Jamil N. Jaffer: Well, Dmitri’s wand is going to be the regulatory stick. Right, Dmitri?
Dmitri Alperovitch: Well, there’s going to be a few things. And I think the Solarium Commission—and I had the opportunity to chat with them extensively over the last year—has a lot of great recommendations. To me, I kind of look at this in three separate areas.
So one is the government itself. The fact that the government itself is spending so little time actually on protecting itself and the fact that it’s sort of unsexy topic in the halls of Congress I think is unconscionable. The first responsibility of the government is to actually protect our national security, and it’s doing a miserable job of that. So before the government goes to industry and tells them anything, they should be focused on that.
I think we need to centralize responsibilities of CISA, the cyber security agency that’s within DHS, to actually have authority to become sort of the CISO, if you will, the Chief Information Security Officer, for the federal government — being able to provide security services to most agencies, not necessarily the intelligence community, not DOD, not some of these larger agencies. But Bureau of Land Management will never be great at cyber, with no offense to the great folks that work there. But they’re just never going to be able to attract the great talent that you need to defend those networks. And there are numerous, probably thousands of agencies like that across the federal government that we need to just remove their authority to do cyber security and give it to a centralized agency like CISA.
Similarly, Cyber Command, which was set up almost ten years ago now, needs to actually be given responsibility to protect DOD networks, which today it largely does not. It’s still the responsibility of different services and commands. That’s an easy thing for the Secretary of Defense to issue an order tomorrow to mandate that all cyber security efforts be centralized within Cyber Command. I think that’s a no brainer. So those are some things on the government side that I think are really key.
On the industry side, I think it is all about incentives and sticks to motivate companies to do the right thing. And look, my sort of jaded view on this, Jamil, is literally from several decades of working with industry and responding to these breaches and being just so disheartened not necessarily that these breaches occur but looking at what happens after that breach, where, inevitably, in 90 percent of the cases the company goes back to the state of normal, which is doing what they were doing before the breach and kind of moving on. Very few take sort of the opportunity to say, “You know what? We’re going to take this as an opportunity to reform how the entire company works and does business and think about how we prioritize cybersecurity.” So that’s why I don’t think that the market is responding well to this issue. And that’s what we need to focus on.
And then just on election security, I think paper ballots and audit vote fail for voting is really, really crucial. We need to have faith in our elections. And the only way to do that is to be able to take sort of the electronic threat out of it. And audits that can be enabled through paper to make sure that no shenanigans have taken place is really the number one thing that we should be doing to protect our elections.
Jamil N. Jaffer: Yeah. And I’ll jump in on that last — sorry. Go ahead.=
Dmitri Alperovitch: No, I was just saying there are many more, but those are the key ones in my mind.
Jamil N. Jaffer: No, I think that’s a great list. And Colton, jump in if you do get a question from the audience. If not, we’ll continue. But look, I think on the election piece I agree with you 100 percent. I think that auditable elections are key. We’ve never really had those. And a paper trail is necessary. I’m not sure if by paper trail you meant just sort of a record of what the votes were in the box as opposed to sort of actually filling out on of those old paper ballots where you put an X, or you punch something in.
Dmitri Alperovitch: Yeah. The voting itself can be on a touchscreen, but then when you select your vote, it prints out the ballot. You can check it. It can be handed in, and if a hand recount needs to happen, there’s an opportunity to do so.
Jamil N. Jaffer: Yeah. I think that’s right. I think that having the backup of a paper audit trail is critical. And frankly, I think it’s critical that we spot check those and we have auditors come in and it sort of be a requirement that every state audit its elections and have them sort of certified.
We expect that out of public companies. We should expect that out of our electoral system. There’s no reason that can’t be done and can’t be done well and effectively, both ahead of time to make sure the system is good and after the fact. I think those are totally appropriate and necessary measures and actually buttress the right to vote and, by the way, ensure that — there’s a lot of concerns — people have different views on this — about whether voter fraud is an issue.
I tend to think there are some serious issues of voter fraud, but there are people who debate the issue. But having auditable elections helps address some of that, too. To the extent you have voter ID laws and the like, that part of the process can be audited also. So I think there’s real benefits to having an auditable system.
And I’m not sure why that’s so controversial or why that’s so hard to do other than states generally control elections. And we benefited from states controlling elections in the sense that we have a more diverse range of systems and the like than we otherwise would. But I do think that at this point it is important because of the impact that state control over elections is having on federal elections — that we ensure that, if states are going to get federal funds for a variety of purposes, but particularly for election purposes, that they ought to make their elections auditable and have them certified by sort of standard outside auditors.
So then, I think going backwards from there to the questions about the government and the like and who can do what in this space, I think at the end of the day, if I were to pick that magic wand or that sort of one thing, I think it comes back to — like you said, it comes back to the Cyber Solarium Commission report item which is this idea of collective defense and the idea of really building that relationship between companies, individual companies, one to the other, individual industry sectors one to the other and then industry sectors and industries writ large with the government to really work together and collaborate in real time, constantly, all the time on defending our nation in this environment because this is a whole nation problem. We don’t treat it as one today, and I think that’s part of the problem.
And I do think information sharing is one small piece of that, but I don’t think, as you said — I think you’re right to say it’s not the panacea. But it is a part of the larger collaborative effort that needs to take place. So I’m less — I am a believer in the need to do some of the fixes that you talked about, the issues about fixing the way the CISA works and really empowering DOD to have the authorities it needs, both to take action against threat actors overseas but also to do the defense at home. I agree with you 100 percent on that.
But I’m also not as convinced that sort of the government boxology is the most important thing. I think the most important thing, because, at the end of the day, the private sector’s on the frontlines of this defensive effort, is really trying to convince—and I don’t know how much of it is advocacy and how much of it is economic incentives and tax incentives and the like, sort of at opposite sides of the regulatory stick—to get people to work together and collaborate and do that effectively, both across industry and with the public sector. So that’s where I’m at on the magic wand. Colton, back over to you either for any questions or to wrap up.
Colton Graub: Awesome. Yeah. Thank you. So we are approaching the top of the hour. We do have a question, so I’m going to go to that now.
Robert Barker: So this is Robert Barker in Atlanta calling basically from the securities law point of view. The securities law have long said and required as part of disclosure controls and procedures that boards of directors look at cybersecurity threats. And you seem to be saying that that’s not working, which I think is right.
Although, if you look at the corporate governance blogs and everybody — all the people who are advising boards, they’re always telling them, “Why don’t you go out and get a cybersecurity expert on the board?” And the boards have done that. They’ve put cybersecurity “experts” on their boards. But an expert in cybersecurity who’s on a board of directors is probably not keeping up with their cybersecurity. In fact, they may be in retirement from that practice, and they may not even be up to date. So that might not be the right thing to do.
The FCC’s put out guidance as late as like two years ago there was some guidance put out on what the boards should be looking at. But what should the — what are the key metric — and you talked about metrics. What are the key metrics that a board should look at when trying to say, “Do we have an adequate security? Should it be — have we been breached in the last year? Do we have things that we don’t want to be shared in China five years, 10 years from now?” What are the metrics that the board needs to know? And how can you make that a list of questions or checklist or something that actually works? Because your argument is it’s not working.
Dmitri Alperovitch: Yeah. That’s a great question. Just really quickly I think we have a minute left. But I don’t believe that boards need to have cybersecurity experts. I’ve never seen a board that has experts in sales on it, but yet every single board member understands whether the company made their numbers or not.
So you don’t need to be an expert in a particular area to understand how well you’re doing. And that’s really the responsibility of the board. They shouldn’t be deciding what technology the company should be buying or who they should be hiring. That’s not the responsibility of the board. Their responsibility is oversight and correcting issues as they come up.
So I’ve been a big believer in speed-based metrics in cybersecurity. I think ultimately, effectiveness of a cybersecurity program is all about how fast you are at doing three things: at detecting a threat, investigating that threat, and mitigating or containing that threat actor once you’ve investigated. And if you think about hygiene and everything else that actually applies to that speed enabling you to do these three things much faster. And if you’re faster than the attacker is able to accomplish their objective, then there is no breach, and you’ve contained the problem before there’s an issue.
So I’m a huge believer in using those three metrics: measuring how fast you are at detecting, investigating, and responding, both in simulated cases — every company should have a simulated resting exercise every quarter to test their defenses. And you can measure the response times — a routine for that, and then obviously real incidents as well. And then you can sort of track this quarter to quarter, see if it’s improving, set goals for your security team that they have to meet, and hold them accountable if they don’t. And that’s ultimately the responsibility of the board. It’s not their responsibility to tell them how to do their job, but it is to make sure that they are doing the right things.
Colton Graub: All right. Thank you, Dmitri and Jamil. I know that we’re a bit over on time. Do you have any quick final thoughts for our audience before we wrap up?
Jamil N. Jaffer: No, good from my end. Great debate, Dmitri. Thanks for doing this with me. Really appreciate it.
Dmitri Alperovitch: Likewise, lots of fun. And thank you, Colton and The Federalist Society, for having us.
Colton Graub: All right. Thank you both for joining us. We are all very grateful for you for your time today and for our audience for joining us. We welcome listener feedback by email at RTP@regproject.org. Thank you for joining us. This concludes today’s call.