Rethinking the Role of the Foreign Intelligence Community in Promoting Cybersecurity
Despite escalating concerns associated with cybersecurity and the open Internet, coordinated responses and comprehensive strategies to deal with mounting challenges have been understandably slow to develop. The Internet environment is a distinctly shared space: it comprises many interdependencies among public and private actors, and governance of some central functions has been distributed among many parties, government and private, and undertaken by consensus and practice rather than formally and by fiat. While a high proportion of Internet infrastructure is private, and government has carved out a central role in cybersecurity, action taken by government and corporate actors has been highly fragmented. Further complicating matters, trust in government -- in particular the intelligence community -- to address the mounting concerns around cybersecurity is at a low point. Moreover, engagement by civil society groups and academia has been notably lacking, beyond noting the impact on individual freedom of particular security proposals. Comprehensive cybersecurity frameworks that recognize and build upon the distributed and generative nature of the Internet have not received adequate support, and suffer from a lack of coordination. Basic cybersecurity vulnerabilities are not sufficiently owned by any combination of parties, and actions by stakeholders may not be sufficiently considered with an eye to changes in systemic risk that those actions could cause.
Launched in December 2014 with support from the Hewlett Foundation and led by Jonathan Zittrain, former US National Counterterrorism Center Director Matt Olsen, and cryptographer and civil liberties author Bruce Schneier, the cybersecurity project will engage in a clean-slate evaluation of the set of responsibilities related to foreign intelligence gathering, which has expanded to include the exploitation of cybersecurity vulnerabilities. In this project, we aim to identify concrete steps to clarify roles and boundaries for the intelligence community, the corporate sector, academics, non-profits, and individuals; to examine how cybersecurity risks are conceptualized and assessed by governments and companies, particularly companies with global operations; and to rebuild legitimacy and public support for cross-sectorial cybersecurity policies and practices.
Part of this effort will necessarily be focused on properly framing and defining the issue. More work is needed to develop a coherent framework for understanding cybersecurity in order to develop a systematic and holistic approach for addressing cybersecurity-related problems and the intersection of these challenges with the threats to the open Internet. We wish to cut through the thicket of competing definitions and narratives describing the contours of the issue, and to develop a common language for discussing these issues across different sectors and disciplines.
The core team will iterate quickly in the first three months to develop categories and frameworks that will then focus our attention, helping us and, we hope, Hewlett to assess and evaluate alternative approaches to understanding and ameliorating problems in this space. After about three months, and with the additional intellectual horsepower of the co-chairs to be recruited, we plan to check in with our framework and related priorities that emerge from that process. While the central objective is to reconsider the role of the intelligence community in cybersecurity, we also believe that it is important to identify mechanisms to strengthen the role of civil society and academic groups, which we maintain is a prerequisite for greater coordination with government and private sector groups currently working on cybersecurity and open Internet issues.