By Claire Zalla and Claire Kalikman
There hasn’t been enough carnage.
This was the prevailing impression underpinning discussions at the recent Yale Cyber Leadership Forum where preeminent thought leaders from multiple disciplines and professional backgrounds gathered to address threats to our cybersecurity, a word which repeatedly is becoming synonymous with security.
The industry expected events like the data breaches of Equifax, Yahoo, and Target to be the catalysts that awakened people to our vulnerability to cyber threats, but it was disappointed. The underlying current at an otherwise relatively hopeful event was that in order for real change to occur, it might take an attack to hospitals, to the healthcare system, to the internet of things that are increasingly becoming installed in our bodies. People might have to die to get others to pay attention.
The goal of the Yale Cyber Leadership Forum was to bridge “the divide between law, technology and business in cybersecurity, and expose participants to effective approaches to recognizing, preparing for, preventing, and responding to cyber threats” (Yale Cyber Leadership Forum). Accordingly, the Forum was attended by a plurality of experts and leaders with backgrounds in cybersecurity, technology, and intelligence, but also the financial sector, academia, healthcare, law, politics, and public policy. Enrollment was limited to a small group of roughly forty attendees who were accepted by application, and each was positioned to take an active role in tackling current and future challenges in cybersecurity.
Occurring from April 7-8, 2018, the Forum was arranged in collaboration with the Yale Center for Global Legal Challenges and the Yale Office of International Affairs along with knowledge partner McKinsey & Company after being met with success last year. It was directed by Oona A. Hathaway, Gerard C. and Bernice Latrobe Smith Professor of International Law and founder and director of the Center for Global Legal Challenges at Yale Law School. The forum was preceded by The Kissinger Conference: “Understanding Cyber Warfare and Artificial Intelligence” featuring the honorable Dr. Henry Kissinger, Former Alphabet Chairman and Google CEO Eric Schmidt, and Former Secretary of Defense Ashton Carter. This event started the conversation by discussing the changing landscape of national security and international relations while the forum continued the discussion by considering interdisciplinary challenges and possible solutions.
The forum featured expert panels, keynote speakers, and breakout sessions wherein the attendees divided into small groups to discuss niche topics of interest, such as the internet of things or the “going dark” debate. The original list of speakers was expanded to include two female speakers after the conference received backlash for planning an all male lineup. Topics of discussion included the technical threat landscape, the regulatory and legal landscape both at the domestic and international levels, and challenges in bridging the divide between different disciplines and the private and public sector.
To encourage free discussion, the Forum took place under the Chatham House Rule which allows for the free use of information received, but not for its attribution to any person, affiliation, or organization.
In a highly digitized world, cyber action has become a standard tool for a nation state to accomplish a given goal, along with political and economic action. In many ways, it is actually more attractive than traditional avenues because cyber tampering is difficult to attribute to a particular source.
As one panelist put it, spying is illegal everywhere, but everyone does it. The most active threats to the United States are Russia, China, North Korea, Iran, and certain criminal groups who have used technology to their advantage by spreading misinformation, stealing innovations to boost business, and generally hacking security. North Korea even allegedly digitally stole $81 million dollars from the Bangladesh central bank’s account at the Federal Reserve Bank of New York.
Because of the high level of digitization integrated into the United States, the country is one of the most vulnerable to cyberattacks. According to one panelist, cybercrime has replaced terrorism as the number one threat to the US. In the last few years, several highly visible cyber attacks have occurred such as the Democratic National Convention hack in 2016, the Russian disinformation campaign, the US Office of Personnel Management data breach, and the Sony Pictures hack.
One of the topics of discussion was the reason for our vulnerability to cyber attacks. After all, encryption, the process of encoding information with a cypher, is a very effective tool at protecting data. However, the problem appears to be not with encryption itself but with its deployment. Strong security and privacy technology has been available for a while, but it is not a panacea because security and privacy are not purely technological problems, but also legal, business, political, and social problems. Encryption is only effective when decision makers deploy it, use it correctly, and keep the keys safe.
Furthermore, law and policy makers are struggling to keep up because technology is changing very quickly and can be difficult to understand. As discussed at the Kissinger Conference that preceded the forum, with artificial intelligence becoming more prevalent, how does one program ethics into a computer when no one knows what those ethics should be?
Moreover, the priorities of the private and public sectors are sometimes competing: the private sector drives innovation, and the government creates new opportunities for growth, defends infrastructure, and generally protects the population. For this reason, the government discourages the private sector from “hacking back” when facing a digital threat because of possible liability accrued should the company accidentally take down another target instead of the perpetrator. There is also the risk to national security if the counterattack is interpreted as the United States initiating an act of war. Collaboration is essential both to allow technological and corporate growth while also protecting companies, American citizens, and their personal information. Technical expertise needs to be combined with legal and political savvy during the decision process. One solution proposed was the United States “outcasting” bad actors, such as a company stealing formulas or inventions, by limiting their access to US markets.
As much as cybersecurity appears to be the concern of the government and engineers, the power truly rests with the people, those using the platforms or hiring private cybersecurity firms to protect data. For now cybersecurity is mostly reactive, not proactive. One panelist estimated that 80% of the money spent on security is spent on reactive measures, which are roughly 5% effective, and only 20% on proactive measures. Also discussed was a problem with an increasing number of new and untested cybersecurity firms that focus more on marketing than having the best security. Encryption and strong security are expensive, so companies are reluctant to invest in them unless the public demands it. Security and privacy will only improve if consumers decide that it is important to them. There is no need to wait for more “carnage” or a “digital 9/11” before demanding protection.
Claire and Claire are both rising sophomores. You can contact them at firstname.lastname@example.org and email@example.com.