Biden cybersecurity strategy a positive step, ASU expert says

Global Security Initiative Executive Director Nadya Bliss says incentivizing security is right approach


Graphic of a lock with binary code printed on the background.
|

The Biden administration outlined its vision for a more secure cyberspace Wednesday with its release of a National Cybersecurity Strategy.

The strategy places more responsibility on software developers and other institutions to have safeguards in place that ensure their systems cannot be hacked.

The administration also announced it is proposing legislation that would establish liability for software-makers that fail to take reasonable precautions to secure their products. Additionally, the administration wants to incentivize businesses and developers to invest long-term in cybersecurity.

ASU News talked to Nadya Bliss, executive director of Arizona State University’s Global Security Initiative, about the administration’s plan.

Editor's note: The following interview has been lightly edited for length and clarity.

Woman's portrait

Nadya Bliss

Question: What are your general takeaways regarding the new strategy?

Answer: The fact that there is a huge emphasis on incentives is incredibly positive and optimistic. One of the biggest challenges with cybersecurity, and this is something that I’ve thought about for more than 20 years, is that generally we design everything with capability first in mind and security second. If you think about how the market functions, everybody wants the next best thing. As a result, we have this system that is really not designed for security.

Second, I think it is incredibly positive that the strategy has focused on prioritizing the burden for cybersecurity on sectors and companies that can bear it because right now too much of cybersecurity responsibility falls on the individual. You really don’t want to have significant vulnerabilities hang on individuals.

Finally, if you think about the future of cybersecurity, the strategy highlights a few areas. Things like post quantum encryption systems, artificial intelligence, biotechnology, clean energy, all of those have significant cybersecurity aspects. Sometimes they’re positive for cybersecurity, sometimes they increase the attack surface. So I think the outlined research initiatives is another important aspect of the strategy.

Q: How much of a difference do you think offering incentives could make?

A: That’s a fabulous question and precisely the right question to ask. I think there is a significant benefit to elevating this to a core element of the strategy. I am the current vice chair of the Computing Community Consortium. We have a white paper on designing secure ecosystems and a lot of what we talk about is the notion of incentives. I think without having that as a top-level federal strategy, quite frankly, no progress is going to be made. The fact that it’s stated is very, very important. Whether or not it’s actually going to affect the security of our system is going to depend on specific domains and specific policies and how it is implemented.

Q: A general question: Just how safe or unsafe is cyberspace?

A: I would say we’re not particularly cyber secure. There are certain areas and certain sectors that are a lot more secure than others. For example, the national security community has specific protocols and prioritizes security, but that makes it more difficult to rapidly adopt new technologies. But there’s still a ton of individual responsibility. Too much personally for my liking, to the degree that my personal bias is toward being quite conservative. I don’t click on links in emails that I receive.

I would also say that some industries that are particularly vulnerable are also the ones that have a lot of interaction with people, which is quite concerning. Let’s say schools. School systems often don’t have the resources to implement significant cybersecurity infrastructure and could be subject to ransomware attacks. Similar things have been seen in the health care sector, where you have rapid adoption of novel technical capabilities without the proper know-how to secure it.

Q: How much of this strategy do you think will actually be implemented?

A: I am feeling reasonably positive that this is going to be a high priority, as it is also aligned with a number of economic priorities and a number of other policy priorities, such as the CHIPS and Science Act, and all of the policy priorities around the new energy future. Cybersecurity is incredibly important in context of the changing climate.

Q: Final question. Why have products or software been designed with more capability in mind than security?

A: Think about what you’re looking for when you are buying something like a phone. You want to know if it has all the latest apps. Does it have a really nice camera? Is it fast? Is my email going to load fast? If you’re on social media, do those things work pretty well? Very few people go to a store to buy a piece of technology — and I’m just talking from a commercial user perspective — and say, “Can you tell me what the security features are?”

I’m a computer scientist, and I ask those questions all the time, and usually the feedback I get from the person in the store is that no one ever asks this. So I think that’s why we are where we are. But I will tell you the focus is shifting. People are increasingly worried about their identity being stolen. They’re aware of data breaches. People worry about the resilience of infrastructure. Like when the FAA had to ground all those planes because the system just crashed out. And that wasn’t even a malicious attack. People are thinking about these things a lot more and when it’s at the forefront at a national level, from policy issued by the White House; I think it’s a very positive focus.

Top image by Pete Linforth, courtesy Pixabay

More Science and technology

 

Emily Williamson carries the gonfalon for the School of Computing and Augmented Intelligence down an aisle in a crowded auditorium full of seated graduates

Computer science school looks forward on heels of record-breaking graduation season

This spring, at two packed convocation ceremonies, a crowd of newly minted engineers ebulliently cheered under a rain of fireworks, balloons and confetti as the School of Computing and Augmented…

Large group of people pose for a photo at the top of steps leading up to an outdoor building at the Dedan Kimathi University of Technology campus.

Emerging machine-learning expert leads Kenya AI workshop

What if we already gather all the data we need to help us prepare for disasters, better plan our urban environments and protect our food supply — but we lack the tools to effectively analyze that…

Galaxy PJ0116-24, known as an Einstein ring

Telescopes in Atacama Desert capture extreme starburst galaxy warped into fiery ring

Ten billion years in the past, a rare population of extreme galaxies formed stars at rates more than 1,000 times faster than our own Milky Way galaxy. This was just a sign of the times; while…