Global Security Initiative Executive Director Nadya Bliss says incentivizing security is right approach
The Biden administration outlined its vision for a more secure cyberspace Wednesday with its release of a National Cybersecurity Strategy.
The strategy places more responsibility on software developers and other institutions to have safeguards in place that ensure their systems cannot be hacked.
The administration also announced it is proposing legislation that would establish liability for software-makers that fail to take reasonable precautions to secure their products. Additionally, the administration wants to incentivize businesses and developers to invest long-term in cybersecurity.
Editor's note: The following interview has been lightly edited for length and clarity.
Question: What are your general takeaways regarding the new strategy?
Answer: The fact that there is a huge emphasis on incentives is incredibly positive and optimistic. One of the biggest challenges with cybersecurity, and this is something that I’ve thought about for more than 20 years, is that generally we design everything with capability first in mind and security second. If you think about how the market functions, everybody wants the next best thing. As a result, we have this system that is really not designed for security.
Second, I think it is incredibly positive that the strategy has focused on prioritizing the burden for cybersecurity on sectors and companies that can bear it because right now too much of cybersecurity responsibility falls on the individual. You really don’t want to have significant vulnerabilities hang on individuals.
Finally, if you think about the future of cybersecurity, the strategy highlights a few areas. Things like post-quantum encryption systems, artificial intelligence, biotechnology, clean energy, all of those have significant cybersecurity aspects. Sometimes they’re positive for cybersecurity, sometimes they increase the attack surface. So I think the outlined research initiatives are another important aspect of the strategy.
Q: How much of a difference do you think offering incentives could make?
A: That’s a fabulous question and precisely the right question to ask. I think there is a significant benefit to elevating this to a core element of the strategy. I am the current vice chair of the Computing Community Consortium. We have a white paper on designing secure ecosystems and a lot of what we talk about is the notion of incentives. I think without having that as a top-level federal strategy, quite frankly, no progress is going to be made. The fact that it’s stated is very, very important. Whether or not it’s actually going to affect the security of our system is going to depend on specific domains and specific policies and how it is implemented.
Q: A general question: Just how safe or unsafe is cyberspace?
A: I would say we’re not particularly cyber secure. There are certain areas and certain sectors that are a lot more secure than others. For example, the national security community has specific protocols and prioritizes security, but that makes it more difficult to rapidly adopt new technologies. But there’s still a ton of individual responsibility. Too much personally for my liking, to the degree that my personal bias is toward being quite conservative. I don’t click on links in emails that I receive.
I would also say that some industries that are particularly vulnerable are also the ones that have a lot of interaction with people, which is quite concerning. Let’s say schools. School systems often don’t have the resources to implement significant cybersecurity infrastructure and could be subject to ransomware attacks. Similar things have been seen in the health care sector, where you have rapid adoption of novel technical capabilities without the proper know-how to secure it.
Q: How much of this strategy do you think will actually be implemented?
A: I am feeling reasonably positive that this is going to be a high priority, as it is also aligned with a number of economic priorities and a number of other policy priorities, such as the CHIPS and Science Act, and all of the policy priorities around the new energy future. Cybersecurity is incredibly important in the context of the changing climate.
Q: Final question. Why have products or software been designed with more capability in mind than security?
A: Think about what you’re looking for when you are buying something like a phone. You want to know if it has all the latest apps. Does it have a really nice camera? Is it fast? Is my email going to load fast? If you’re on social media, do those things work pretty well? Very few people go to a store to buy a piece of technology — and I’m just talking from a commercial user perspective — and say, “Can you tell me what the security features are?”
I’m a computer scientist, and I ask those questions all the time, and usually the feedback I get from the person in the store is that no one ever asks this. So I think that’s why we are where we are. But I will tell you the focus is shifting. People are increasingly worried about their identity being stolen. They’re aware of data breaches. People worry about the resilience of infrastructure. Like when the FAA had to ground all those planes because the system just crashed out. And that wasn’t even a malicious attack. People are thinking about these things a lot more and when it’s at the forefront at a national level, from policy issued by the White House, I think it’s a very positive focus.
Top image by Pete Linforth, courtesy Pixabay