Cyber Policy Still Stuck in the ‘90s


In the nearly 20 years since the first cyber policy discussions, technology has changed tremendously. The debate hasn’t caught up yet.

A few weeks ago, I wrote about the need to move the cybersecurity dialogue to its next stage and to start to seriously consider what disruptors are sitting out there that could help us do so.

I identified four areas ripe for discussion.

  • Policy disruptors
  • Data breaches vs. cybersecurity
  • Cyber weaponization
  • Post-Snowden security  

Let’s start this disrupting conversation by looking at policy disruptors.

To do that, we have to go back to the Clinton administration.

Back in 1997 and 1998, we saw the issuance of the President’s Commission on Critical Infrastructure Protection. This was a report on the scope and nature of the vulnerabilities and threats to the nation’s key industries, like power and water systems. Then, in 1998 came the release of Presidential Decision Directive 63.

Those cutting-edge Clinton-era efforts talked about the “shared responsibility and partnership between owners, operators and government.” They discussed incentives and only using regulation in the “face of a material failure of the market.”  

Research and development investments as well as government procurement were also discussed. Information sharing, including the legal impediments and possible liability issues, insurance and standards were all evaluated and deemed necessary.

Fast forward 17 years, through countless reports, think-tank events, congressional hearings, legislation and administration action.

The policy debates are still focused on shared responsibilities, incentives, R&D investment, government procurement, information sharing, insurance and standards.

In the nearly two decades since the first cyber policy discussions were seriously initiated, technology has changed tremendously: Email, the Internet, and mobile devices are now the norm, not unusual like they were in the mid-1990s.  

The policy debates, sadly, have not changed.

We have reached the point where the policy framework for addressing cybersecurity and critical infrastructure protection probably should not be the same as it was when the first clamshell, a.k.a. flip, mobile phone was considered the latest innovation.

If we are to tackle cybersecurity effectively, we need to be able to look to the future of technology and map out policy positions that are going to be relevant in the years to come.  

Three areas I would be interested in seeing more “big thinking” on:

The integration of technology. There has been some work in this area and increasing interest in doing more, given the attention on the “Internet of Things.” But it feels as if not enough is being done to really explore the policy implications here.

Many years ago, the former National Communications System, when it was still in the Defense Department, did a lot of technical work on this issue, especially in telecommunications. Today’s discussions, which still talk about cybersecurity in terms of “sectors,” could be better served by looking at how the lines between sectors are becoming blurred. More and more things are being considered “critical infrastructure,” given our increased reliance on technology.

Cybersecurity by design. This pops up as an issue every once in a while, especially in discussions about software design, but it does not feel like we have really had a serious discussion on how cybersecurity can and should be integrated into technology and services at the outset, instead of as an afterthought.

There is a tremendous number of policy questions that arise when we build things with cybersecurity (instead of convenience) in mind, and it would be helpful to have those discussions.

The intersection of cyber and economics and law. Many of the recent conversations around cybersecurity have used a disease-fighting framework, comparing it to the health system and discussing “holistic” approaches to the issue. Less has been done to explore the intersection of law and economics on cybersecurity. This is an area that is ripe for policy debate.

In some ways, spending more time on this topic could lead to the same thought leadership we have seen when it comes to economics and law on the environment. Yes, it could result in many of the same old issues re-emerging and being discussed under the guise of “economic analysis,” but, if done properly, the discussion could be more systematic and research-oriented.

These are just three areas that seem ripe for policy exploration. There are many more, especially as we look at the international nature of cybersecurity. Of course, the real policy disruptors that are out there are probably still unknown ideas in the minds of some of the bright young people who one day will help solve these issues.