The incoming Trump administration should create a cybersecurity version of the Defense Advanced Research Projects Agency, experts urge.
The creation of a civilian DARPA — focused exclusively on over-the-horizon cyber research — was one of four efforts the new government should focus on to improve the nation’s long-term cybersecurity, according to Steven Weber and Betsy Cooper from the University of California—Berkeley.
Cooper is executive director of the Center for Long-Term Cybersecurity at Cal-Berkeley and Weber is the center’s faculty director. They spoke in Washington at a Bipartisan Policy Center event on Friday.
“Republicans have supported small government, but they have also supported smart government,” said Cooper, seeking to head off suggestions that a proposal for a new federal agency would be dead on arrival in a GOP-controlled, budget-hawkish Congress.
Weber argued that cybersecurity needed to be seen as an existential requirement for continued U.S. security and prosperity. “Just think about how much of our life depends on the assumption that the Internet actually works and is safe,” he said.
Cooper argued that improving cybersecurity ought to be an integral part of the new administration’s commitment to renew the nation’s infrastructure.
“If you’re going to have smart cities and IoT connected devices … you have to have security,” she said.
Weber added that there also needed to be more thought given to the role of government in setting security standards for innovative and potentially threatening technologies like the Internet of Things.
“You guys [in Congress and the executive branch] have given us a free pass,” he told Rep. Will Hurd, R-Texas, chairman of the House Oversight IT Subcommittee. “If we say the word ‘innovation,’ you let us do whatever we want!”
“There needs to be a balance” between market self-regulation and government intervention, he said.
In addition to the civilian cyber DARPA, the other three initiatives were:
- Focus on education. Cybersecurity should be made a part of the general curriculum in K-12 education. And the government ought to offer loan forgiveness to cybersecurity graduates who work in the public sector for some time.
- Involve the public with awareness campaigns aimed at their children. “Recycling took off when children started asking their parents ‘Why are you throwing that can in the garbage?’” because of information they were getting at school, noted Cooper. “The way to stop people clicking on phishing emails is to get their kids coming home from school asking them ‘Dad, what are you doing?’” she suggested. “It doesn’t need to be a fear-mongering campaign,” added Weber. Rather, it should explain the effects of individual poor cyber hygiene on internet security overall, just as environmental awareness campaigns had emphasized the importance of individual action through recycling. Cybersecurity will not improve as long as it is seen as “somebody else’s problem,” said Weber.
- Set norms for nation-states. The U.S. should “be more courageous” in setting forth the principles that govern its own behavior in cyberspace and more explicit about its expectations that other countries will abide by them as well, Weber said. A good starting point would be that countries be accountable for catching hackers conducting cyberattacks from their territories. With some countries there are capacity issues, other panelists noted, but not with the principal U.S. cyber-adversaries. “I would be happy if we could hold Russia, China and Iran to that standard,” said Democrat and former deputy attorney general Jamie Gorelick.
Hurd expressed broad agreement with the proposals.
“There have to be consequences” for foreign adversaries who flaunt their use of plausible deniability to defy norms in cyberspace, he said.
On the other hand, the U.S. shouldn’t be totally transparent about where its red lines were and what kind of retaliatory power it had. “We have to have some strategic ambiguity,” he argued.
Hurd also welcomed the idea of cybersecurity graduates working in federal cyber jobs for a certain period to qualify for loan forgiveness.
“We need a cyber national guard,” he declared, one that would recruit federal cybersecurity specialists leaving for the private sector to “become weekend cyber warriors” after their departure, with the cooperation of their new employers.
“You can figure this out to where it’s beneficial for the companies” to employ them, for instance if they maintain their security clearance, Hurd said.