In the space of about one minute, Secretary Kirstjen Nielsen of the Department of Homeland Security gave three tidy one-liners, each of which could describe how she sees the problem set of cybersecurity. First: “your risk is now my risk, my risk is now your risk.” Next: “we have a weakest link problem and the consequences affect us all.” Then: “today we are all on the front lines of a digital battlefield.” Together, the lines plotted a through-line to her keynote: it will take collective action to adapt to cybersecurity threats, the attack surface is vast, and government views it more as a conflict than as a technological challenge.
While other news overshadowed headlines about cyber, the first year of the Trump administration saw massive attacks and breaches across the board. In her remarks, Nielsen focused on three of the newsier ones: the Equifax breach, which included information on roughly half of Americans; WannaCry, the malware that notably hit hospitals in the United Kingdom but as recently as last month caused a minor panic at Boeing; and NotPetya, an attack that hit companies all over the world. The way we refer to these attacks reveals the distance between them. WannaCry and NotPetya are known by the name of the attack tool, while Equifax we identify because it (and its massive database) was the target. What can keep information safe against both sophisticated attacks and sloppy defenses?
Government and politics, Nielsen argued, though she did not specifically invoke those terms. Nielsen compared individual cyber security to a family in Florida that only puts sandbags around their own house when the flood comes. Without working with neighbors to protect the neighborhood against flooding, the single sandbagged house will still be overwhelmed when the water rises, and the preparations will have been for nought.
Household metaphors were a persistent theme for the keynote. Remarking about the changed nature of attacks, Nielsen compared the attacks of a few years ago to a smash-and-grab home invasion that left broken glass everywhere, obvious and clumsy in execution. Today’s attacks, she continued, are more like sophisticated break-ins, where nothing looks disturbed and the intruder may still even be in the house when the family gets home.
As for an answer to this problem, this inevitable flood and this covert intrusion, Nielsen’s prepared remarks focused largely on norms. The United States is vulnerable to other attacks because aggressors feel they can get away with those attacks. To that end Nielsen suggested that the world, primarily governments but also tech companies, needs to establish norms for cyberspace: rules and boundaries and hard lines. Backing this up would be an emphasis on deterrence, a promise of some retaliation in some form for some hostile acts.
“To those who would threaten our security and sovereignty, I have a simple word: don’t,” said Nielsen.
The how of that deterrence, and the nature of those norms, went unspecified in the remarks. In a question and answer session with CNBC’s Deirdre Bosa, Nielsen had an opportunity to expand on the concepts further. The context, provided by Bosa, was the “Cybersecurity Tech Accord,” a proposed “Digital Geneva Convention” drafted by over 30 tech companies, most notably including Facebook and Microsoft. (Big names absent from the accord at present include Google, Apple and Amazon.)
“We need norms. Part of our adversary’s threshold being low is norms are not recognized,” Nielsen said, while clarifying that she could not speak to the specifics of the rules as proposed. As to the absence of companies like Google, Apple, and Amazon, Nielsen noted that “other companies have other ways of contributing to security infrastructure.”
The Secretary pointed to a joint U.S./UK statement issued by the Trump and May administrations as a nudge in the direction of norm setting, though norms take more work than simply two countries working together.
Tackling the other thrust of norms and deterrence, Bosa asked Nielsen if the U.S. was prepared for offensive cyber. Nielsen hedged, saying that there are a lot of ways to interpret “hack back,” then followed up by saying “everything is on the table.”
“Is that a yes on offensive?” Bosa pressed.
“That is not a DHS function,” Nielsen replied, and then went on to note that DHS has a team that coordinates cyber with other agencies. As presently organized, offensive cyber falls under the prerogative of U.S. Cyber Command.
Finally, Nielsen was asked about the trade-off between privacy and security, especially in light of the European Union’s General Data Protection Regulation (GDPR). Nielsen went on at length about the different cultural norms between Europe and the United States, and then noted that by protecting individuals’ privacy, government agencies may lose some ability to see the big picture. And it was in this last moment that Nielsen broke from the metaphors about connected security, about a battle against nefarious actors where everyone is on the same side and benefits from the same actions, taken together.
“Do we need a Digital Bill of Rights?” Bosa asked.
“Depends on what’s in it,” Nielsen said. “We need norms of digital responsibility.”