1. Introduction to Cyber-crime
The cybersecurity and cyber-crime landscape is evolving at a rapid pace, with an ever-growing list of concerns and the continual emergence of new threats such as state-sponsored hacking, theft of intellectual assets, impairment of systems, fraud, and others. Although the specific stakeholders vary from country-to-country or region-to-region, the ecosystem as a whole relies upon frequent cooperation (or at the very least, interaction) between a variety of stakeholders including the government, the private sector, and the public at large. Much of the Internet is controlled and maintained by the private sector, necessitating alliances between governmental and private sector actors in order to address the growing corpus of cyber-crime and cybersecurity issues.
Before discussing some of the key issues of cooperation between the public and private sectors in the cyber-crime space, it is important to address two issues related to the scope of the mapping. First is a definitional clarification; for purposes of this mapping, we consider the terms “cybersecurity” and “cyber-crime” to be closely related. At its most basic level, cybersecurity can be characterized as the range of defensive policies against cyber-crime. Cybersecurity encompasses approaches to defending and coordinating efforts against threats and attacks that are criminal in nature and the broader set of policies by which governments and private sector companies operate to secure the wide range of stakeholder interests against such threats. Because of their close connection, we use the terms cybersecurity and cyber-crime interchangeably, and where necessary we distinguish our use of the terms from those used by others.
Second, our mapping of the cybersecurity landscape is focused on a select set of issues relating to trust between public and private entities. The selection of this topic as an organizing principle emerged through the Berkman Center’s ongoing consultations with a variety of cybersecurity experts as part of its ongoing cybersecurity project. This project convenes a group of experts with unprecedentedly diverse experience within the government, private sector, civil society, and academia to identify and distill key issues around the set of government and private sector responsibilities related to cybersecurity. From those expert consultations, a single key issue has emerged as critical to partnerships between the public and private sectors: how can trust be established or increased between government and private sector actors? Informed by our conversations, we observe this issue play out in three important areas: (1) information sharing between public and private entities; (2) government cybersecurity reorganizations, sometimes to enable private partnerships; and (3) balancing security with government access to data. The mapping below describes these three areas of access to information, government reorganization, and balancing security and access, and identifies potential opportunities for the Forum and the FII.
Our approach highlights the key issues determined to be most salient to our network of cyber-crime experts. However, the landscape is richer than can be fully captured here. First, cyber-crime and cybersecurity are incredibly complex fields, and we cannot say that a different set of experts would highlight the exact same issues. Second, our experts have a U.S. focus and our mapping is largely informed by that perspective. We have strived to identify relevant international examples where applicable, and the Forum has identified many of the same issues in its own global cyber-crime initiative.
2. Key Issues/Themes
a) Information Sharing
Information plays an important role in the cybersecurity landscape. It is both responsive and preventative in nature. For example, government and private sector stakeholders use it to respond to ongoing cybersecurity incidents, assess vulnerabilities and potential harms, and build defenses against emerging threats. Effective information sharing, like many aspects of cybersecurity, relies upon carefully tailored partnerships between the public and private sector, in part due to information collection challenges and differing incentives. Individual actors within the private sector hold information that would be helpful to both the government and other actors within the private sector. A trust deficit makes such partnerships more challenging; moreover, actors within the private sector often lack the incentive to share with competitors or to address long-term risks.[64] In contrast, the government is in a unique position to think about long-term threats and the types of actors who are capable of carrying them out, as well as to aggregate information from a variety of sources. However, the need for secrecy within national security and intelligence agencies often prevents the sharing of detailed information.
There are a number of initiatives that have been formed to try to facilitate information sharing. Because of the complexity of information collection, these initiatives reflect an equally complex constellation of information flows. Initiatives can enable public-to-private, private-to-public, and private-to-private information flows, or a combination of the three. In some countries, for example Germany and the U.K., the government plays a role in centralizing forums for the exchange of threat information across these different types of information flows.[65] Although a variety of mechanisms exist for government and private sector actors to share cyber threat information, in reality their effectiveness is limited.
Country examples:
- United States: The U.S. government currently shares cyber threat information with the private sector through the U.S. Department of Homeland Security’s offices of Intelligence and Analysis, Cyber and Communications, and National Cybersecurity and Communication Integration Center.[66]
- United States: Information Sharing and Analysis Centers (ISACs) are used by private sector companies to pool resources and share information on threats.[67]
- Germany: The Bundesamt für Sicherheit in der Informationstechnik (BSI – Federal Office for Information Security) operates the Alliance for Cybersecurity, a community in which members of the German private sector engage in active cyber threat information sharing and the exchange of best practices.[68]
- United Kingdom: The United Kingdom’s Centre for the Protection of National Infrastructure (CPNI) facilitates a network of “Information Exchanges” (IEs) across numerous sectors.[69] The IEs allow companies to build long-term relationships of trust over time in order to facilitate the exchange of information related to cyber-attacks, as well as physical and personnel-related threats.
Despite the many ways in which information is shared, the sharing is often described by private and public sector actors as ad hoc, messy, and uncoordinated. In other words, it is sub-optimal. In many cases, the public-to-private information sharing that does occur is based on old, pre-digital models that are not scaling well to the increasingly complex needs of the private sector. For example, in the United States, information is frequently shared through the same channels used for counterterrorism threat information.[70] In private-to-private sharing arrangements, which often occur within industry consortia, Information Sharing and Analysis Organizations (ISAOs), and Information Sharing and Analysis Centers (ISACs), sharing can still be constrained by the number of organizations that participate and their willingness to divulge detailed information.
A number of inhibitors and challenges are to blame for the lack of information sharing. Our research indicates that in the context of public-to-private and private-to-public information sharing, one of the more significant inhibitors is the current state of mistrust between the government and the private sector. Since the 2013 Snowden leaks, some companies have expressed concern about publicly collaborating with government actors. Companies like Apple, Facebook, Google, Twitter, Microsoft, AOL, and others have teamed up to protest government surveillance and to push for surveillance reform, which is indicative of the sour relationship between government and the private sector.[71] According to insiders, this extends to any efforts that might be perceived by the public or potential clients as collaborative activity between private sector companies and the global intelligence community.[72] Financial concerns appear to be a significant factor, with some analysts estimating that the Snowden leaks will cost the major technology companies “billions of dollars over the next several years,” particularly if “international clients take their business elsewhere.”[73]
A second challenge to information sharing, particularly in the context of private-to-public and private-to-private information flows, is private sector concern about legal liability for sharing information with the government and with others in the private sector. This liability could emerge in several ways:
- Direct liability: Companies fear that the very act of sharing could be a violation of law. In the United States, for example, a company may fear that sharing information with another private sector entity will violate the Stored Communications Act, which prohibits certain service providers from disclosing user information to others, including government officials.[74] Similarly, in the European Union the Data Protection Directive would apply to information shared between private sector actors and the government.[75]
- Indirect liability: A related concern is that in the process of sharing information, a company may reveal evidence that gives rise to unrelated liability. For example, after a company shares information about incidents with one government agency, a separate regulatory agency might find evidence of a legal infraction, such as negligent behavior or violations of consumer protection regulations.
- Antitrust liability: Companies may fear collaborating with other private sector entities due to the risk of such collaborations being deemed restraints of trade in violation of antitrust laws.
Of course, the legal risk faced by private sector entities will vary from country-to-country based upon the existing legal framework. However, we have observed these issues in several locations, including the United States and the European Union.
In addition to liability concerns, private sector entities are often worried that information sharing may lead to the disclosure of trade secrets or other competitively valuable information. For example, disclosure to a government entity may subject those records to public records requests, which may in turn lead to further investigations by government agencies or lawsuits by individuals.[76] In addition, some companies view their approach to cybersecurity as a competitive advantage, which makes them less willing to share detailed information with others in the private sector.
These legal and competitive concerns have made information sharing more challenging. There have been some attempts at realigning the incentives in order to enable greater sharing. For example, recent proposals in the U.S. have tried to clarify the liability and create safe harbors for sharing information about cybersecurity incidents and threats with the government.[77] That said, some industry experts believe that the most recent proposals will not sufficiently address these issues and will not be enough to change the current paradigm. Others have also questioned the degree to which the legislative proposals would enable the sharing of the types of information that would actually be useful for the government and private sector companies.[78]
The third challenge of information sharing is that of generating, transmitting, and understanding the information in an actionable manner. Both private and public entities often receive so much complex data that it is challenging to decipher, or they receive too little information. In either case, it can be difficult for decision-makers to act on the information received. Due to the challenges of interpreting data, information can be unintentionally contradictory at times,[79] which can be problematic when it is necessary to attribute the source of a threat. In addressing cybersecurity, attribution can be very important for several reasons: first, by identifying who or what caused a particular incident (i.e., adversary or malfunction), an actor can choose from a variety of responsive tools; second, attribution can also reinforce deterrence against future attacks. However, attribution can be difficult in the cyber realm and it can often require coordination between public and private sector actors in cases with sophisticated adversaries.[80] On several occasions, lack of coordination and incorrect attribution – as a byproduct of bad information sharing or not enough information – has led to negative consequences for companies and governments.[81]
Example attribution challenges:
- United States: When Sony Pictures was hacked, one U.S. government agency reportedly declared the aggressor to be the Democratic People’s Republic of Korea. At the same time, other U.S. government agencies were still unsure, and the public cast doubts on the reports.[82]
- Turkey: In 2008 there was an explosion in Turkey on the Baku-Tbilisi-Ceyhan oil pipeline. Initially, Turkey called it a malfunction and the pipeline owner claimed it was a fire. It took six years before it was revealed to be a cyber attack, although the company and government likely knew more prior to the public disclosure.[83]
- Iran: The Stuxnet virus that disrupted nuclear centrifuges in Iran was intentionally constructed to create confusion about attribution.[84]
Even when attribution is not an issue, the information shared may be challenging to use in an actionable manner. Other challenges to use include:
- Secrecy: Because of the nature of classified information, a government report about cyber threats might be stripped of useful information during the declassification process to such an extent that it is no longer useful for a private sector actor.
- Timeliness: Many threats require real-time responses, but the process of collecting, identifying, and sharing the data may take too long for the data to still be actionable.
- Empowerment: In order to respond, companies or governments need to have a designated person or team who is empowered to take action once information is received. In some cases such a person does not exist, does not have sufficient authority, or is not clearly identified to those who could share information.
b) Government Reorganization
As noted above, we observe a growing appetite for information sharing about cyber threats. However, in many cases the mechanisms and interface between the public and private sectors do not exist. In many practical ways, the lack of infrastructure to support information sharing has widened the trust gap.
In order to address this challenge, there have been recent experiments in constructing more effective interfaces. Recognizing the need for public-private collaboration in addressing cybersecurity, some of these experiments have taken the form of government reorganization at varying degrees of scale, including in the United States, France, Australia, and others.[85] These reorganizations represent efforts at building public-private and public-public interfaces: between the government and companies in the private sector, between particular agencies within the government with overlapping responsibilities, and between international governments. However, many of these cybersecurity initiatives are being developed within silos, without input from other stakeholders, or as “quick fixes” to temporarily fill gaps. They also place emphasis on some aspects of reorganization, such as agency-to-agency coordination, over other issues like improving existing interfaces with private sector stakeholders. This has led some experts to question whether these initiatives will ultimately be successful, whether they address the correct issues, and whether they serve the best interests of the private sector and the public at large.
Reorganization examples:
- United States: In March 2010, the White House declassified the executive summary of its Comprehensive National Cybersecurity Initiative, which was aimed at strengthening the security of government and private sector systems through a series of initiatives.[86] The full report remains classified. The U.S. Government Accountability Office (GAO) has written numerous reports since 2010 that question the effectiveness of the National Cybersecurity Initiative. The GAO notes that while the cybersecurity strategy has evolved over time, the U.S. government still “has not developed an overarching national cybersecurity strategy that synthesizes the relevant portions [of the Initiative] or provides a comprehensive description of the current strategy.”[87] Among the key problems identified by the GAO are issues with public-private partnerships, which the GAO views as a critical component of the government’s strategy.
- United States: In February 2015 the White House introduced a strategy to integrate disparate parts of the U.S. intelligence community through the Cyber Threat Intelligence Integration Center (CTIIC), a new center within the Office of the Director for National Intelligence responsible for integrating and coordinating the sharing of threat intelligence across existing cyber centers within the government.[88] According to experts, CTIIC is intended to serve as a one-stop shop for government agencies within the intelligence community to share and access cyber intelligence information. Although CTIIC will provide the intelligence community with a single voice around cyber issues, it does not have any new authorities, it will not be involved in intelligence operations, and it is expressly prohibited from interacting with the private sector. The sole way for the government to interact with the private sector on cyber issues will continue to be through the existing authorities of particular agencies, like the Federal Bureau of Investigation and the Department of Homeland Security.
Beyond these U.S. examples, other industry observers have noticed similar patterns in the strategies created by other countries. For example, the OECD report on cybersecurity in 2012 notes that “the level of detail with regards to whether and how governments engage into a multistakeholder dialogue varies, with many strategies providing little or no details on this aspect.”[89] The report also suggested that non-governmental stakeholders felt there could be improvements in multistakeholder collaboration and cooperation with governments in the development of cybersecurity strategies. According to the report, “greater emphasis on enhanced consultation and co-operation with business could help governments find the appropriate balance between sovereignty and economic and social cybersecurity.”[90]
Experts and government insiders have questioned whether national strategies and ad-hoc initiatives such as the U.S. CTIIC are focused on the most pressing issues and positioned to scale up to the needs that will likely arise in the future.[91] Although these reorganizations are an attempt to build relationships between public and private entities, experts have noted that many of these initiatives are developed without widespread public debate or consultation with the private sector. As a result, the programs that emerge from the initiatives are not designed in ways that bring together the public and private sectors but instead add more fragmentation to relationships between the government and the private sector.
c) Balancing Cybersecurity and Government Access to Information
The challenge of trust between public and private entities has recently created significant tension regarding government access to data. In response to cybersecurity and privacy concerns, a number of consumer-facing companies within the private sector, including Apple and Facebook, are deploying software with strong end-to-end encryption enabled by default in their mobile products.[92] The keys needed to decrypt the data are tied to user passwords and stored locally on the devices. The result is that these companies are technically incapable of providing law enforcement with much of the communications data generated by users, a situation often called “going dark.”[93] The deployment of such technology has sparked a contentious debate between members of the private sector, law enforcement, and others within the government. At issue is the ability of law enforcement and intelligence agencies to obtain unencrypted communications that they are lawfully entitled to access. The outcome of this debate may have profound implications for the ability of companies, and their consumers, to use specific types of security measures.
Company examples:
- Apple: In late 2014, Apple announced its mobile operating system would feature end-to-end encryption enabled by default.[94]
- Google: Not long after Apple’s announcement, Google announced that its Android operating system would also enable end-to-end encryption by default, though it appears not to have implemented this plan yet.[95]
- WhatsApp: The Facebook-owned cross-platform mobile messaging software implemented end-to-end encryption in November 2014.[96]
Country examples:
- U.S. Federal Bureau of Investigation: The FBI has expressed concerns about companies “going dark” by implementing end-to-end encryption, which the Bureau sees as a major impediment to investigations.[97]
- United Kingdom: Prime Minister David Cameron has publicly called for the introduction of backdoors into encryption technologies by companies, following the Charlie Hebdo terrorist attacks in early 2015.[98]
- China: The People’s Republic of China adopted legislation in recent months that experts believe will mandate that companies provide the government with access to data.[99]
Not all government actors oppose the use of encryption; in a recent report, the UN Special Rapporteur on Freedom of Expression called it essential to the protection of free speech and access to information.[100] Among those that do oppose its use, the primary concern is that it inhibits their ability “to access the evidence we need to prosecute crime and prevent terrorism even with lawful authority.”[101] Moreover, they believe strongly that “if there is no way to access the data, encrypted systems and data, we may not be able to identify those who seek to steal our technology, our state secrets, our intellectual property, and our trade secrets,” thereby creating a safe haven for lawlessness.[102] As a solution, in the United States, for example, law enforcement agencies and other members of government have lobbied legislators for legislative solutions that mandate companies to provide the government with access to the data, which would require alterations to their encryption systems.[103] Although some law enforcement actors have raised strong concerns over the use of encryption, other experts have expressed doubt about how prevalent encryption will become in the future or how much it in fact hinders the ability of governments to conduct intelligence operations, criminal investigations, and prosecutions.[104]
A large number of private sector stakeholders stand in opposition to such proposals. They have urged the executive and legislative branches to reject proposals that “deliberately weaken the security of their products,” stating that encryption protects individuals “from innumerable criminal and national security threats.”[105] Any legislative scheme that requires companies to maintain the encryption keys “makes those products less secure against other attackers,” undermining cybersecurity, economic security, and human rights around the globe.[106] These concerns are not theoretical. For example, in 2011 RSA, a security-focused subsidiary of U.S. company EMC, was breached in a sophisticated attack that compromised the seeds used to generate keys for its encryption products.[107] The breach was then used to compromise RSA’s encryption as used by other companies, including U.S. defense contractors, to exfiltrate product designs and schematics.[108] For that reason, weakening encryption risks not only communications, but also economic and intellectual property assets. According to U.S. Deputy Secretary of Defense William Lynn, “although the threat to intellectual property is less dramatic than the threat to critical infrastructure, it may be the most significant threat that the United States will face over the long term.”[109] The same threat faces companies around the world.
New rules that prevent or restrict the use of encryption would also pose other challenges. In the 1990s, when the U.S. and Europe imposed stringent restrictions on the export of products with encryption, the U.S. National Research Council argued that export controls were negatively impacting the ability of U.S. technology companies to compete on a global scale, as many customers abroad sought products that could provide embedded security protections through encryption.[110] The 1996 report they published – Cryptography’s Role in Securing the Information Society – influenced the policy debate, and the White House ultimately lessened the restrictions on export and adopted other policies in favor of allowing widespread use of encryption. Around the same time, the European Union took a similar stance and loosened its restrictions on exports. In the wake of the most recent debates, the authors of the National Research Council report revisited the issues in a July 2015 report – Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications – arguing that “the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have 20 years ago.”[111] The report notes that, in addition to the serious security challenges posed, a change in policy around encryption would be exceedingly expensive for private sector companies to implement and would likely chill innovation – “if all information applications had to be designed and certified for exceptional access, it is doubtful that companies like Facebook and Twitter would even exist.”[112]
As countries like the U.S., U.K., and China consider proposals that will affect the private sector’s ability to implement strong end-to-end encryption, the issues raised in these debates will only become more pressing.
3. Conclusions and Core Observations
A number of observations and potential opportunities for the Forum and the FII emerge from these themes. In general, there is a greater need for more coordination and collaboration between the public and private sectors. Although there are many examples of collaboration already occurring, we observe that there is still a significant trust gap between both sides that is impeding more organized and centralized efforts. Ultimately, more trust is needed between these sectors in order to facilitate open conversations between the groups.
First, the Forum and the FII have an opportunity to facilitate discussions with private and public actors around how to improve the current channels for information sharing. As noted above, there is a growing appetite within the private sector for more information sharing. However, the current channels for receiving and sending information to others are sub-optimal, particularly those between the public and private sector. Foremost, the lack of trust between these groups is a significant challenge, and given negative public perception, there is an opportunity for the Forum to facilitate conversations aimed at determining appropriate pathways for reestablishing trust.
Beyond the issue of trust, there remains a number of key questions that must be addressed in order to make improvements in how information is shared. For instance:
- Determining the optimal scope of information that should be shared.
- Identifying the audiences with whom information should be shared.
- Coordinating the mechanisms for sharing information across organizations.
- Identifying and constructing the channels needed to reach the right people within private sector organizations with information that is actionable, and those empowered to act upon such information.
The Forum and the FII are well placed to convene experts to identify the key elements and best practices for sharing information. As the WEF Cybercrime Project Plan notes, information-sharing interactions could extend beyond sharing information about threats and incidents, to things such as enhancement of existing regulation, guiding principles and tool kits, best practices, joint operations, and research. The Forum and the FII could help create such opportunities for knowledge exchange, facilitating the design and implementation of information sharing platforms or hubs to effectuate such sharing.
Second, there are opportunities for private sector actors to be more involved in shaping national and supra-national cybersecurity strategies as well as ad-hoc efforts to improve certain interfaces between the government and private sectors. These interfaces are critically important, but many of the new strategies and initiatives do not seem to prioritize their improvement or describe their plans in any great detail. What seems to be missing are concerted plans by the government to improve these working relationships in practice. Rather, what has emerged in some cases is an increase in bureaucracy that is not meeting the most pressing needs of the private sector. In some cases, it does not seem particularly clear that the government understands which aspects of the working relationship with the private sector are successful, and which are not. This presents an opportunity for the Forum and the FII to convene government and private sector stakeholders to distill needs and issues from current approaches, and identify opportunities where the government’s reorganization efforts can be improved, particularly as it relates to its interactions with the private sector.
Third, important debates are ongoing around the ability of companies to implement strong encryption in their products and the ability of governments to gain access to user data held by those companies. On the one hand, the companies have a genuine interest in securing the technologies they offer to the public. Encryption plays a key role in protecting user data against cyber-crime and attacks from a wide range of adversaries, including foreign governments. On the other hand, the companies’ advertising-based business models, based on the collection of their users’ data, disincentivize extensive use of encryption or the minimization of the data they collect in the first place. Moreover, governments are increasingly encountering encryption that prevents them from analyzing data that they are lawfully entitled to access. Government officials are concerned that this will inhibit their ability to stop terrorism attacks and prosecute criminals. At the heart of this debate are some difficult questions about the delicate balance between security and privacy, and the outcome will likely have far-reaching effects. While the debate is ongoing within particular countries, such as the U.S. and U.K., it is likely to have broader international implications. There is an opportunity for the Forum to convene and facilitate discussions between stakeholders from government and private sector communities to understand the scope of the problem, key challenges, and potential solutions. At present, these stakeholders seem to be talking past one another, perhaps fueled by the lack of trust noted earlier. But by bringing together the stakeholders, the Forum may be able to facilitate a common understanding around the core issues in the debate.