Just ahead of the World Economic Forum (WEF) 2018 Davos annual meeting, the Cyber Resilience Playbook for Public-Private Collaboration was published. There was a lot of news from Davos but, having spent the last year working on the paper alongside leading academics, thinkers and executives on the Expert Working Group on Cyber Resilience, I had a particular interest in it. It addresses one of the areas that I see as absolutely critical to the future of cybersecurity: multi-stakeholder cooperation in policymaking.
The report is an easy read, even over 71 pages. It neatly captures the essence of the problem cyber-policy actors all face. The digital world has enlarged and complicated states’ obligations (e.g. providing security for citizens) and states’ essential interests (e.g. preserving and asserting sovereignty). The cybersecurity battlefield they find themselves operating on is always growing and changing, and the front line is largely civilian and out of their direct control. Even states’ unique ability to focus huge amounts of national resources to crack existential problems, something which put men on the moon for example, seems unlikely to produce a “silver bullet” for today’s cybersecurity problems. Furthermore, states’ calculations about what to do and how to do it are complicated by a perceived need to “trade-off” between security and other values, from freedom of speech to social cohesion.
What the report proposes are not shake-and-bake solutions or pre-warmed plans for operational implementation. Instead it gives a very broad architecture for building public-private collaboration, to serve as a reference point for policymakers considering their options and also for others that want (or need) to become involved.
Central to this architecture are 14 policy areas across five themes, from sharing research, data and intelligence to cyberinsurance. The diagram on page 10, which is included above, is an excellent way to visualise these topics and the complex web of connections between them. More generally the report does a fine job of bringing its points to life with punchy definitions, policy models, case studies and sharp analysis of the connections (and contradictions) between policies and values. The section on Zero-days, for example, clearly runs through the nature and “life cycle” of vulnerabilities and exploits, enumerating the roles of coders, researchers, hackers, governments and standards bodies. The interaction over time of processes of “disclosure” and risks of “vulnerability rediscovery” is set out by the section, as are trade-offs between “offense” and “defense” approaches. As a balanced starting point for consideration and discussion, it works well.
The challenges of cybersecurity are not going away, at least in the foreseeable future, which means that some genuinely thorny issues are going to have to be addressed if there is to be progress. For example: businesses do less than they might because they fear the legal consequences of sharing cybersecurity data with peers or with states; the tools used by security researchers and malicious hackers are nigh on identical, which complicates policing them; and software vulnerabilities most often start with coding, not with cybercriminals, which puts the security onus on tech companies. Different parties, be they business, government or technologists, may balk at these points as over-simplifications or distortions, but if these questions are festering at the back of people’s minds then they need to be discussed and resolved. The best way to do that is in an open and balanced discussion.
From my perspective, and that of Microsoft and many others involved in this discussion, there is no real option other than to embrace the value of multi-stakeholder discussions and policymaking. The WEF paper has taken this view on board and it helps make the case that governments can go it alone in tackling cybersecurity policy no more realistically than the tech sector or civil society. Everyone has to get on board and work together if effective and lasting cybersecurity solutions are going to be found.
The world needs a basis for those future discussions about cybersecurity policy writ large. Much of what we have today is somewhat atomized, focused on important but narrow areas. The Budapest Convention tackles cybercrime, the U.N. Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UNGGE) takes on states’ (warlike) behavior in cyberspace (at least until it reached its current impasse), and so forth. What is increasingly clear to me, however, is that many of these current platforms show some weaknesses because they do not bring governments, the tech sector and civil society to the table as equals. There are clear exceptions of course; last year’s Global Conference on CyberSpace (GCCS), the fifth so far, showed that progress can be made on a level playing field. If more progress is needed towards multistakeholder cybersecurity policy, we need to start somewhere and perhaps a “discussion about discussion” could operate as a good place to begin. Certainly the WEF and the Expert Group I was pleased to have been part of have made a timely contribution to fostering a balanced, equitable approach to multistakeholder cybersecurity policymaking.