The Future Of Cybersecurity

Tuesday, September 1, 2009 - 01:00

Editor: Ambassador Gross, please tell our readers about your background as U.S. Coordinator for International Communications and Information Policy in the Bureau of Economic and Business Affairs.

Gross: I spent the first 15 years of my career in private practice. Then in 1994 I became in-house counsel for AirTouch Communications, a spin-off of Pacific Telesis Corporation, one of the Baby Bells. In 1999 we were acquired by Vodafone. I stayed with the company until mid-2000 when VerizonWireless was created by combining the U.S. mobile phone licenses of AirTouch Communications and those of VerizonWireless. Today, Vodafone owns about 45 percent of VerizonWireless. That's a longwinded way of saying I was in-house counsel for a good portion of my professional life, so I know the trials and tribulations and joys of in-house legal work.

After retiring in 2000, I worked on the presidential campaign of then-Governor George Bush, serving as the National Executive Director of "Lawyers for Bush/Cheney." Afterward, President Bush and his team asked me to join the administration as ambassador responsible for the U.S.'s international telecommunications and ICT work, which I continued for the full two terms of President Bush's administration. During that time I was primarily involved with expanding the Internet, telecommunications and other types of high-tech communications technologies. The growth and change that happened during that eight-year period were truly revolutionary. I was particularly pleased because that international revolution was led by the United States, as it had been for many years before I arrived on the scene.

Editor: On May 29, 2009 the Obama administration released its Cyberspace Policy Review which recommended substantial improvements over the current state of disparate systems among government agencies and private industry (represented by CNCI). Please describe the current state of cyber-readiness.

Gross: Let me describe it fairly broadly. The interagency review was quite well done because it identified many of the current challenges that the government faces bureaucratically and from a policy perspective both domestically and internationally. President Obama's public attitude was also very important because he took the time to receive the Review personally and to underscore the importance of cybersecurity as a matter of national security in his speech. Cybersecurity is of great importance to virtually all companies in the United States. Even if they're not in the business of providing cyber-related services, all companies depend upon cyberspace and are affected by the reliability of cyber communications. Since the Review was published, however, little action has occurred.

Recently attention has turned to who would, by appointment by the President, coordinate cybersecurity across the federal government. The focus has been heightened since Melissa Hathaway, one of the primary authors of the Cyberspace Policy Review, recently resigned from the administration to return to private practice. There has been an important bureaucratic question - how much authority should the coordinator really have? The President has said that on the one hand this is a matter of significant national security importance, yet the position is not as senior as many anticipated - the coordinator reports to two different parts of the White House rather than to the President directly - without clear lines of authority and command.

Editor: Why does the Report suggest the cyber czar report jointly to the National Security Council (NSC) and the National Economic Council (NEC)?

Gross:. Cybersecurity is not only a national security issue, but also is a major economic issue. However, ultimately the hard decisions will have to be made by the President.

Editor: In what ways does the Review suggest that the new U.S. cybersecurity policy interface with international partnerships? In what ways should business be involved?

Gross: Addressing the issue of cybersecurity both domestically and internationally and finding an approach that works best for advancing our shared economic interests and our shared as well as unique national security interests will be one of our greatest challenges. The current administration faces a difficult set of tradeoffs. The Internet is important for the free flow of information and for the health of the U.S. economy, which is based upon innovation. Some countries do not share this view and are much more comfortable with the status quo. There are economic, national security and free flow of information pieces that are implicated every time governments come together to discuss issues of how to secure cyberspace.

The key to successfully overcoming this challenge is the administration's ability to find a balance that works. What is the role of industry? The role of non-governmental organizations? The role of the military? These are very complex and difficult sets of challenges and tradeoffs. The role of companies, and particularly in-house counsel, who see the big picture, is extraordinarily important. Most of the infrastructure for the Internet is in private hands, so the ability to protect the cyber infrastructure is largely developed by industry, and the cost of being attacked is often born by companies when their systems are attacked. There's really a unique opportunity for companies to speak out, to get involved, to educate and to play an important role.

Today, because virtually every company, large and small, is so dependent upon the Internet and because the challenges to its security are so fundamental and substantial, businesses are dependent on it for their survival. For this reason businesses need to be involved in these policy, legal, and intergovernmental discussions. How these issues get resolved will affect virtually every company's business plans and bottom lines.

Editor: What dangers are there of intrusion on the privacy of individual citizens? How can they be avoided?

Gross: It is a significant issue. Let me first start by noting something that many people involved in multinational companies understand very, very well but others may not: Privacy is very important for virtually everyone around the world, but it means something very different, depending upon the culture and the country where you live, as well as your age. For example, it became particularly clear in the 1990s that Europeans as well as Asians and Africans and their governments have views regarding privacy that are different from views of Americans and their government. How people protect their privacy or how their privacy is protected by those with whom they do business or their governments becomes a great challenge of the Internet. In the area of cybersecurity privacy is very closely intertwined with the issues of security - you can't speak of one without the other. The fact that your personal information is at risk when it's outside your physical possession - digitized and stored elsewhere - makes people very nervous. There is also the challenge that some countries, under the guise of protecting privacy, are trying to ensure that their citizens don't have access to important information.

Editor: There is also the Obama administration's insistence that "network neutrality" be preserved. What is the meaning of this term?

Gross: At its core, "network neutrality" means that network operators should ensure that the consumer has the ability to have access to the lawful information that he or she wants. This very simple concept is extraordinarily complex as all providers have to be able to manage their networks.

Editor: Why does the Report suggest a cybersecurity-based identity management strategy to improve authentication of persons and transactions?

Gross: An interesting issue about the Internet is that it is not designed to tell you if the person you are communicating with is really the person you think that they are. That's a source of a whole series of problems and opportunities. Much technical work is being done to try to ensure better authentication. There are legal reasons for authentication to ensure that agreements made electronically are legally binding. Everyone from lawyers to policy makers to computer engineers is trying to figure out how to do it in a way that works well and has the fewest number of tradeoffs.

Many people think that when they don't use their name on the Internet, there is nothing that is identifiable about them when they post information. The simple answer is that sophisticated organizations, including the government, can almost always figure out who they are.

Some governments would like to see international conventions, and ultimately legally binding treaties, negotiated that affect Internet networks. Very active discussions will be held next year at the International Telecommunication Union (ITU), a UN organization of which virtually every country is a member, as to how much jurisdiction the ITU should have to deal with the issue of cybersecurity. It has dealt with this issue for many years, primarily regarding telecommunications equipment and the like, but there are many governments that would like to see the ITU become more involved in broader ways. There are also discussions in law enforcement groups internationally that focus on these issues. I had the honor of co-leading the U.S. delegation to two UN heads-of-state summits, known as the World Summit on the Information Society, one in Geneva and one in Tunisia (the first was in 2003, the second in 2005), where part of the focus was on cybersecurity. As the Cyberpolicy Review notes, the amount of work that needs to be done internationally will increase dramatically.

Editor: Please describe the two bills introduced by Senator John D. Rockefeller relating to creating a cybersecurity advisory position as well as cybersecurity standards applicable to both the government and the private sector?

Gross: Senators Rockefeller and Snowe have been leading the charge on the Senate side with regard to cybersecurity related issues. There are other bills, in both the Senate and in the House, that also seek to address cybersecurity. In the current draft of the Rockefeller bill there is discussion about the cybersecurity coordinator position. The one thing that caught the press's attention was that some read into it the potential authority for the U.S. Government to shut down parts of the Internet if there was a national emergency. The Rockefeller measure would place authority in the White House while others propose placing the czar under the purview of Congress. I think there is a good chance there will be some legislation this year, but my guess is that it will be significantly different by the time it passes from any of the bills currently proposed. I think, however, that the tradeoffs between security and economics, and those between personal privacy and the national good are ultimately the sorts of tradeoffs and policy decisions for which the President should be responsible.

Editor: Describe the reception of the Report by members of Congress. What steps now need to be taken to implement its recommendations?

Gross: Most of the steps can be done by the executive branch without special Congressional authorization. However, if Congress wants to act and if it feels that the President is not acting quickly or firmly enough, Congress will act. But, much of what is called for in the Report is closer coordination and policy leadership - matters for which the President already has full authority. However, at this stage, the ball is still firmly in the White House's court.

Editor: Would you care to summarize your thoughts?

Gross: There are many parts of the Report that are going to have a real-world, bottom-line impact on virtually every company and organization in the United States. Cyber attacks are with us now. Cybersecurity is both domestic and global, and corporate counsel need to get involved.

Please email the interviewee at dgross@wileyrein.com with questions about this interview.