The Cybersecurity Coalition and the Cyber Threat Alliance hosted their annual day-long CyberNext DC conference on Oct. 10. The event focused on the current cybersecurity landscape and examined policy trends and initiatives underway to improve the cybersecurity ecosystem. The conference featured panel discussions and fireside chats with government and industry leaders. Below are recaps of each of the sessions.

Panel: Securing the Digital World: Perspectives from Cybersecurity Luminaries

This panel session featured a discussion on the security challenges stemming from the uneven pace of technological modernization and the fragmentation of cybersecurity systems within organizations. Josh Corman highlighted certain market failures contributing towards cybersecurity vulnerabilities and underscored the perilous situation faced by small and rural hospitals relying on outdated infrastructure.

Lovejoy stressed the need for standardized infrastructure and modernization, mentioning, “We need to have a publicly supported infrastructure that enables sectors to engage more appropriately within this marketplace.” The panel also debated regulatory regimes and their impact on cybersecurity, with Jaya Baloo critiquing the EU’s Cyber Resilience Act’s requirement to report vulnerabilities within 24 hours.

Rob Knake questioned the effectiveness of punitive measures post breach. On the subject of AI, experts expressed skepticism about its role in addressing cybersecurity challenges, with Baloo remarking, “I don't think that AI is a panacea,” and Corman highlighting the urgency of prioritizing basic cybersecurity hygiene measures.

 Panel: Equity at Work: Building and Nurturing Diverse Talent for the Future

Building off of the Center for Cybersecurity Policy and Law’s whitepaper, “Diverse Perspectives, Stronger Defenses: Growing the Cyber Workforce Through Diversity,” this panel featured Cory Bullock, Irfan Hemani, Michael Alicea, Nicole Tisdale, and Heather West to address key themes related to growing a diverse cybersecurity workforce.

The panel highlighted challenges faced by diverse employees, emphasizing the need for modernized company structures and inclusive hiring practices. They endorsed the value of employee affinity groups, better aligning job descriptions with role requirements, providing clear career progression pathways, and the importance of retention and empowerment.

Tisdale underscored the mental load often placed on diverse employees to represent minority groups, while Alicea noted that affinity groups can be a good way to reduce that mental burden by finding community among others. Bullock highlighted the adaptable nature of the field and celebrated the shift away from overly strict qualifications, and instead relying on transferable skills.

The panel also addressed the role that AI will have on workforce development, with Hemani citing that AI could be a potential way to reduce the laborious technical elements of jobs and expand the appeal of the sector. Overall, the panel convened a fruitful discussion on the importance of building a diverse cyber workforce for stronger security outcomes.

Fireside Chat: Deputy Assistant to the President and Deputy National Security Advisor Anne Neuberger

Ari Schwartz convened a fireside chat with Anne Neuberger, Deputy National Security Advisor, and addressed various timely cybersecurity topics. Neuberger first discussed how the U.S. aided Costa Rica after they experienced a massive cyberattack and outlined the playbook followed for assisting allies.

She called for a focus on secure telecom and securing financing for such initiatives to support other nations. On the topic of ransomware payments, Neuberger stressed the need to resist making payments, highlighting the negative consequences and the necessity for a regime to disincentivize them. She emphasized the importance of industry collaboration in addressing this issue.

Regarding critical infrastructure, Neuberger noted the need for significant reform stating, “the only sector we had visibility into was pipelines. Because of the Colonial Pipeline attack, emergency authorities put in place required minimum practices. That’s the model we’re driving to achieve.” She concluded by calling upon industry to openly share information both with the government and amongst themselves, both to drive policy and to respond to security breaches. 

Panel: For the Greater Good: Funding the Future of the Internet

The panel focused on the difficulties surrounding funding the fragmented nature of the nonprofit landscape that supports much of the internet. Much of this work is decentralized, ad-hoc, and short-lived, making establishing consistent funding streams difficult. The funding ecosystem is also incredibly fragmented between national governments, international organizations, large tech enterprises, and more, further complicating the issue.

In providing recommendations beyond relying on wealthy tech leaders to donate, Director of the Digital Society Institute at ESMT Berlin, Heli Tiirmaa-Klaar, recommended international coordination on different funding programs. She also stated that the international community should be “working through prevailing means of funding, whether it's the GFC, the World Bank, or some other institution, and also have a better model for recognizing requirements of different nations, as nations have different levels of maturity.”

Keynote: Eric Goldstein

  •  Eric Goldstein, Executive Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency (CISA)

In his address, CISA’s Eric Goldstein described his vision for the government as playing dual roles in the cybersecurity space — both as a regulator and an informer. His main message was that as a community, we have not fully manifested a collaborative environment or shared goals. “This doesn't just mean regulatory harmonization, incident reporting, rather it has to be about shared missions and shared values.”

He discussed that an attack against an American network must be treated as a co-equal burden between public and private sectors. He expressed the need to break down barriers between government agencies to share information on threats and to operate “as a co-equal partner” deriving value for all organizations. Finally, he highlighted CISA’s initiatives to increase visibility between the government and private sector through the Known Exploitable Vulnerabilities (KEV) catalog, CISA’s Strategic Plan, continued engagements like DEFCON, the Joint Initiative on High-Risk Community Protection and much more.

Panel: 702 Reauthorization - What's In It for Cybersecurity?

  • Jonathan Mayer, Assistant Professor, Princeton University
  • Sara Hlavaty, Chief of Authorities Integration Group, National Security Agency
  • Megan Stifel, Chief Strategy Officer, Institute for Security and Technology
  • Jeff Greene, Senior Director for Cybersecurity Programs, Aspen Institute (Moderator)

This panel discussed Section 702 of the Foreign Intelligence Surveillance Act, a statute that enables the intelligence community, under court supervision, to target and collect foreign intelligence of non-Americans located outside of the U.S. The purpose of this panel was to debate the ongoing issue of Section 702, highlight its flaws and challenges and understand its impacts to cybersecurity.

Presently, Congress has to renew Section 702 every few years. Last renewed in 2018, it is slated to expire at the end of 2023. Notably, the most recent bill, S.139, includes the contentious issue of incidental collection – data containing Americans’ communications gathered in a database under Section 702.

The experts acknowledged the controversy surrounding specific provisions while emphasizing that Section 702 remains an indispensable mechanism for acquiring crucial information vital to U.S. national security and cybersecurity efforts. One of the panelists went as far as quoting FBI Director Mike Harrington that “95% of technically derived cyber intel comes from 702.” Unanimously, all the panelists advocated for the continuation of the Act, while still offering various proposed reforms, including independent watchdogs for better enforcement of current compliance violations.

Panel: Strategies for Product Security

  •  Steve Kelly, Chief Trust Officer, Institute for Security and Technology (Moderator)
  •  Katerina Megas, Program Manager for the Cybersecurity for Internet of Things program, National Institute of Standards and Technology (NIST)
  •  Charley Snyder, Head of Security Policy, Google
  •  Taylor Roberts, Director of Global Security Policy, Intel

The last panel discussed Internet-of-Things (IoT) product security and security regulations, featuring both industry and government leaders. Panelists noted that IoT-based companies have begun taking more interest in investing in cybersecurity and engaging with cybersecurity regulations, as they realize the benefits of transparency and mitigating risks that these frameworks focus on.

On regulations, the panelists also discussed how regulations can help bring the industry together under common frameworks and standards, but progress needs to be made. Director of Global Security Policy at Intel, Taylor Roberts, stated that "There's also a recognition that policy can be a tool for harmonizing industry best practices.”

While NIST Program Manager Katerina Megas noted that “There’s a lot of agreement, though we may not be using the same works,” focusing particularly on international differences.

Alice Hubbard, Alexis Steffaro & Tanvi Chopra

Read Next

The U.S. and UN Cybercrime Convention: Progress, Concerns, and Uncertain Commitments

The U.S. issued an updated position seeking to move forward the UN Convention Against Cybercrime, a treaty intended to improve the global community’s ability to combat evolving cybercrime threats.

The Counter Ransomware Initiative with Hamish Hansford (DCP S2 E8)

In the latest Distilling Cyber Policy, Alex Botting and Jen Ellis are joined by our second-ever Australian guest: Hamish Hansford, the Deputy Secretary of Cyber and Infrastructure Security Group at the Australian Department of Home Affairs.

Counter Ransomware Initiative Adds Private Sector Members

Earlier this month, more than 68 countries and organization members met for the fourth annual International Counter Ransomware Initiative (CRI), which included the addition of a public-private advisory panel.